Function APP and KV integration

Create a function App and enable system assigned identity

Create a Keyvault and add a secret (Name in my case)

Configure Access policies for the function app in keyvault

Create an access policy in Key Vault for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or applicationId settings, as this is not compatible with a managed identity.

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

Key Vault references currently only support system-assigned managed identities. User-assigned identities cannot be used.

We are granting our function app permissions to get and list all the secrets in this keyvault.

Add Key Vault secrets reference in the Function App configuration

Go to the keyvault and click on the secret we just created.

Copy the secret identifier. We need to add this value to the function app configuration.

@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)

Go to the configuration section in the keyvault and add the value.

Now we can directly read the secrets using inside the function app

 var password =  Environment.GetEnvironmentVariable("mypassword", EnvironmentVariableTarget.Process);

#r "Newtonsoft.Json"

using System.Net;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Primitives;
using Newtonsoft.Json;

public static async Task<IActionResult> Run(HttpRequest req, ILogger log)
{
     log.LogInformation("C# HTTP trigger function processed a request.");
     var password =  Environment.GetEnvironmentVariable("mypassword", EnvironmentVariableTarget.Process);

      log.LogInformation($"password: {password}");
     
     return new OkObjectResult(password);
}

OUTPUT

Comments

App Role assignment to service principal --

Using Ms Graph Rest API's Permissions One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions . Permission type Permissions (from least to most privileged) Delegated (work or school account) AppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All Delegated (personal Microsoft account) Not supported. Application AppRoleAssignment.ReadWrite.All and Application.Read.All, AppRoleAssignment.ReadWrite.All and Directory.Read.All, Application.ReadWrite.All, Directory.ReadWrite.All Create 2 app registrations. App role owner will contain the app role that will be assigned to a service principal. The reader role in approleowner will be added to the approlesubscriber Setup postman to use the Oauth auth flow to get a token for MS Graph. ClientId: Application (client) ID for approlesubscrib...

ASp.net core 3.1 identity

It is just an extension to cookie authentication. We get a UI, Tables, helper classes, two factor authentication etc. Even EF and its database constructs. So instead of writing code for all of this we can just use these in built features. Extending Default Identity Classes Add a class that inherits from public class AppUser : IdentityUser { public string Behavior { get; set; } } Also change the user type in login partial.cs under shared folder Then add migrations and update db using migrations. We can customize further. services.AddDefaultIdentity<AppUser>(options => { options.SignIn.RequireConfirmedAccount = true; options.Password.RequireDigit = false; ...

Get user groups

string[] scopes = new string[] { "https://graph.microsoft.com/.default" }; string clientId = ""; string tenantId = ""; string secret = ""; var options = new TokenCredentialOptions { AuthorityHost = AzureAuthorityHosts.AzurePublicCloud }; // https://learn.microsoft.com/dotnet/api/azure.identity.clientsecretcredential try { var clientSecretCredential = new ClientSecretCredential( ...

Anish's Notebook

Search This Blog