Store the Azure Function setting inside Azure Key Vault

john john Pter 1,065 Reputation points
2025-03-18T10:34:01.58+00:00

I have created a new project in Visual Studio 2022, of type Azure Function. I defined 3 parameters inside local.settings.json (APIUsername + APIPassword + DBConnectionString) as follows:

    {
      "IsEncrypted": false,
      "Values": {
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet-isolated",
        "APIUsername": "***",
        "APIPassword": "****",
        "DBConnectionString": "**"
      }
    }

Now inside the code I get those values using this:

    // Read from local.settings.json when run locally, and from the app's environment variables in Azure.
    private string connectionString = Environment.GetEnvironmentVariable("DBConnectionString");
    private string username = Environment.GetEnvironmentVariable("APIUsername");
    private string pass = Environment.GetEnvironmentVariable("APIPassword");

Now from VS I deployed the code to the Azure Function:

User's image

Then I got a message that the project was successfully deployed. When I accessed the Azure Function's Configuration, I got this message:

User's image

So I went to Environment variables, where I manually created the 3 variables as follows:

User's image

Now, to secure those variables, we created 3 secrets inside Azure Key Vault, and we granted the Azure Function the Reader role on the secrets. But now, how can I configure those 3 environment variables to read their data from the Azure Key Vault secrets?

Second question: is writing the values directly to the environment variables considered secure, or is it better to store them in Azure Key Vault secrets?

Thanks

Azure Functions

1 answer

  1. chrischin 915 Reputation points Microsoft Employee
    2025-03-18T14:43:16.1633333+00:00

    It is more secure to store the secrets in Azure Key Vault.

    How did you grant the Function reader role? Did you first enable a managed identity?

    As for granting read access:

    Confirm the authorization model being used with your Key Vault.

    The easiest way to reference the secrets is to use this syntax in your App Settings: @Microsoft.KeyVault(SecretUri=<url to your secret in key vault>).

    See the entire reference on this here: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli
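
A startup check for the three settings from the question, added here as an example and not code from the question or the answer: when the platform cannot resolve a Key Vault reference (for instance because the managed identity lacks access), the setting's value remains the literal `@Microsoft.KeyVault(...)` string, so the check fails fast instead of passing that string on as a password or connection string. The class name `SecretSettings`, the vault URL and the sample values are constructed for illustration, and `Main` is a stand-alone console demo.

```csharp
using System;
using System.Collections.Generic;

public static class SecretSettings
{
    // Prefix of an app setting that is still a Key Vault reference, not a secret value.
    private const string ReferencePrefix = "@Microsoft.KeyVault(";

    // Setting names from the question's local.settings.json.
    private static readonly string[] Required =
        { "APIUsername", "APIPassword", "DBConnectionString" };

    // Returns the resolved values, or throws listing every setting that is unusable.
    public static Dictionary<string, string> Load()
    {
        var values = new Dictionary<string, string>();
        var problems = new List<string>();
        foreach (var name in Required)
        {
            var value = Environment.GetEnvironmentVariable(name);
            if (string.IsNullOrWhiteSpace(value))
                problems.Add(name + ": not set");
            else if (value.TrimStart().StartsWith(ReferencePrefix, StringComparison.OrdinalIgnoreCase))
                problems.Add(name + ": Key Vault reference was not resolved");
            else
                values[name] = value;
        }
        if (problems.Count > 0)   // report names only; never put the values in the message
            throw new InvalidOperationException(
                "Secret settings check failed: " + string.Join("; ", problems));
        return values;
    }

    public static void Main()
    {
        // Constructed sample values standing in for what the platform would inject.
        Environment.SetEnvironmentVariable("APIUsername", "svc-demo");
        Environment.SetEnvironmentVariable("APIPassword", "constructed-password");
        Environment.SetEnvironmentVariable("DBConnectionString",
            "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/DBConnectionString)");
        try { Load(); }
        catch (InvalidOperationException ex) { Console.WriteLine(ex.Message); }
    }
}
```

In the Function App itself, `SecretSettings.Load()` would be called once at startup, so a misconfigured identity or reference shows up as a startup failure and not as a failed database or API login later.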

