How we can secure the local.setting.json file inside our Azure Function before deploying it to Azure

john john 906 Reputation points

I am building an Azure Function >> and inside its local.settings.json, i am storing some sensitive data, as follow:-

  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "SiteUrl": "***",
    "TenantId": "0***",
    "ClientId": "9****",
    "CertificateThumbPrint": "E***",

So can i secure those values and store them inside Azure key vault ? can anyone provide some sample code please?

Second question. now when i deployed those settings to Azure Function and i access the Azure Function Configuration >> i got that those settings are encrypted already, so does this mean that there is no need to store those configuration inside Azure Key vault as seems there are already encrypted and offered over https?

User's image

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,042 questions
Azure Functions
Azure Functions
An Azure service that provides an event-driven serverless compute platform.
3,986 questions
0 comments No comments
{count} votes

2 answers

Sort by: Most helpful
  1. Bruno Lucas 4,411 Reputation points MVP


    You can put the secrets in the azure vault and point to the vault using vault references.:


    for example, you add a password to the vault and this to your local.settings.json


    you can use that in both local.settings.json and in the Function app "app settings" for better security

  2. JamesTran-MSFT 35,806 Reputation points Microsoft Employee

    john john

    Thank you for your post and I apologize for the delayed response!

    Adding onto what was mentioned by Bruno Lucas - I understand that you want to secure your Azure Function's local.settings.json values within the Key Vault. To do this, you can use the Reference syntax, which is in the form of @Microsoft.KeyVault({referenceString}), where {referenceString} is replaced by one of the following options:

    • SecretUri=*secretUri *
    • VaultName=vaultName;SecretName=secretName;SecretVersion=secretVersion

    For example, a complete reference would look like the following:

    • @Microsoft.KeyVault(SecretUri=
    • @Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)

    Key Vault references can be used as values for Application Settings, allowing you to keep secrets in your Key Vault instead of the site config. Application Settings are securely encrypted at rest, but if you need secret management capabilities, they should go into Key Vault. For more info.

    I hope this helps!

    0 comments No comments