Accessing Azure storage account by function app using Key secrets

Introduction: All my articles are compiled into simple steps with detailed screenshots and an elaborate description. By following these steps, even a novice programmer should be able to replicate the scenario. Please go through the steps and provide your valuable feedback to make my next articles clearer and more focused.

Note: I took help from various internet sources while researching this item. Credit goes to the internet and Microsoft communities. This is one of the topics in the Azure certification.

This is my 11th article on Azure.

Please follow the links below for my previous Azure articles

Azure WebApps

Azure Logic App

Azure Event Grids

Azure SQL

Azure AD MSAL

Azure AD and User Management

Azure Key Vault With Logic App

Azure Key Vault With Data Factory

Accessing Azure Blob Containers

Working With Azure MSMQ

Follow the 32 steps below to access an Azure storage account from a function app using Key Vault secrets.

After completing this blog, you will be able to:

  • Explain what an Azure function app is
  • Create and configure Key Vault secrets
  • Store a connection string as a secret
  • Grant a function app permission to read secrets
  • Use the secret from a function app to access a storage account

Sample Description: We store a JSON file in a blob container, and a function app needs to read that JSON file. The storage account connection string is kept in Key Vault as a secret; the function app reads that secret at runtime to obtain the connection string and then reads the blob. Keep in mind that a storage connection string embeds the account key, which grants full control over the whole storage account, so anything that can read the secret can do far more than read one blob.

Step 1: Open Azure portal (https://portal.azure.com)

Step 2: Create a storage account as shown below

Step 3: Open the storage account and copy a connection string from the Access keys blade. We will store this connection string in Key Vault in the following steps. Treat it as a secret from this point on: do not paste it into source code, chat, or tickets.

Step 4: Create a blob container and upload the JSON file. Initially, set the container's public access level to Blob (anonymous read access for blobs). We will change it later.

Step 5: Select the JSON file uploaded in the previous step and copy its URL.

Step 6: Now try to open the JSON file using that URL. If the access level is Blob (anonymous), the JSON is returned to anyone who has the URL. If the access level is Private, the request fails (the service answers with an authorization error), because an unauthenticated browser request carries no credentials. See the screenshots below for both cases.

Step 7: I set the container back to Private. Outsiders can no longer read my JSON file via its URL, but my application, running outside the storage account, still needs to read it. The steps below achieve this without making the file public again.

Step 8: Create a new key vault as shown below

Step 9: Open the key vault you created in the previous step and select the Secrets blade. Create a new secret by clicking Generate/Import. In the Value field, paste the connection string collected in step 3. Applications that are granted access to this secret can read the connection string and thereby get full access to the storage account, so only grant that access to the identities that need it, and rotate the storage key (and update the secret) if it is ever exposed.

Step 10: Now create an Azure function app, which in later steps will read the JSON file. Note the function app name; we will use it in the following steps.

Step 11: Open the function app and select the Identity blade in the Settings section. Enable the system-assigned managed identity and save. This gives the function app its own identity in Azure AD, so other resources (here, the key vault) can grant it permissions without you having to manage any credential for it.

Step 12: In this step we create an access policy in the key vault. This access policy allows the function app's managed identity to read secrets from the key vault.

Open the key vault and click the Access Policies blade.

Step 13: Click the new Access Policy link and grant access to the function app.

Because the function app only needs to read secrets, select only Get under Secret permissions; a Key Vault reference needs nothing more, and List, Set or Delete would be unnecessary privilege. Click the Select principal link, search for the function app we created, and select it. Save the policy.

Now your function app is authorized to read secrets from the key vault.

Step 14: Now we work on the code of the function app. As I created my function app with .NET Core settings, I will develop and deploy a .NET Core function app using Visual Studio Code and the Azure Functions Core Tools. First, I will demonstrate how the function app reads and displays the connection string; then I will add the code to read and return the JSON file.

Step 15: Open a folder in Visual Studio Code. Open the terminal and execute the command below. It creates a function app project in the current folder.

func init --worker-runtime dotnet --force

After creating the project, run dotnet build to make sure everything compiles.

Step 16: Now create a function from the HttpTrigger template. This file will handle the HTTP request and return the information.

Use the command below to create the HTTP trigger:

func new --template "HTTP trigger" --name "MatetiTrigger"

Step 17: Open the secret created in the earlier steps and copy its Secret Identifier, as shown below.

Step 18: Using that identifier, create a new application setting in the function app. Select the function app, open the Configuration blade in the Settings section, and click New application setting.

Build the value from the identifier using the Key Vault reference syntax below and place it in the Value field. The Functions host resolves this reference at startup using the managed identity from step 11 and exposes the secret value to the code as an ordinary environment variable.

@Microsoft.KeyVault(SecretUri=<Secret Identifier>)

@Microsoft.KeyVault(SecretUri=https://jsonsecretvault.vault.azure.net/secrets/JsonSecretConnectionString/7a2b7c78f3174f7f9ac1ac9bfa4da7aa)

The trailing segment of the identifier is the secret version. A reference that includes the version is pinned to it, so after rotating the secret you must update the app setting; if you omit the version from the URI, the host resolves the latest version instead.

Step 19: Take the name of the application setting created in the previous step and add it, with a local placeholder value, to the local.settings.json file of the function project. Key Vault references are not resolved when running locally, so do not paste the @Microsoft.KeyVault(...) string here, and do not put the real connection string in this file either: local.settings.json is meant for local-only values and is normally excluded from source control by the .gitignore that func init generates.
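As an added example (not from the original article), a local.settings.json that matches this setup. The setting name SecretConnectionString is taken from the code in step 30; the placeholder value assumes the local storage emulator (Azurite) is running, which is an assumption, and it is what allows the local run in step 31 to reach a local blob container instead of the real account:

```json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "UseDevelopmentStorage=true",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "SecretConnectionString": "UseDevelopmentStorage=true"
  }
}
```

In Azure this file is ignored; there, SecretConnectionString comes from the Key Vault reference configured in step 18.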

Step 20: Open the HTTP trigger created in step 16 and clear the file content.

Step 21: Then add the namespaces below to the same file. The two marked lines are not in the original list but are required: the first provides the [HttpTrigger] attribute and AuthorizationLevel, the second provides ILogger.

using Microsoft.AspNetCore.Mvc;

using Microsoft.Azure.WebJobs;

using Microsoft.Azure.WebJobs.Extensions.Http; // needed for [HttpTrigger] and AuthorizationLevel

using Microsoft.AspNetCore.Http;

using Microsoft.Extensions.Logging; // needed for the ILogger parameter of Run

using System;

using System.Threading.Tasks;

Step 22: Add a class to the file and give it a Run method. The Run method reads the connection string from the application setting (locally, from local.settings.json) and returns its value. Returning a raw connection string over HTTP is acceptable only as a temporary check during this tutorial; it must not remain in a deployed function. After making these changes, your code looks as shown below.
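The following is an added example of the step 22 function, written by the editor rather than taken from the article's screenshot. It uses the in-process Functions model that matches the namespaces in step 21. The namespace FunctionAppMateti and the Function authorization level are assumptions (the latter is the template default); the setting name SecretConnectionString is the one the article uses in step 30. Unlike the article's version, it does not echo the connection string back to the caller: it parses out the AccountName, which is not secret, and reports only that, so the check can safely stay in the code.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

namespace FunctionAppMateti // assumed namespace
{
    public static class MatetiTrigger
    {
        // Name of the app setting from step 18 / local.settings.json from step 19.
        private const string SettingName = "SecretConnectionString";

        [FunctionName("MatetiTrigger")]
        public static Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,
            ILogger log)
        {
            // In Azure the host has already replaced the Key Vault reference with the secret value.
            string connectionString = Environment.GetEnvironmentVariable(SettingName);
            if (string.IsNullOrEmpty(connectionString))
            {
                // Typical causes: the setting is missing, the managed identity is disabled,
                // or the access policy from step 13 does not grant Get on secrets.
                log.LogError("App setting {Setting} is missing or its Key Vault reference was not resolved", SettingName);
                return Task.FromResult<IActionResult>(
                    new ObjectResult("Connection string not available") { StatusCode = StatusCodes.Status500InternalServerError });
            }

            // Report only the non-secret part of the connection string.
            string accountName = ExtractAccountName(connectionString);
            return Task.FromResult<IActionResult>(
                new OkObjectResult($"Connection string resolved for storage account '{accountName}'"));
        }

        // Extracts AccountName=... from a "Key=Value;Key=Value" storage connection string.
        // Returns "(unknown)" for strings without that segment, e.g. UseDevelopmentStorage=true.
        internal static string ExtractAccountName(string connectionString)
        {
            foreach (string part in connectionString.Split(';', StringSplitOptions.RemoveEmptyEntries))
            {
                string[] kv = part.Split('=', 2);
                if (kv.Length == 2 && kv[0].Trim().Equals("AccountName", StringComparison.OrdinalIgnoreCase))
                {
                    return kv[1].Trim();
                }
            }
            return "(unknown)";
        }
    }
}
```

With the local placeholder from step 19 the function answers with "(unknown)"; once deployed with the Key Vault reference it answers with the real account name, which is enough to confirm the secret was resolved without exposing the key.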

Step 23: Now run the function app locally with the command below. It builds the project and starts the local Functions host.

func start --build

Step 24: As shown in the image above, call the URL (http://localhost:7071/api/MatetiTrigger) with a tool such as Postman, HttpRepl or Fiddler. The local host does not enforce the function key, so no key is needed for this request.

The response shows the value picked up from local.settings.json. When you deploy to Azure, the same code displays the actual connection string resolved from Key Vault.

Step 25: Now it is time to deploy this function app to Azure. At this point the function app only reads the connection string from Key Vault and displays its value. I am going to publish this code into the function app we created in the earlier steps.

To publish, first sign in to Azure from the Visual Studio Code terminal (for example with az login). Use the same Azure account with which you created the function app.

Step 26: After a successful login, execute the command below. It builds and deploys the code into the function app in Azure.

func azure functionapp publish FunctionAppMateti

Step 27: Now it is time to verify the function app. When we run the function in Azure, it should display the connection string resolved from Key Vault.

Select the function app in Azure and click the Functions blade as shown below.

Step 28: Select the function "MatetiTrigger" and open the "Code + Test" blade.

Then click the Test/Run tab and select GET in the HTTP method drop-down.

After that, click Run. The output should be the connection string, as shown below. If the output is empty or the host reports an unresolved Key Vault reference instead, recheck steps 11 and 13 (managed identity enabled, Get permission on secrets granted to that identity).

Step 29: Our initial test of the function app works. However, a function app that merely reads and displays a connection string is not useful. We will modify the function to connect to the blob container with this connection string and retrieve the JSON file.

Go to the Visual Studio Code terminal and execute the command below. It adds the Azure Blob Storage client library (and its namespaces) to our function app project.

dotnet add package Azure.Storage.Blobs --version 12.6.0

Step 30: Add the namespace below to the trigger class:

using Azure.Storage.Blobs;

Also replace the body of the Run method with the code below. Because it awaits the download, the method must be declared async and return Task<IActionResult>.

    // Connection string resolved from the Key Vault reference (Azure) or local.settings.json (local).
    string connectionString = Environment.GetEnvironmentVariable("SecretConnectionString");

    // Container "myjsonfile" and blob "records.json" are the ones uploaded in step 4.
    BlobClient blob = new BlobClient(connectionString, "myjsonfile", "records.json");

    var response = await blob.DownloadAsync();

    // Stream the blob content back with its stored content type.
    return new FileStreamResult(response.Value.Content, response.Value.ContentType);

The code above connects to the blob container using the connection string from the secret, retrieves the JSON file content, and returns it to the caller.
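Below is an added example of the complete step 30 function, written by the editor and not copied from the article. It keeps the article's container name myjsonfile and blob name records.json, and assumes the namespace FunctionAppMateti and Function-level authorization as in the earlier example. It adds what the short snippet leaves out: a clear failure when the setting was not resolved, a 404 when the blob does not exist, and a generic error for other storage failures so that storage error text (which can include account details) is logged but never returned to the caller.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Storage.Blobs;
using Azure.Storage.Blobs.Models;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

namespace FunctionAppMateti // assumed namespace
{
    public static class MatetiTrigger
    {
        private const string SettingName = "SecretConnectionString"; // app setting from step 18
        private const string ContainerName = "myjsonfile";          // container from step 4
        private const string BlobName = "records.json";             // blob uploaded in step 4

        [FunctionName("MatetiTrigger")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req,
            ILogger log)
        {
            string connectionString = Environment.GetEnvironmentVariable(SettingName);
            if (string.IsNullOrEmpty(connectionString))
            {
                log.LogError("App setting {Setting} is missing or its Key Vault reference was not resolved", SettingName);
                return new StatusCodeResult(StatusCodes.Status500InternalServerError);
            }

            // The SDK authenticates with the account key embedded in the connection string.
            var blob = new BlobClient(connectionString, ContainerName, BlobName);

            try
            {
                Response<BlobDownloadInfo> download = await blob.DownloadAsync();
                string contentType = download.Value.ContentType ?? "application/json";
                return new FileStreamResult(download.Value.Content, contentType);
            }
            catch (RequestFailedException ex) when (ex.Status == StatusCodes.Status404NotFound)
            {
                // Container or blob is missing: report not found without naming the account.
                log.LogWarning("Blob {Container}/{Blob} not found", ContainerName, BlobName);
                return new NotFoundResult();
            }
            catch (RequestFailedException ex)
            {
                // Auth failures (e.g. a rotated key) land here; keep the details in the log only.
                log.LogError(ex, "Blob download failed with status {Status}", ex.Status);
                return new StatusCodeResult(StatusCodes.Status502BadGateway);
            }
        }
    }
}
```

Because callers never see the connection string or the storage error text, the only secret-bearing path is Key Vault to the Functions host, which is exactly the boundary the access policy in step 13 controls.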

Step 31: Run this code locally (as in step 23) and verify the result. Locally it reads whatever account the placeholder in local.settings.json points to, so the container and blob must exist there.

Then sign in to Azure and redeploy the application as in step 26.

Step 32: If you repeat step 28, you will see the content of the JSON file in the output.

We have successfully deployed a function app that reads the content of a blob using a connection string stored as a Key Vault secret, with the container itself kept private.

Happy Coding!!!
