Securing PaaS – Securing Azure Functions with Managed Service Identities

Synopsis: In this exercise, attendees will learn how to use Azure Functions that access Azure Key Vault as a Managed Service Identity.

Task 1: Create an Azure Function

  1. Open the Azure Function App creation page (https://portal.azure.com/#create/Microsoft.FunctionApp)
  2. For the name, enter MSIKeyVaultFunc-[Your Initials].
  3. Select your resource group.
  4. Ensure that your location matches what you have been using.
  5. For Storage, select the storage account.
  6. Select Create.
  7. Select Function Apps.
  8. Once provisioning completes, select your new function app.
  9. Select the Functions node.
  10. Select New function.In the Function Apps blade, New function is selected.
  11. Select HTTP trigger.Under Choose a template, the HTTP trigger tile is selected.
  12. For the language select C#.
  13. Keep the name HttpTriggerCSharp1.Under Few Function, fields are set to the previously defined settings.
  14. Select Create.
  15. Open the extracted folder file \AzureFunction\run.csx.
  16. Copy the contents into the window.The Save button is selected in the run.csx window.
  17. Select Save.
  18. Select View Files.
  • NOTE: You may need to scroll to the right to see the View Files tab.
  1. Select +Add.
  2. For the name, enter project.json.Screenshot of the Add button and the project.json file icon.
  3. Press Enter.
  4. Open the \AzureFunction\project.json file, copy the contents to the online version.
  5. Select Save.

Task 2: Create a Managed Service Identity

  1. Select the MSIKeyVaultFunc-[your initials] function node.
  2. Select the Platform features tab.In the Function apps blade, the Platform features tab is selected.
  3. Under Networking, select Managed service identity.Under Networking, Managed service identity is selected.
  4. For the Register with Azure Active Directory setting, toggle it to On.In the Managed service identity pop-up, Register with Azure Active Directory is set to On.
  5. Select Save.

Task 3: Assign Managed Service Identity Azure Key Vault permissions

  1. Select Key vaults.
  2. Select your key vault.
  3. Select Access policies.
  4. Select +Add new.In the blade, under Settings, Access policies is selected. At the top, Add new is selected.
  5. Select the Select principal.
  6. Search for the MSIKeyVaultFunc application, select it.In the Add access policy blade, Select principal is selected. In the Principal blade, MSIKeyVaultFunc is selected.
  7. Select Select.
  8. Select the Secret permissions drop down, check the Get and List permissions.Under Secret permissions, the Select all check box is selected. Under Secret Management Operations, checkboxes for Get and List are selected.
  9. Select OK.
  10. Select Save, you should now see the application listed:The applications list displays with two applications listed.

Task 4: Test your Azure Function

  1. Select Key vaults.
  2. Select Secrets.
  3. Select +Generate/Import.
  • NOTE: If you can’t add a new Secret, you will need to assign yourself permission to do so via Access policies.
  1. In Upload options, select Manual.
  2. For the name, enter FunctionSecret.
  3. For the value, enter HelloWorld.In the Create a secret blade, fields are set to the previously defined settings.
  4. Select Create.
  5. Select FunctionSecret.
  6. Select the current version, then select and record the Secret Identifier URLIn the left pane, the Current Version is selected, and is enabled. In the right pane, the copy button for the Secret Identifier URL is selected.
  7. Select Function Apps.
  8. Select MSIKeyVaultFunc-[your initials].
  9. Select Application Settings.Under Configured features, Application settings is selected.
  10. Under Application Settings, select +Add new setting.
  11. For the name, enter KeyVaultUri.
  12. For the value, copy the Secret Identifier URL you copied in this task.
  13. Scroll to the top, select Save.
  14. Select the HttpTriggerCSharp1 function.
  15. Select Run.Screenshot of the Run button.
  16. In the Output window you should see your Key Vault Secret displayed.The Output window contains the text, "HelloWorld".

About engsoon

Eng Soon is a 4-time Microsoft MVP and has nearly 5 years of experience building enterprise system in the cloud.He is also a Certified Microsoft Azure.Eng Soon also have strong technical skills and analytic skill. As a developer, Besides the development task, he also involved in Project Management, Consulting, and Marketing. He has a passion for technology and sharing what he learns with others to help enable them to learn faster and be more productive. He also took part as speaker in many nationwide technical events, such as Conference, Meetup and Workshop. Currently, looking for opportunity in Cyber Security which include Cloud Security and Application Security.

View all posts by engsoon →

Leave a Reply

Your email address will not be published. Required fields are marked *