Version: v1.9.0

Using secret store within Azure Functions

This separate documentation section explains how the Arcus secret store can be used within Azure Functions environments (both in-process and isolated).

Using secret store within in-process Azure Functions

To make configuring the secret store easier, we provide a dedicated package that builds on top of the IFunctionsHostBuilder:

Installation

For this feature, the following package needs to be installed:

PM > Install-Package Arcus.Security.AzureFunctions

Usage

The secret stores are configured during the initial application build-up in the Startup.cs:

    using Microsoft.Azure.Functions.Extensions.DependencyInjection;
    using Microsoft.Extensions.Configuration;
    using Microsoft.Extensions.DependencyInjection;
    using Microsoft.Extensions.Hosting;

    // The attribute sits outside the namespace, so the type name is fully qualified.
    [assembly: FunctionsStartup(typeof(MyHttpAzureFunction.Startup))]

    namespace MyHttpAzureFunction
    {
        public class Startup : FunctionsStartup
        {
            public override void Configure(IFunctionsHostBuilder builder)
            {
                builder.ConfigureSecretStore((FunctionsHostBuilderContext context, IConfiguration config, SecretStoreBuilder stores) =>
                {
                    // The vault name comes from configuration; the vault itself is accessed with managed identity.
                    var keyVaultName = config["KeyVault_Name"];
                    stores.AddEnvironmentVariables()
                          .AddAzureKeyVaultWithManagedIdentity($"https://{keyVaultName}.vault.azure.net");
                });
            }
        }
    }

Once the secret providers are defined, the ISecretProvider can be used as any other registered service:

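    using System.Threading.Tasks;
    using Arcus.Security.Core;
    using Microsoft.AspNetCore.Http;
    using Microsoft.AspNetCore.Mvc;
    using Microsoft.Azure.WebJobs;
    using Microsoft.Azure.WebJobs.Extensions.Http;
    using Microsoft.Extensions.Logging;

    namespace Application
    {
        public class MyHttpTrigger
        {
            private readonly ISecretProvider _secretProvider;

            public MyHttpTrigger(ISecretProvider secretProvider)
            {
                // Injected from the secret store configured in Startup.cs.
                _secretProvider = secretProvider;
            }

            [FunctionName("MyHttpTrigger")]
            public async Task<IActionResult> Run(
                [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequest req,
                ILogger log)
            {
                return new OkObjectResult("Response from function with injected dependencies.");
            }
        }
    }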

Using secret store within isolated Azure Functions

Since isolated Azure Functions are built with the default HostBuilder, the general secret store packages can be used in this environment. There is no need to install the dedicated Arcus.Security.AzureFunctions package.

Usage

Using the available extensions on the HostBuilder or IServiceCollection, the secret store can be added, just like a Web API or console application.

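    using Microsoft.Extensions.Hosting;

    var host = new HostBuilder()
        .ConfigureFunctionsWorkerDefaults(builder =>
        {
        })
        .ConfigureSecretStore((context, config, stores) =>
        {
            // Same configuration key as in the in-process example.
            var keyVaultName = config["KeyVault_Name"];
            stores.AddEnvironmentVariables()
                  .AddAzureKeyVaultWithManagedIdentity($"https://{keyVaultName}.vault.azure.net");
        })
        .Build();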

Once the secret providers are defined, the ISecretProvider can be used as any other registered service:

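    using System.Net;
    using Arcus.Security.Core;
    using Microsoft.Azure.Functions.Worker;
    using Microsoft.Azure.Functions.Worker.Http;
    using Microsoft.Extensions.Logging;

    namespace Application
    {
        public class MyHttpTrigger
        {
            private readonly ISecretProvider _secretProvider;

            public MyHttpTrigger(ISecretProvider secretProvider)
            {
                // Injected from the secret store configured on the HostBuilder.
                _secretProvider = secretProvider;
            }

            [Function("MyHttpTrigger")]
            public HttpResponseData Run(
                [HttpTrigger(AuthorizationLevel.Function, "get", "post", Route = null)] HttpRequestData req,
                ILogger log)
            {
                var response = req.CreateResponse(HttpStatusCode.OK);
                return response;
            }
        }
    }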
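
Both "Usage" sections above inject the ISecretProvider without reading a secret from it. The following added example (not part of the Arcus documentation) shows an isolated function that reads a secret and uses it to check a caller-supplied key. The class name OrderWebhook, the secret name Webhook_SharedKey and the header X-Shared-Key are hypothetical.

```csharp
using System;
using System.Linq;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Arcus.Security.Core;
using Microsoft.Azure.Functions.Worker;
using Microsoft.Azure.Functions.Worker.Http;

namespace Application
{
    public class OrderWebhook
    {
        // Hypothetical names, not defined by Arcus or by this page.
        private const string SecretName = "Webhook_SharedKey";
        private const string HeaderName = "X-Shared-Key";
        private readonly ISecretProvider _secretProvider;

        public OrderWebhook(ISecretProvider secretProvider) => _secretProvider = secretProvider;

        [Function("OrderWebhook")]
        public async Task<HttpResponseData> Run(
            [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequestData req)
        {
            string expected;
            try
            {
                // Looked up through the secret store configured at startup.
                expected = await _secretProvider.GetRawSecretAsync(SecretName);
            }
            catch (SecretNotFoundException)
            {
                // Fail closed without revealing which secret or provider was missing.
                return req.CreateResponse(HttpStatusCode.InternalServerError);
            }

            string presented = req.Headers.TryGetValues(HeaderName, out var values)
                ? values.FirstOrDefault() ?? string.Empty
                : string.Empty;

            // Constant-time comparison, so response timing does not leak a partial match.
            bool match = CryptographicOperations.FixedTimeEquals(
                Encoding.UTF8.GetBytes(presented), Encoding.UTF8.GetBytes(expected));

            return req.CreateResponse(match ? HttpStatusCode.OK : HttpStatusCode.Unauthorized);
        }
    }
}
```

The secret value is only held in a local variable and is never written to a log or to the response body.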