Home > Mobile >  Do we need to do extra security (storing inside Key Vault) for our Azure Function App Settings
Do we need to do extra security (storing inside Key Vault) for our Azure Function App Settings

Time:01-27

I have developed an Azure Function using visual Studio 2019. now when i deployed the Azure Function inside Azure >> all the settings (which contain some sensitive info) inside the local.settings.json, will be added inside the ""Azure Configuration" >> "App settings"". And as indicated by the page message that those values are stored encrypted, as follow:-

enter image description here

so does this mean that there is no need to take extra steps to secure the sensitive info inside the App setting by using Azure Key Vault ? as those are already secured?

CodePudding user response:

They are secure, but users with permissions to the recourse can potentially access them with a role such as e.g. Contributor. Using a Key Vault would allow you to define access controls more precisely.

As example; Should somebody whose sole responsibility is to manage the resource have access to the secrets?

Also Key Vault allows for some other scenario's like being able to manage secrets centrally or share them across multiple resources (e.g. App Services across multiple regions). And maybe one that's often overlooked; monitoring. E.g. being able to tell 'who' accessed what key at what time.

Edit: link for adding key vault references to your app settings

CodePudding user response:

It is considered a best practice to store any secrets your application might need in a Key Vault. This way, if someone has access to the application that needs to use these secrets in the Azure portal, they would still not have access to the actual secret.

Centralizing storage of application secrets in Azure Key Vault allows you to control their distribution. Key Vault greatly reduces the chances that secrets may be accidentally leaked. When application developers use Key Vault, they no longer need to store security information in their application. Not having to store security information in applications eliminates the need to make this information part of the code. For example, an application may need to connect to a database. Instead of storing the connection string in the app's code, you can store it securely in Key Vault.

Your applications can securely access the information they need by using URIs. These URIs allow the applications to retrieve specific versions of a secret. There's no need to write custom code to protect any of the secret information stored in Key Vault.

Source: About Azure Key Vault - Why use Azure Key Vault? - Centralize application secrets

TL;DR
Do you need to use Key Vault currently? Maybe not, although still depending on how many other people have access to the Subscription / Resource Group / Function App.

Would I advise you to put your secrets in Key Vault? Yes. Especially by doing so now will get you used to working with Key Vault and get you prepared for the future.

EDIT:
For referencing secrets from Key Vault, have a look at Key Vault references. This enables your application to get the secrets from Key Vault without the need for any code change!

For documentation on how to, please see Use Key Vault references for App Service and Azure Functions.

EDIT 2:

even if we store them inside Azure key vault they can be viewed

Yes, but then only if someone has the correct role assignment. If the secret is in Application Settings, anyone with access to the Function App inside of the Azure portal can also see the secrets.

  • Related