Question
I have successfully integrated a secret in an httptrigger. I need to retrieve and parse the secret in Python code.
The following piece of code returns the vault ID and not the secret.
- How do I get it to output the secret value?
- Can the same be done for a queuetrigger?
Httptrigger
import logging
import os
import azure.functions as func


def main(req: func.HttpRequest) -> func.HttpResponse:
    logging.info('Python HTTP trigger function processed a request.')
    # Read the app setting; in Azure the Functions host resolves a Key Vault
    # reference to the secret value, locally the raw reference string is returned
    test = os.environ["testkeyvault"]
    return func.HttpResponse(
        "This" + test,
        status_code=200
    )
local.settings.json
{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "",
    "FUNCTIONS_WORKER_RUNTIME": "python",
    "testkeyvault": "@Microsoft.KeyVault(SecretUri=https://jjjjj.vault.azure.net/secrets/AzureAuthUrl/xxxxxx)"
  }
}
function.json
{
  "scriptFile": "__init__.py",
  "bindings": [
    {
      "authLevel": "anonymous",
      "type": "httpTrigger",
      "direction": "in",
      "name": "req",
      "methods": [
        "get",
        "post"
      ]
    },
    {
      "type": "http",
      "direction": "out",
      "name": "$return"
    }
  ]
}
Answer 1:
How do I get it to output the secret value?
1. Create a secret, set the value, and get the 'secret identifier'; set @Microsoft.KeyVault(SecretUri=<secret identifier>)
in the settings of your function app.
2. Create a function app identity, and give the function identity the corresponding access policy on the key vault.
Can the same be done for a queuetrigger?
Yes, you can. Basically you can get it from the environment variable as you do in the httptrigger. The value stored in the configuration of the function app will be read as an in-app environment variable. If there is a keystore reference, as long as the reference is successful, the secret will be returned. Otherwise, the original URL will be returned.
Answer 2:
For this problem, I tested it on my side. You just need to deploy your function to Azure, then it will work fine. If you run your function locally, it can't get the key vault.
After you deploy the function to Azure, you also need to add it to the application settings of your function app.
Also do not forget to enable the "Identity" of your function app.
And then add an access policy in the key vault to allow your function to access the key vault.
By the way, it seems all of your steps are correct. So please note that all of the steps above will get the value of the secret stored in my key vault, as shown in the screenshot below. So please check if you misunderstood the feature of getting key vault secrets in Azure Functions.
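Both answers describe the same mechanism: the Functions host resolves the @Microsoft.KeyVault(...) setting only in Azure with a working identity and access policy, and otherwise hands the function the raw reference string. The following helper is an added example (not code from either answerer or from the Azure SDK) that detects an unresolved reference so the function fails closed instead of treating the reference URL as the secret, and that never echoes the secret back to the anonymous caller the way "This" + test does; the function names and the two reference shapes it parses are the documented SecretUri and VaultName/SecretName forms.

```python
import os
import re
from typing import Dict, Mapping, Optional, Tuple

# Hypothetical helper, not part of the original post. A Key Vault reference in an
# app setting has one of two documented shapes:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
_REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")


def parse_keyvault_reference(value: str) -> Optional[Dict[str, str]]:
    """Return the reference fields if `value` is an UNRESOLVED Key Vault reference,
    else None (meaning the host already replaced it with the secret, or it is a
    plain setting)."""
    m = _REF_RE.match(value.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    for part in m.group("body").split(";"):
        key, sep, val = part.partition("=")
        if not sep or not key.strip():
            return None  # malformed: not a reference we recognise
        fields[key.strip()] = val.strip()
    if "SecretUri" in fields or {"VaultName", "SecretName"} <= fields.keys():
        return fields
    return None


def read_secret_setting(name: str, env: Mapping[str, str] = os.environ) -> Tuple[Optional[str], str]:
    """Return (secret, status) with status 'resolved', 'unresolved' or 'missing'.
    An unresolved reference is never returned as if it were the secret, which is
    exactly what happens locally or before the identity/access policy is in place."""
    raw = env.get(name)
    if raw is None:
        return None, "missing"
    if parse_keyvault_reference(raw) is not None:
        return None, "unresolved"
    return raw, "resolved"


def handle_request(env: Mapping[str, str] = os.environ) -> Tuple[str, int]:
    """Body and status code for the trigger (wrap in func.HttpResponse in __init__.py).
    The secret is used server-side only and deliberately not written to the response."""
    secret, status = read_secret_setting("testkeyvault", env)
    if status != "resolved":
        return f"setting 'testkeyvault' is {status}; check the app setting, identity and Key Vault access policy", 500
    # use `secret` here (e.g. as a credential for a downstream call), never echo it
    return "secret resolved", 200
```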
Source: https://stackoverflow.com/questions/65067323/retrieving-keyvault-secret-integrated-in-a-httptrigger-queuetrigger-python