Tags: git, security, azure-functions

How to properly handle secrets in a local.settings.json file when adding the function source code to a source control repository


I have an Azure function with a few secrets in its local.settings.json file.

What are the best practices when I want to share the source code of my function in GitHub?

So far I can think of the following options, but each option has some issues or challenges:

1- Remember to change the secrets in local.settings.json anytime I commit my changes. Once the commit is done, undo changes, so I can run the function and debug it. This option is very error-prone and tedious.

2- Add local.settings.json to the .gitignore file. With this approach, people who get the code from GitHub need to remember to restore the local.settings.json.

3- Store the secrets in Azure Key Vault. But this is too much for such a little function that I am creating.

I wanted to ask here what the best practices are for handling the secrets in local.settings.json in a source control repository.


Solution

  • As described here, you can add another config file (secret.settings.json) for your secrets.

    {
        "ConnectionStrings": {
            "SqlConnectionString": "server=myddatabaseserver;user=tom;password=123;"
        },
        "MyCustomStringSetting": "Override Some Name",
        "MailSettings": {
            "PrivateKey": "xYasdf5678asjifSDFGhasn1234sDGFHg"
        }
    }
    

    Add your new settings file to the .gitignore. Then remove local.settings.json from the .gitignore and redact any secret values.

    {
        "IsEncrypted": false,
        "Values": {
            "AzureWebJobsStorage": "UseDevelopmentStorage=true",
            "FUNCTIONS_WORKER_RUNTIME": "dotnet"
        },
        "ConnectionStrings": {
            "SqlConnectionString": "--SECRET--"
        },
        "MyCustomStringSetting": "Some Name",
        "MyCustomNumberSetting": 123,
        "MailSettings": {
            "FromAddress": "local-testing123@email.com",
            "ToAddress": "receiver@email.com",
            "MailServer": "smtp.mymailserver.com",
            "PrivateKey": "--SECRET--"
        }
    }
    

    Then make sure that your extra config file is included.

    // Requires the Microsoft.Extensions.Configuration.Json package.
    using Microsoft.Extensions.Configuration;

    // context is the ExecutionContext injected into the function;
    // FunctionAppDirectory is where local.settings.json lives when running locally.
    var config = new ConfigurationBuilder()
        .SetBasePath(context.FunctionAppDirectory)
        // Redacted, source-controlled settings first (optional: the file is not published to Azure)...
        .AddJsonFile("local.settings.json", optional: true, reloadOnChange: true)
        // ...then the git-ignored secrets file; later providers override earlier ones,
        // so its values replace the "--SECRET--" placeholders.
        .AddJsonFile("secret.settings.json", optional: true, reloadOnChange: true)
        // Environment variables win over both files (this is how settings arrive in Azure).
        .AddEnvironmentVariables()
        .Build();
    

    With this technique, at least all settings are being tracked in source control. Any secret values are safely redacted.
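The weak point of this scheme is the "redact any secret values" step, which is still done by hand. Below is an added example (not part of the answer above) of a small pre-commit guard that parses local.settings.json and fails if any secret-looking setting still holds a real value instead of the `--SECRET--` placeholder. The key and value patterns, the two embedded sample files (one copied from the answer, one a constructed unredacted variant), and the `find_leaks`/`check_text` helper names are assumptions made for this example.

```python
"""Pre-commit guard for Azure Functions local.settings.json.

Exit non-zero when a setting that looks like a secret is not redacted to
the --SECRET-- placeholder, so real credentials never reach git.
"""
import json
import re
import sys

PLACEHOLDER = "--SECRET--"

# Hypothetical patterns for this example: setting names that normally carry
# secrets, and values that embed a credential under any name (e.g. a storage
# connection string with AccountKey=...).
SECRET_KEY_RE = re.compile(
    r"(secret|password|privatekey|connectionstring|apikey|token)", re.I)
SECRET_VALUE_RE = re.compile(
    r"(password|pwd|accountkey|sharedaccesskey)\s*=", re.I)

# Sample input copied from the redacted local.settings.json in the answer.
REDACTED_SETTINGS = """{
    "IsEncrypted": false,
    "Values": {
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet"
    },
    "ConnectionStrings": { "SqlConnectionString": "--SECRET--" },
    "MyCustomStringSetting": "Some Name",
    "MyCustomNumberSetting": 123,
    "MailSettings": {
        "FromAddress": "local-testing123@email.com",
        "ToAddress": "receiver@email.com",
        "MailServer": "smtp.mymailserver.com",
        "PrivateKey": "--SECRET--"
    }
}"""

# Constructed sample: the same file with the real values left in by mistake.
LEAKED_SETTINGS = """{
    "IsEncrypted": false,
    "Values": {
        "AzureWebJobsStorage": "UseDevelopmentStorage=true",
        "FUNCTIONS_WORKER_RUNTIME": "dotnet"
    },
    "ConnectionStrings": {
        "SqlConnectionString": "server=myddatabaseserver;user=tom;password=123;"
    },
    "MyCustomStringSetting": "Some Name",
    "MyCustomNumberSetting": 123,
    "MailSettings": {
        "FromAddress": "local-testing123@email.com",
        "ToAddress": "receiver@email.com",
        "MailServer": "smtp.mymailserver.com",
        "PrivateKey": "xYasdf5678asjifSDFGhasn1234sDGFHg"
    }
}"""


def _walk(node, path=()):
    """Yield (path, leaf_value) for every scalar in a nested JSON object."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, path + (key,))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, path + (str(index),))
    else:
        yield path, node


def find_leaks(settings: dict) -> list:
    """Return dotted paths of string settings that look like unredacted secrets."""
    leaks = []
    for path, value in _walk(settings):
        if not isinstance(value, str) or value == PLACEHOLDER:
            continue  # numbers/booleans and already-redacted values are fine
        if SECRET_KEY_RE.search(path[-1]) or SECRET_VALUE_RE.search(value):
            leaks.append(".".join(path))
    return leaks


def check_text(text: str) -> list:
    """Parse a settings file's contents and return the leaked setting paths."""
    return find_leaks(json.loads(text))


if __name__ == "__main__":
    # Usage: python check_settings.py [path/to/local.settings.json]
    target = sys.argv[1] if len(sys.argv) > 1 else "local.settings.json"
    with open(target, encoding="utf-8") as fh:
        leaked = check_text(fh.read())
    for item in leaked:
        print(f"unredacted secret in {target}: {item}", file=sys.stderr)
    sys.exit(1 if leaked else 0)
```

Wire it up as a pre-commit hook (or a CI step) so a commit that still contains the real `SqlConnectionString` or `PrivateKey` is rejected before it leaves the developer's machine; the git-ignored secret.settings.json is never checked because it is never staged.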