How do I use a Public Key Certificate that is stored in Key Vault in an Azure Service Environment and configure this from the DevOps Pipeline?
When connecting to an API from an Azure Function or Web App I can upload the public key certificate (.cer file) to the LocalMachine store of the App and add the thumbprints to the configuration using the key "WEBSITE_LOAD_ROOT_CERTIFICATES". When doing this with a self signed certitifcate for an internal organisational API I usually have to specify the Root and Intermediate thumbrints and upload the Root and Intermediate certificate to the Function App.
I like the idea of having the organisational self signed certificates stored in Key Vault so the API that is secured can use the certificate and the consumers of the API can just grab the public key during their deployment.
Is there a way to store these certificates in KeyVault, reference them from an Azure Function (or equivalent) so that I do not have to manually load the certificates and associate them with the HttpClient using code? I like simplicity of using the "WEBSITE_LOAD_ROOT_CERTIFICATES" configuration key.
I would like to configure this in the Azure Devops Pipeline.
How do I use a Public Key Certificate that is stored in Key Vault in an Azure Service Environment and configure this from the DevOps Pipeline?
First create a Azure Key Vault and provide the required access policies to retrieve the Secrets or Certificates.
For this , we need Service Principal.
Create Service Principal using the Azure CLI command.
az ad sp create-for-rbac --name MyServicePrincipal --role Contributor --scopes /subscriptions/YourSubscriptionID/resourceGroups/YourRGName/Providers/Microsoft.KeyVault/vaults/YourKeyVaultName
Next Provide the Access Policies.
- Under
Certificate permissions, select the operation based on your requirement.
- Select the
Service Principalwhich you have created and continue with next steps toCreate an access policy.
Is there a way to store these certificates in KeyVault, reference them from an Azure Function (or equivalent)
Yes, we can use Azure Functions to retrieve the Certificate from Key Vault.
Install the NuGet packages.
Azure.Security.KeyVault.Secrets
Microsoft.Azure.Services.AppAuthentication
configure this from the DevOps Pipeline?
We can use the Azure CLI or Powershell command in the Azure Pipelines to get the Certificate.
Use Get-AzKeyVaultCertificate, in the Pipeline.
- task: AzureKVCertificates@5
inputs:
azureSubscription: <azure-subscription-name>
ScriptType: InlineScript
Inline: |
Get-AzKeyVaultCertificate -VaultName KVName -Name CertificateName
OR
We can use WEBSITE_LOAD_CERTIFICATES by providing the thumbprint values.
References taken from MSDoc and retrieve Azure Key Vault Secrets using Azure Functions
- create azure functionapp from docker image via cli
- Azure functions in Python - "Duplex option is required" error
- Binding expression to read folder from config section?
- Azure "easy auth" OpenID Connect scope
- Azure Function App - No continuous deployment setting for "Flex Consumption" hosting plan?
- How to configure Azure pipeline approval check to deploy to Azure function apps?
- az funcapp publish .net8 Isolated breaking Azure configuration runtime settings on Sync
- Azure SignalR: None of the transports supported by the client are supported by the server
- Azure Function v2 Python deployed functions are not showing
- Azure Service Plan - Convert Consumption App to Premium App
- Getting exception "Cannot dynamically create an instance of type 'Microsoft.Azure.Functions.Worker.Http.HttpRequestData'." in Azure function
- CS:0021 Error code in Azure Function project in VS for running Microsoft Graph API with Azure Functions
- Azure Blob:- How to automate Azure Archive Storage to Cool/Hot tier conversion, send download link once it's avaible , and re-archive after 72 hours?
- .NET 8 (isolated worker model) PUT/POST methods have null body
- logs not appearing in Application Insights for Azure Functions v4 with .NET 8
- Override Azure Functions Environment in Azure Kubernetes Service
- Azure Function App - frequent hang and deadlocks
- Azure Function running locally but not in Azure
- Azure function fails Value cannot be null. Parameter name: value
- Using Google.Cloud.BigQuery.V2 API in Azure Functions
- Azure Functions no job found (python)
- Is it possible to read File from same folder where Azure function exists
- port 7071 is unavailable. Close the process using that port, or specify another port using --port [-p]
- azure function app (python) - How to check package versions in function app
- Azure Function on consumption plan cold start can be up to 30 minutes
- No job functions found. Try making your job classes and methods public
- Is GetConnectionStringOrSetting deprecated? What is the best replacement?
- Array properties not mapped/deserialized when deserializing JSON
- Exception: AttributeError: Anonymous when starting a basic function app
- EventHubTrigger C# with eventData object does not work