Managed Identity — Accessing Key Vault secrets from Logic App & Function
With the increasing awareness of and focus on security in integration implementations, there are initiatives to remove the need to store passwords anywhere in an implementation. Azure managed identity is one such initiative: it lets most Azure integration services authenticate to each other with a platform-managed identity, which eliminates the need to use or store passwords in the integration implementation.
There are scenarios where integrations built with Logic Apps and Function Apps need to read secrets from Key Vault. Here are some ways to read Key Vault secrets using managed identity.
As a prerequisite, the Logic App or Function App identity must be granted the necessary roles or access policies on the Key Vault:
If the Key Vault uses the RBAC permission model, the key vault secret reader role should be assigned to the identity.
If the Key Vault uses the access policy permission model, an access policy that allows the identity to list and read secrets should be created and assigned.
Logic Apps standard/Azure Function — Reading from Configuration:
Logic Apps Standard is built on the Azure Functions runtime. This makes it easy to create multiple workflows within a single logic app. It also provides app settings at the logic app level, which every workflow can access by creating parameters.
App settings currently support reading secrets from Key Vault using managed identity, through a Key Vault reference of the form:
@Microsoft.KeyVault(VaultName=<key Vault name>;SecretName=<secret name>)
In a Logic Apps workflow, a parameter is created whose value is read from that app setting:
@appsettings('configName')
Another option is the Key Vault connector, but currently service principal authentication is the only authentication option it offers in Logic Apps Standard.
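A Key Vault reference is only useful if every secret-bearing app setting actually uses one; a plaintext connection string next to a correctly referenced password still defeats the point. The following Python script is an added example (not code from the original article) that parses both documented forms of the reference syntax, the VaultName/SecretName form shown above and the SecretUri form, and audits a set of app settings for values that look like secret material but are not Key Vault references. The sample settings, the vault name contoso-kv and the name/value patterns used to decide what counts as sensitive are constructed assumptions for the demo; the platform itself resolves the references with the app's managed identity, so this script never touches a vault.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Key Vault reference syntax accepted by App Service / Functions / Logic Apps Standard
# app settings. Two forms are documented:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/[<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
_REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
_SECRET_URI_RE = re.compile(
    r"^https://(?P<vault>[a-zA-Z0-9-]+)\.vault\.azure\.net/secrets/"
    r"(?P<name>[a-zA-Z0-9-]+)(?:/(?P<version>[0-9a-f]{32}))?/?$"
)

# Heuristics (assumptions for this example) for settings that should never hold a raw value.
_SENSITIVE_NAME = re.compile(r"(password|secret|token|connectionstring|sharedaccesskey|accountkey)", re.I)
_SENSITIVE_VALUE = re.compile(r"(AccountKey=|SharedAccessKey=|Password=|SharedAccessSignature=)", re.I)


@dataclass(frozen=True)
class KeyVaultReference:
    vault_name: str
    secret_name: str
    secret_version: Optional[str] = None  # None means "latest version"


def parse_reference(value: str) -> Optional[KeyVaultReference]:
    """Return the parsed reference, None if the value is not a reference at all,
    or raise ValueError if it looks like a reference but is malformed."""
    m = _REF_RE.match(value.strip())
    if not m:
        return None
    parts: Dict[str, str] = {}
    for item in m.group("body").split(";"):
        if not item.strip():
            continue
        if "=" not in item:
            raise ValueError(f"key/value pair expected, got {item!r}")
        key, val = item.split("=", 1)
        parts[key.strip()] = val.strip()
    if "SecretUri" in parts:
        um = _SECRET_URI_RE.match(parts["SecretUri"])
        if not um:
            raise ValueError(f"SecretUri is not a vault secret URL: {parts['SecretUri']!r}")
        return KeyVaultReference(um.group("vault"), um.group("name"), um.group("version"))
    if "VaultName" in parts and "SecretName" in parts:
        return KeyVaultReference(parts["VaultName"], parts["SecretName"], parts.get("SecretVersion"))
    raise ValueError("reference needs SecretUri or both VaultName and SecretName")


def audit_app_settings(settings: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (setting name, reason) for every setting that stores secret material
    directly or carries a reference the platform would fail to resolve."""
    findings: List[Tuple[str, str]] = []
    for name, value in settings.items():
        try:
            ref = parse_reference(value)
        except ValueError as exc:
            findings.append((name, f"malformed Key Vault reference: {exc}"))
            continue
        if ref is not None:
            continue  # resolved at runtime via managed identity; nothing stored here
        if _SENSITIVE_NAME.search(name) or _SENSITIVE_VALUE.search(value):
            findings.append((name, "plaintext secret material stored in app setting"))
    return findings


# Constructed sample app settings; values are illustrative, not real credentials.
SAMPLE_SETTINGS = {
    "FUNCTIONS_WORKER_RUNTIME": "java",
    "SqlPassword": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=sql-password)",
    "ServiceBusConnection": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/sb-conn/)",
    "ApiToken": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/api-token/0123456789abcdef0123456789abcdef)",
    "LegacyStorage": "DefaultEndpointsProtocol=https;AccountName=example;AccountKey=EXAMPLE-NOT-A-KEY",
    "SmtpPassword": "example-plaintext-value",
    "BrokenRef": "@Microsoft.KeyVault(VaultName=contoso-kv)",
}

if __name__ == "__main__":
    for setting, reason in audit_app_settings(SAMPLE_SETTINGS):
        print(f"{setting}: {reason}")
```

Run against the sample, the audit flags LegacyStorage and SmtpPassword (raw secret material) and BrokenRef (a reference missing its SecretName, which the platform would leave unresolved and the app would then read as the literal string), while the three correctly formed references pass. Pinning SecretVersion in a reference means a rotated secret is not picked up until the setting is changed, so leaving the version out is usually preferable when rotation is automated.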
Azure Functions — Reading from code implementation:
If the secret name has to be chosen dynamically at runtime, reading from configuration does not work, because a Key Vault reference names one fixed secret. In that case the secret can be read from code instead.
Here is an example in Java that authenticates to Azure with the Function App's managed identity and looks up the Key Vault from code.
POM File Dependency:
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure</artifactId>
<version>1.23.0</version>
</dependency>
Code snippet:
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.AppServiceMSICredentials;
import com.microsoft.azure.management.Azure;
import com.microsoft.azure.management.keyvault.Vault;
//...
// Placeholder values; in a Function App these would normally come from app settings
String subscriptionId = "<subscription id>";
String resourceGroup = "<resource group>";
String keyvaultName = "<key vault name>";
// AppServiceMSICredentials requests a token from the App Service managed identity endpoint,
// so no client secret or certificate is stored in the app
Azure azure = Azure.authenticate(new AppServiceMSICredentials(AzureEnvironment.AZURE))
        .withSubscription(subscriptionId);
// Resolve the vault by resource group and name using the authenticated client
Vault myKeyVault = azure.vaults().getByResourceGroup(resourceGroup, keyvaultName);
The Microsoft Docs page "Managed identities — Azure App Service" provides code samples for other programming languages as well.
Logic Apps consumption:
Reading secrets using key vault connector — Managed identity
In addition to the service principal option, the Key Vault connector supports managed identity, although this support is still in preview. To use it, a managed identity must be enabled on the Logic Apps Consumption resource; the connector then authenticates with that identity and reads the secrets from Key Vault.
Conclusion:
As you can see, Logic Apps and Functions can use managed identity to read secrets from Key Vault without any stored credentials. Azure Functions and Logic Apps can also connect to a suite of other Azure services using managed identity, such as Azure SQL, Azure Storage and Azure Service Bus. This is a great path to password-less authentication.