Currently the most asked feature on UserVoice for Azure Function is integration of Azure Key vault. Unfortunately this is not yet available out of the box. In addition the solutions that are suggested are not very integrative as they do not support AutoResolve properties or can not be used for connection strings on trigger or bindings.

Welcome Willezone.Azure.WebJobs.Extensions.AzureKeyVault!

Since the configuration in Azure Function v2 relies on the Microsoft.Extensions.Configuration package we are able to actually extend this to also support Azure Key Vault. In order to integrate the Azure Key Vault configuration provider we need to use the existing IConfiguration and extend it with provider. After that the configuration instance must be replaced in the Service Provider.

static IWebJobsBuilder AddAzureKeyVault(this IWebJobsBuilder builder, 
    Func<ConfigurationBuilder, IKeyVaultClient> configure)
{
    var configurationBuilder = new ConfigurationBuilder();
    var descriptor = builder.Services.FirstOrDefault(d => d.ServiceType == typeof(IConfiguration));
    if (descriptor?.ImplementationInstance is IConfigurationRoot configuration)
    {
        configurationBuilder.AddConfiguration(configuration);
    }

    configurationBuilder.AddAzureKeyVault(....);

    var config = configurationBuilder.Build();
    builder.Services.Replace(ServiceDescriptor.Singleton(typeof(IConfiguration), config));
    return builder;
}

How to configure

Once the package is added to the function project, a WebJobsStartup class is needed to register and configure the extension.

This is an example WebJobsStartup class

using ExampleFunction;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Willezone.Azure.WebJobs.Extensions.AzureKeyVault;

[assembly: WebJobsStartup(typeof(Startup))]
namespace ExampleFunction
{
    public class Startup : IWebJobsStartup
    {
        public void Configure(IWebJobsBuilder builder)
        {
            // Create temporary service provider to access configuration.
            var tempProvider = builder.Services.BuildServiceProvider();
            var config = tempProvider.GetRequiredService<IConfiguration>();
            builder.AddAzureKeyVault(config["AzureKeyVault_Uri"]);
        }
    }
}

Access to Azure Key Vault is possible either via client id & secret or using Managed Service Identity!

Using the extension

Once the extension is registered and configured Azure Key Vault will also be used to get values for AutoResolve or AppSettings properties. In addition we can use the AzureKeyVaultClient binding to get the KeyVaultClient for advanced usage.

Example

[FunctionName("Function1")]
public static void Run(
    [BlobTrigger("%blobpath%", Connection = "storageconnection")]Stream myBlob,
    string name,
    ILogger log,
    [AzureKeyVaultClient]IKeyVaultClient client)
{
    log.LogInformation($"API Version: {client.ApiVersion}");
    log.LogInformation($"C# Blob trigger function Processed blob\n Name:{name}");
}

In this example the values for blobpath and storageconnection are now also pulled from Azure KeyVault, if there are no values present in the normal config. The AzureKeyVaultClient Attributes binds an instance of an IKeyVaultClient into the function for advanced usage.

Package & Source

The package is available on Nuget and the source for this can be found on Github. Feel free to fork it or open issues!