SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension
0.0.2
See the version list below for details.
dotnet add package SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension --version 0.0.2
NuGet\Install-Package SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension -Version 0.0.2
<PackageReference Include="SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension" Version="0.0.2" />
paket add SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension --version 0.0.2
#r "nuget: SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension, 0.0.2"
// Install SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension as a Cake Addin
#addin nuget:?package=SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension&version=0.0.2
// Install SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension as a Cake Tool
#tool nuget:?package=SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension&version=0.0.2
This is a binding extension for Azure Functions
Because Security Matters
This binding extension enables Azure Functions to use Azure KeyVault to store and retrieve secrets, create and retrieve keys, and encrypt and decrypt values.
More capabilities, such as signing and certificates, are planned for the future.
The extension supports output bindings and input bindings.
Important: the output binding is transactional. Secrets and keys added through it are only flushed to KeyVault if the function completes successfully; if the function fails, nothing is written.
Changelog
Version 0.0.2 - Encryption and Decryption
- Added encryption and decryption support
Version 0.0.1 - Initial project start
- Added secret management
- Added key management
How to install
- Create a Function App in the portal
- Create a new Function within your function app
- Get your function's URL and your master key. The master key grants full administrative access to the function host, so keep it out of shared scripts, shell history and logs.
- Use Postman or curl to POST the following JSON to the extensions endpoint of your function app. If your function's URL is
https://MyKeyVaultFunction.azurewebsites.net/api/HttpTrigger1?code=ABC
then your extensions endpoint is https://MyKeyVaultFunction.azurewebsites.net/admin/host/extensions?code=ABC
{ "Id": "SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension", "Version": "0.0.2" }
- Check with the returned job id whether the job has completed and the extension is installed:
https://MyKeyVaultFunction.azurewebsites.net/admin/host/extensions/jobs/<JOBID>?code=ABC
- Set up your function.json with all the needed parameters
- Start using the function
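The install steps above, scripted with curl. This is an added example and not part of the package or its README. It assumes curl is installed and that the master key is supplied in the FUNCTIONS_MASTER_KEY environment variable and sent in the x-functions-key header (which the Functions host accepts in place of the ?code= query string), so the key never appears in a URL, shell history or proxy log. The "id" field of the install response and the "Started"/"Succeeded"/"Failed" job status values are assumptions, since the page does not document the response format.

```shell
#!/bin/sh
# Added example, not part of the package or its README: drive the install
# steps above with curl against the Functions host admin API.
# Assumptions: curl is installed; the master key comes from the
# FUNCTIONS_MASTER_KEY environment variable and is sent in the
# x-functions-key header rather than in the ?code= query string.
set -eu

PACKAGE_ID=SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension

# Derive the admin extensions endpoint from any function URL of the app, e.g.
#   https://MyKeyVaultFunction.azurewebsites.net/api/HttpTrigger1?code=ABC
#   -> https://MyKeyVaultFunction.azurewebsites.net/admin/host/extensions
extensions_endpoint() {
  rest=${1#https://}
  host=${rest%%/*}
  printf 'https://%s/admin/host/extensions\n' "$host"
}

# JSON body naming this package and version (defaults to the page's 0.0.2).
install_payload() {
  printf '{ "Id": "%s", "Version": "%s" }\n' "$PACKAGE_ID" "${1:-0.0.2}"
}

# Extract the job id from the host's response without needing jq. The field
# name "id" is an assumption; adjust it if your host returns another key.
job_id_from_response() {
  printf '%s' "$1" | sed -n 's/.*"id"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# POST the install request, then poll the job until it reports a terminal
# status. "Succeeded" and "Failed" are assumed status values.
install_extension() {
  func_url=$1; version=${2:-0.0.2}
  endpoint=$(extensions_endpoint "$func_url")
  response=$(curl -sS -X POST "$endpoint" \
    -H "x-functions-key: $FUNCTIONS_MASTER_KEY" \
    -H 'Content-Type: application/json' \
    -d "$(install_payload "$version")")
  job=$(job_id_from_response "$response")
  if [ -z "$job" ]; then
    printf 'no job id in response: %s\n' "$response" >&2
    return 1
  fi
  i=0
  while [ $i -lt 30 ]; do
    status=$(curl -sS "$endpoint/jobs/$job" -H "x-functions-key: $FUNCTIONS_MASTER_KEY")
    printf '%s\n' "$status"
    case $status in
      *Succeeded*) return 0 ;;
      *Failed*) return 1 ;;
    esac
    i=$((i + 1)); sleep 5
  done
  printf 'job %s still running after polling; check it manually\n' "$job" >&2
  return 1
}

# Usage:
#   FUNCTIONS_MASTER_KEY=... ./install.sh install https://<app>.azurewebsites.net/api/HttpTrigger1 0.0.2
case "${1:-}" in
  install) install_extension "$2" "${3:-0.0.2}" ;;
esac
```

The polling loop prints each job response so a failed install is visible rather than silently timing out; remove the extension from the JSON and re-run with another version to upgrade.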
How to uninstall
There is a problem with uninstalling extensions right now, so the easiest way is to delete the function app and create a new one. If you still want to uninstall the extension, this is how to do it:
- Stop the function app
- Use the Azure Portal or Azure Storage Explorer to connect to the file share in your function app's storage account
- Delete SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension.dll from site/wwwroot/bin
- Edit extensions.json in site/wwwroot/bin and remove the SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension extension from the array
- Edit extensions.deps.json in site/wwwroot/bin and remove any occurrence of SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension
- Edit extensions.csproj in site/wwwroot and remove the PackageReference for SiaConsulting.Azure.WebJobs.Extensions.KeyVaultExtension
- Start your function app
Running in Azure
When running in Azure, this binding extension authenticates against Azure KeyVault with the function app's Managed Service Identity (MSI).
Please make sure the MSI is enabled on the function app and that it has the KeyVault access policy listed in the table below, and nothing beyond what the bindings you use require.
Running local
When running locally, this binding extension still needs to authenticate against Azure KeyVault.
You need to create a new Service Principal and give it rights to use KeyVault. Note that az ad sp create-for-rbac, as shown here, also creates a role assignment at subscription scope (Contributor by default in older CLI versions). The extension only needs a KeyVault access policy, so prefer creating the principal without a role assignment and granting just the access policy from the table below.
Create a new SP using the Azure CLI:
az ad sp create-for-rbac --sdk-auth
Creating a role assignment under the scope of "/subscriptions/<your-subscription-id>"
Retrying role assignment creation: 1/36
{
"clientId": "<created-client-id>",
"clientSecret": "<created-client-secret>",
"subscriptionId": "<your-subscription-id>",
"tenantId": "<your-tenant-id>",
"activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
"resourceManagerEndpointUrl": "https://management.azure.com/",
"activeDirectoryGraphResourceId": "https://graph.windows.net/",
"sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
"galleryEndpointUrl": "https://gallery.azure.com/",
"managementEndpointUrl": "https://management.core.windows.net/"
}
Take your clientId, clientSecret and tenantId to create an environment variable to authenticate. The variable is read by the Microsoft.Azure.Services.AppAuthentication library the extension depends on:
using bash
export AzureServicesAuthConnectionString="RunAs=App;AppId=<clientId>;TenantId=<tenantId>;AppKey=<clientSecret>"
using Windows PowerShell/command line
setx AzureServicesAuthConnectionString "RunAs=App;AppId=<clientId>;TenantId=<tenantId>;AppKey=<clientSecret>"
After that you need to restart VS, VS Code or any running instance of the Functions Core Tools, because they only read the environment at start-up. Keep in mind that setx stores the client secret persistently in the user's environment; treat it like any other credential and delete or rotate it when it is no longer needed.
Access Policy needed for MSI/SP on Azure KeyVault
Binding Function | Mode | KeyVault Policy |
---|---|---|
KeyVaultSecret | In-Binding | Secret Permission Get |
KeyVaultSecret | Out-Binding | Secret Permission Set |
KeyVaultKeys | In-Binding | Key Permission Get |
KeyVaultKeys | Out-Binding | Key Permission Create |
KeyVaultEncryption | CreateKeyIfExists = false | Key Permission Encrypt |
KeyVaultEncryption | CreateKeyIfExists = true | Key Permission Encrypt, Create |
KeyVaultDecryption | CreateKeyIfExists = false | Key Permission Decrypt |
KeyVaultDecryption | CreateKeyIfExists = true | Key Permission Decrypt, Create |
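The local-development steps above and the access policy table together describe a least-privilege setup: a principal that holds only the permissions the bindings you actually use need. As an added example (not code from the package or its author), this script computes that minimal policy from a list of binding/mode pairs mirroring the table's rows and prints the az commands for a local service principal that gets no subscription role at all. The vault name, principal name and the <binding>:<mode> token format are this example's own conventions; az keyvault set-policy, its --spn, --secret-permissions and --key-permissions flags, and az ad sp create-for-rbac --skip-assignment are real Azure CLI options (the latter only in older CLI versions; current versions assign no role unless --role and --scopes are given).

```shell
#!/bin/sh
# Added example, not part of the package: compute the least-privilege KeyVault
# access policy for the bindings a function uses (per the table above) and
# print the az commands for a local-development service principal that holds
# only that policy. Vault and principal names are placeholders.
set -eu

# Append a permission to a space-separated list unless it is already there.
add_perm() {
  list=$1; perm=$2
  for p in $list; do
    if [ "$p" = "$perm" ]; then printf '%s' "$list"; return 0; fi
  done
  printf '%s' "${list:+$list }$perm"
}

# Each argument is <binding>:<mode>, mirroring the rows of the table:
#   secret:in  secret:out  key:in  key:out
#   encrypt:nocreate  encrypt:create  decrypt:nocreate  decrypt:create
# Prints "secret=<perms>;key=<perms>" with every permission listed once.
required_permissions() {
  secret_perms=''; key_perms=''
  for use in "$@"; do
    case $use in
      secret:in)        secret_perms=$(add_perm "$secret_perms" get) ;;
      secret:out)       secret_perms=$(add_perm "$secret_perms" set) ;;
      key:in)           key_perms=$(add_perm "$key_perms" get) ;;
      key:out)          key_perms=$(add_perm "$key_perms" create) ;;
      encrypt:nocreate) key_perms=$(add_perm "$key_perms" encrypt) ;;
      encrypt:create)   key_perms=$(add_perm "$key_perms" encrypt)
                        key_perms=$(add_perm "$key_perms" create) ;;
      decrypt:nocreate) key_perms=$(add_perm "$key_perms" decrypt) ;;
      decrypt:create)   key_perms=$(add_perm "$key_perms" decrypt)
                        key_perms=$(add_perm "$key_perms" create) ;;
      *) printf 'unknown binding use: %s\n' "$use" >&2; return 1 ;;
    esac
  done
  printf 'secret=%s;key=%s\n' "$secret_perms" "$key_perms"
}

# az keyvault set-policy granting exactly the computed permissions to the
# principal identified by its application (client) id.
set_policy_command() {
  vault=$1; app_id=$2; shift 2
  perms=$(required_permissions "$@")
  secret=${perms#secret=}; secret=${secret%%;*}
  key=${perms#*;key=}
  cmd="az keyvault set-policy --name $vault --spn $app_id"
  if [ -n "$secret" ]; then cmd="$cmd --secret-permissions $secret"; fi
  if [ -n "$key" ]; then cmd="$cmd --key-permissions $key"; fi
  printf '%s\n' "$cmd"
}

# Create the principal with no role assignment: older Azure CLI versions need
# --skip-assignment for that; current ones assign nothing unless --role and
# --scopes are given. --sdk-auth prints the JSON shown on this page.
create_sp_command() {
  printf 'az ad sp create-for-rbac --name %s --skip-assignment --sdk-auth\n' "$1"
}

# The connection string read by Microsoft.Azure.Services.AppAuthentication.
connection_string() {
  printf 'RunAs=App;AppId=%s;TenantId=%s;AppKey=%s\n' "$1" "$2" "$3"
}

# Usage: ./kv-policy.sh <vault> <sp-name> <binding:mode>...
if [ $# -ge 3 ]; then
  create_sp_command "$2"
  vault=$1; shift 2
  printf '# paste the clientId from the JSON above as the --spn value\n'
  set_policy_command "$vault" '<clientId>' "$@"
fi
```

Run it with, for example, `./kv-policy.sh kv-demo func-local-dev secret:in encrypt:nocreate` and it prints a set-policy command granting only secret get and key encrypt. Because the principal has no ARM role, a leaked local client secret exposes nothing but those KeyVault operations.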
Features and examples:
- Secrets
- Keys
- Encryption
- Decryption
- Signing (planned, see above)
- Certificates (planned, see above)
Product | Versions Compatible and additional computed target framework versions. |
---|---|
.NET | net5.0 was computed. net5.0-windows was computed. net6.0 was computed. net6.0-android was computed. net6.0-ios was computed. net6.0-maccatalyst was computed. net6.0-macos was computed. net6.0-tvos was computed. net6.0-windows was computed. net7.0 was computed. net7.0-android was computed. net7.0-ios was computed. net7.0-maccatalyst was computed. net7.0-macos was computed. net7.0-tvos was computed. net7.0-windows was computed. net8.0 was computed. net8.0-android was computed. net8.0-browser was computed. net8.0-ios was computed. net8.0-maccatalyst was computed. net8.0-macos was computed. net8.0-tvos was computed. net8.0-windows was computed. |
.NET Core | netcoreapp3.0 was computed. netcoreapp3.1 was computed. |
.NET Standard | netstandard2.1 is compatible. |
MonoAndroid | monoandroid was computed. |
MonoMac | monomac was computed. |
MonoTouch | monotouch was computed. |
Tizen | tizen60 was computed. |
Xamarin.iOS | xamarinios was computed. |
Xamarin.Mac | xamarinmac was computed. |
Xamarin.TVOS | xamarintvos was computed. |
Xamarin.WatchOS | xamarinwatchos was computed. |
Dependencies for .NETStandard 2.1:
- Microsoft.Azure.KeyVault (>= 3.0.4)
- Microsoft.Azure.Services.AppAuthentication (>= 1.3.1)
- Microsoft.Azure.WebJobs (>= 3.0.14)
- Microsoft.CSharp (>= 4.7.0)
NuGet packages
This package is not used by any NuGet packages.
GitHub repositories
This package is not used by any popular GitHub repositories.