I was working with account keys, SAS tokens and passwords in my current project and was thinking about how to store them securely. The obvious answer was to use the amazing Key Vault, but I was worried about the boilerplate code I would need to write to extract secrets from it.

Fortunately, Microsoft has made our life easier :)

Now you can retrieve secrets without writing any code. You might have a scenario where you have an Azure Function and want to send some information to Blob storage from it. You will need an account key or SAS to access Blob storage.

Account keys and SAS are sensitive information and they are obvious candidates to be stored in Key Vault.

Here is the flow diagram showing how to do it. I will explain step by step how to access Key Vault in Azure Functions (or App Service). Assuming you have a function and a Key Vault, I will just retrieve a simple secret and print it out in the function.

1.) Create a secret in Key Vault and get its URL:

Go to Secrets and click on Generate/import:

Enter a valid name for the secret along with the secret value and click Create. Optionally, you can set the expiration date. This option is particularly useful if the secret holds a SAS token that will expire after a fixed time. Key Vault will remind you that the SAS key is about to expire and you need to generate a new one.

Go to the secret and get its secret identifier (URL) as below:

2.) Add the secret identifier to your function or web app's application settings

Go to your function's app settings and add a new app setting key with the value below:

@Microsoft.KeyVault(SecretUri=Your_secret_uri)
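
An added example, not part of the original post: a Python helper for the function side that validates the reference format from step 2, refuses to use a setting that still holds the literal reference, and logs a fingerprint rather than the secret. It relies on App Service exposing app settings as environment variables and leaving the reference string in place when it cannot be resolved; the setting name `BLOB_SAS`, the vault name and all sample values are assumptions made up for illustration.

```python
import hashlib
import os
import re
from urllib.parse import urlparse

# Shape of the reference string from step 2.
_REF = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>[^)\s]+)\)$")


def parse_reference(value):
    """Return (vault_host, secret_name, version or None), or None if not a reference."""
    m = _REF.match(value.strip())
    if not m:
        return None
    uri = urlparse(m.group("uri"))
    parts = [p for p in uri.path.split("/") if p]
    if uri.scheme != "https" or not uri.hostname:
        raise ValueError("SecretUri must be an https URL")
    if len(parts) not in (2, 3) or parts[0] != "secrets":
        raise ValueError("SecretUri path must be /secrets/<name>[/<version>]")
    return uri.hostname, parts[1], parts[2] if len(parts) == 3 else None


def read_secret_setting(name, environ=os.environ):
    """Read an app setting backed by a Key Vault reference; fail closed if unresolved."""
    value = environ.get(name)
    if not value:
        raise RuntimeError(f"app setting {name} is not set")
    if value.lstrip().startswith("@Microsoft.KeyVault("):
        # The literal reference reached the app, so the platform did not resolve it.
        raise RuntimeError(f"app setting {name} is an unresolved Key Vault reference")
    return value


def fingerprint(secret):
    """Short SHA-256 prefix that can be logged in place of the secret itself."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


if __name__ == "__main__":
    # Constructed sample values; vault name and setting name are placeholders.
    ref = "@Microsoft.KeyVault(SecretUri=https://example-vault.vault.azure.net/secrets/BlobSas/)"
    print(parse_reference(ref))
    env = {"BLOB_SAS": "sv=constructed-sample&sig=not-a-real-signature"}
    print("BLOB_SAS fingerprint:", fingerprint(read_secret_setting("BLOB_SAS", env)))
```
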