Storing secrets in app_settings versus key vault for Azure App Service has some trade-offs. Here are some of the advantages and disadvantages of each option:

• App_settings: This option is simpler and more convenient, as you can access the secrets as regular app settings or connection strings in your application code. App settings are also securely encrypted at rest¹. However, app settings do not provide the same level of security and management as key vault. For example, app settings do not support hardware-level encryption, granular access policies, or certificate rotation². App settings are also a global resource for all your web apps, which may not be desirable if you need to isolate secrets for different regions or environments³.
• Key vault: This option is more secure and robust, as you can use key vault references to store secrets in a centralized service that provides full control over access policies and audit history¹. Key vault also supports hardware-level encryption, certificate rotation, and other advanced features⁴. However, key vault requires more configuration and permissions, as you need to create a vault, a managed identity, and an access policy for your application¹. Key vault is also a region-focused resource, which may introduce latency or availability issues if your web app and key vault are in different regions³.

In summary, app settings are a good choice for storing non-sensitive application settings, such as endpoint locations, sizing, flags, etc⁴. Key vault is a better choice for storing sensitive information, such as encryption keys, certificates, passwords, etc⁴. You can also use both options together, by creating app settings that reference secrets stored in key vault¹. This way, you can maintain secrets apart from your app’s configuration, and access them like any other app setting or connection string in your code¹.

 

1.       https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references

2.       https://stackoverflow.com/questions/67722160/what-is-the-point-of-using-azure-key-vault-instead-of-only-app-configuration

3.       https://learn.microsoft.com/en-us/azure/azure-app-configuration/faq

4.       https://learn.microsoft.com/en-us/azure/key-vault/secrets/secrets-best-practices

### Code sample for reading app settings

 

```python:

import logging

import os

import azure.functions as func

 

app = func.FunctionApp()

 

@app.function_name(name="HttpTrigger1")

@app.route(route="req")

def main(req: func.HttpRequest) -> func.HttpResponse:

    # Get the setting named 'myAppSetting'

    my_app_setting_value = os.environ["myAppSetting"]

    logging.info(f'My app setting value: {my_app_setting_value}')

    # Your other function logic goes here

    return func.HttpResponse("Function executed successfully!")

 

```

 

<a id="item-two"></a>

### Code sample for reading key vault secrets

 

```python:

# Import necessary libraries

import logging

import azure.functions as func

from azure.identity import DefaultAzureCredential

from azure.keyvault.secrets import SecretClient

 

def main(req: func.HttpRequest) -> func.HttpResponse:

    logging.info('Python HTTP trigger function processed a request.')

 

    # Initialize Azure credentials

    credentials = DefaultAzureCredential()

 

    # Create a SecretClient to interact with the Key Vault

    vault_url = "https://your-key-vault.vault.azure.net"  # Replace with your Key Vault URL

    secret_client = SecretClient(vault_url=vault_url, credential=credentials)

 

    # Retrieve the secret by name

    secret_name = 'your-secret-name'  # Replace with your secret name

    secret = secret_client.get_secret(name=secret_name)

 

    # Access the secret value

    secret_value = secret.value

 

    # You can now use the secret value in your function logic

    # For example, return it as an HTTP response

    return func.HttpResponse(f"Secret value: {secret_value}")

 

```

Make sure to replace the placeholders (your-key-vault.vault.azure.net and your-secret-name) with your actual Key Vault URL and secret name. Additionally, ensure that your Azure Function App has the necessary permissions to access the Key Vault (e.g., Reader role assignment).

Remember to include the required libraries (azure-functions, azure-keyvault-secrets, and azure-identity) in your requirements.txt file for deployment.

 

Previous articles: IaCResolutionsPart73.docx