When connecting to an API from an Azure Function or Web App I can upload the public key certificate (.cer file) to the LocalMachine store of the App and add the thumbprints to the configuration using the key "WEBSITE_LOAD_ROOT_CERTIFICATES". When doing this with a self-signed certificate for an internal organisational API I usually have to specify the Root and Intermediate thumbprints and upload the Root and Intermediate certificates to the Function App.
I like the idea of having the organisational self-signed certificates stored in Key Vault so the API that is secured can use the certificate and the consumers of the API can just grab the public key during their deployment.
Is there a way to store these certificates in Key Vault and reference them from an Azure Function (or equivalent) so that I do not have to manually load the certificates and associate them with the HttpClient using code? I like the simplicity of using the "WEBSITE_LOAD_ROOT_CERTIFICATES" configuration key.
I would like to configure this in the Azure DevOps Pipeline.
How do I use a Public Key Certificate that is stored in Key Vault in an Azure Service Environment and configure this from the DevOps Pipeline?
First create an Azure Key Vault and provide the required access policies to retrieve the Secrets or Certificates. For this, we need a Service Principal. Create the Service Principal using the Azure CLI command:

    az ad sp create-for-rbac --name MyServicePrincipal --role Contributor --scopes /subscriptions/YourSubscriptionID/resourceGroups/YourRGName/providers/Microsoft.KeyVault/vaults/YourKeyVaultName
Next, provide the Access Policies. Under Certificate permissions, select the operations based on your requirement, pick the Service Principal which you have created, and continue with the next steps to create an access policy.

"Is there a way to store these certificates in KeyVault, reference them from an Azure Function (or equivalent)?"
Yes, we can use Azure Functions to retrieve the Certificate from Key Vault. Install the NuGet packages:

    Azure.Security.KeyVault.Secrets
    Microsoft.Azure.Services.AppAuthentication

"configure this from the DevOps Pipeline?"
We can use the Azure CLI or PowerShell command in the Azure Pipelines to get the Certificate. Use Get-AzKeyVaultCertificate in the Pipeline:
    # Azure PowerShell task (the original snippet named "AzureKVCertificates@5", which is not a built-in task;
    # the inputs below belong to AzurePowerShell@5)
    - task: AzurePowerShell@5
      inputs:
        azureSubscription: <azure-subscription-name>
        ScriptType: InlineScript
        azurePowerShellVersion: LatestVersion
        Inline: |
          Get-AzKeyVaultCertificate -VaultName KVName -Name CertificateName
OR we can use WEBSITE_LOAD_CERTIFICATES by providing the thumbprint values.

References taken from MSDoc and "retrieve Azure Key Vault Secrets using Azure Functions".
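An added example, not part of the question or the answer above: a Function App HttpClient that pulls the organisation's Root and Intermediate CA public certificates from Key Vault and validates the internal API's server certificate against only those CAs (so nothing needs to be installed in the LocalMachine store and validation is never disabled). It assumes the Azure.Identity and Azure.Security.KeyVault.Certificates NuGet packages, .NET 5 or later for CustomRootTrust, and that the Function's managed identity has "get" certificate permission; the vault URI and certificate names are placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;

public static class OrgTrustedHttpClient
{
    // Fetch the public part (the .cer bytes) of each named CA certificate from Key Vault.
    // Names such as "OrgRootCA" / "OrgIssuingCA" are placeholders for your real certificate names.
    public static async Task<X509Certificate2Collection> LoadCaCertificatesAsync(
        Uri vaultUri, IEnumerable<string> certificateNames)
    {
        var client = new CertificateClient(vaultUri, new DefaultAzureCredential());
        var cas = new X509Certificate2Collection();
        foreach (var name in certificateNames)
        {
            KeyVaultCertificateWithPolicy cert = await client.GetCertificateAsync(name);
            cas.Add(new X509Certificate2(cert.Cer)); // public key only; no private key is read
        }
        return cas;
    }

    // Accept a server certificate only if it chains to one of the organisation CAs.
    public static bool ValidateAgainstOrgCas(
        X509Certificate2 serverCert, X509Certificate2Collection caCerts, SslPolicyErrors errors)
    {
        // A hostname mismatch or a missing certificate is rejected regardless of the chain.
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch) ||
            errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
            return false;
        using var chain = new X509Chain();
        chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // ignore system roots
        chain.ChainPolicy.CustomTrustStore.AddRange(caCerts);             // root + intermediates
        // Revocation checking stays at the default (Online); the internal PKI must publish a reachable CRL/OCSP.
        return chain.Build(serverCert);
    }

    public static HttpClient Create(X509Certificate2Collection caCerts)
    {
        var handler = new HttpClientHandler
        {
            ServerCertificateCustomValidationCallback = (request, cert, chain, errors) =>
                cert is not null && ValidateAgainstOrgCas(cert, caCerts, errors)
        };
        return new HttpClient(handler);
    }
}
```

Load the CA collection once at startup (for example, `await LoadCaCertificatesAsync(new Uri("https://<vault>.vault.azure.net/"), new[] { "OrgRootCA", "OrgIssuingCA" })`) and reuse the HttpClient, so Key Vault is not called on every request.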