General availability: Updates to secrets configuration options in App Service and Azure Functions
Published date: 07 July, 2021
Key Vault references now offer expanded networking support on both Windows and Linux, as well the ability to designate a user-assigned identity. We are also enabling apps to access their content package from blob storage using the app identity.
Key Vault references allow the app to use a managed identity to resolve secrets from Azure Key Vault and expose them as environment variables. This allows teams to easily move secrets into management without code changes. A previous announcement added the ability for Windows apps to use virtual network integrations when resolving secrets from Key Vault. The same support is now available to Linux apps, and the restrictions have been lifted for using networking integration and autorotation together.
Key Vault references have historically relied on the app's system-assigned identity. With today's update, apps can specify a user-assigned identity to instead be used for accessing their secrets. This greatly simplifies certain automation workflows, as the identity can be created and assigned permission to the vault before the app itself is created.
While these features make secrets management much simpler, it is often preferable to remove the secrets entirely from your workflow, instead relying on identity directly. Apps using run-from-package support have been able to leverage a shared access signature (SAS), which offers many advantages over a secret but still requires some management. Today, we are enabling apps to instead simply use a managed identity, providing that the app has been granted access to the storage account.
Along similar lines, apps should look to leverage the latest Azure SDK client libraries, which will help you connect to Azure services using an identity from your application code. For Azure Functions, we recently announced preview identity-based connection support, which allows system-assigned or user-assigned identities to be used the Functions runtime, triggers, and bindings.