In my previous post, I explained How to retrieve Azure Key Vault Secrets using Azure Functions, where you pass the Key Vault URL and the secret name to retrieve a secret generically, so you could use the same function inside all your Logic App Standard workflows, whether they use the same Key Vault resource or different ones.
This approach fills the gap left by the absence of a built-in Key Vault connector in Logic App Standard, especially if you need VNET support. However, this first approach has a disadvantage, in my opinion: it can only retrieve one secret per execution. If you need four secrets inside your Logic App Standard workflow, you must add four actions, so the workflow grows with the number of secrets you have to get. We also know that, at the moment, the more actions a workflow has, the slower the Logic App Designer becomes.
So, to:
- Improve Logic App Designer performance (independent of whether you are using Visual Studio Code for Logic App Standard or Visual Studio for Logic App Consumption)
- Improve workflow performance – fewer HTTP Calls
- Reduce the size of your Logic Apps business process.
We can create an Azure Function to retrieve all the necessary Secrets from the Key Vault.
How to retrieve all the necessary Azure Key Vault Secrets using Azure Functions?
Similar to the previous sample, we will create an Azure Function that receives a JSON payload with the Key Vault URL, but this time, instead of a single secret name, it receives a list of secret names to retrieve. Once again, the function is written to be generic so that we can reuse it in all our Logic App Standard workflows, whether they use the same Key Vault resource or different ones. The payload looks like this:

```json
{
  "KeyVaultUrl": "https://<vault-name>.vault.azure.net/",
  "SecretNames": [
    { "SecretName": "<secret-name-1>" },
    { "SecretName": "<secret-name-2>" },
    { "SecretName": "<secret-name-3>" }
  ]
}
```
You can, of course, develop your Azure Function in the Azure Portal or in Visual Studio Code. Nevertheless, in this sample we will use Visual Studio 2022 and a C# HTTP-triggered .NET 6.0 (in-process) function.
To compile, you need the following NuGet packages (JsonConvert and JObject come from Newtonsoft.Json, which the in-process Functions SDK already references):
- Azure.Identity (1.6.0)
- Azure.Security.KeyVault.Secrets (4.3.0)
```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;
using Newtonsoft.Json.Linq;

// Request model matching the payload shown above.
public class SecretsRequest
{
    public string KeyVaultUrl { get; set; }
    public List<SecretNamesRequest> SecretNames { get; set; }
}

public class SecretNamesRequest
{
    public string SecretName { get; set; }
}

public static class GetKeyVaultSecrets
{
    [FunctionName("GetKeyVaultSecrets")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
        ILogger log)
    {
        log.LogInformation("C# HTTP trigger function processed a request.");

        string requestBody = await new StreamReader(req.Body).ReadToEndAsync();
        SecretsRequest data = JsonConvert.DeserializeObject<SecretsRequest>(requestBody);

        // DefaultAzureCredential uses the Function App's managed identity once deployed;
        // when running locally it falls back to the environment variables AZURE_CLIENT_ID,
        // AZURE_CLIENT_SECRET and AZURE_TENANT_ID, or to the Visual Studio / Azure CLI sign-in.
        var client = new SecretClient(vaultUri: new Uri(data.KeyVaultUrl), credential: new DefaultAzureCredential());

        // One round trip to Key Vault per requested secret; the response is keyed by secret name.
        var response = new JObject();
        foreach (SecretNamesRequest kvSecret in data.SecretNames)
        {
            KeyVaultSecret secret = await client.GetSecretAsync(kvSecret.SecretName);
            response.Add(new JProperty(kvSecret.SecretName, secret.Value));
        }

        return new JsonResult(response);
    }
}
```

The function returns a flat JSON object with one property per requested secret, named after the secret:

```json
{
  "<secret-name-1>": "<secret-value-1>",
  "<secret-name-2>": "<secret-value-2>",
  "<secret-name-3>": "<secret-value-3>"
}
```
You can now publish this Azure Function into a Function App resource in your Landing Zone, protected by VNET integration, so that it can reach all your private Key Vaults, and call it from your Logic App Standard workflows. Two points to keep in mind: the function key is the only thing authorizing callers, and the function's managed identity decides which vaults and secrets can actually be read, so store the key as a secret (for example in the Logic App's app settings rather than in the workflow definition) and grant the identity only the Get secret permission on the vaults it needs. Also, the response carries secret values in clear text, so enable Secure Outputs on the HTTP action in your workflow; otherwise the values are written to the run history.
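As an added example (this is not code from the original post), here is a hardened variant of the same function that I would ask for before it goes into a landing zone. It rejects vault URLs whose host is not in an allowed suffix list, so a caller holding the function key cannot point the function's identity at an arbitrary endpoint; it reuses one credential and one SecretClient per vault instead of building them on every request; it fetches the secrets in parallel; and it reports missing or forbidden secrets by name instead of failing on the first one. The allowed suffix `.vault.azure.net` and the function name `GetKeyVaultSecretsHardened` are assumptions for this example; the request payload and the success response match the contracts above.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;
using Newtonsoft.Json;

// Same request model as the payload above.
public class SecretsRequest
{
    public string KeyVaultUrl { get; set; }
    public List<SecretNamesRequest> SecretNames { get; set; }
}

public class SecretNamesRequest
{
    public string SecretName { get; set; }
}

public static class GetKeyVaultSecretsHardened
{
    // One credential and one client per vault for the lifetime of the host:
    // DefaultAzureCredential probes several credential sources and the client
    // caches access tokens, so creating them on every request is wasteful.
    private static readonly DefaultAzureCredential Credential = new DefaultAzureCredential();
    private static readonly ConcurrentDictionary<string, SecretClient> Clients = new();

    // Assumption: only public-cloud vaults are in scope. Add the suffixes for
    // sovereign clouds or Managed HSM if you use them.
    private static readonly string[] AllowedHostSuffixes = { ".vault.azure.net" };

    [FunctionName("GetKeyVaultSecretsHardened")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "post", Route = null)] HttpRequest req,
        ILogger log)
    {
        string body = await new StreamReader(req.Body).ReadToEndAsync();
        SecretsRequest data;
        try
        {
            data = JsonConvert.DeserializeObject<SecretsRequest>(body);
        }
        catch (JsonException)
        {
            return new BadRequestObjectResult("Body must be JSON.");
        }

        // Validate the vault URL before the identity is used against it: absolute,
        // https, and a host we expect. Everything else is rejected.
        if (data?.SecretNames == null || data.SecretNames.Count == 0 ||
            !Uri.TryCreate(data.KeyVaultUrl, UriKind.Absolute, out Uri vaultUri) ||
            vaultUri.Scheme != Uri.UriSchemeHttps ||
            !AllowedHostSuffixes.Any(s => vaultUri.Host.EndsWith(s, StringComparison.OrdinalIgnoreCase)))
        {
            return new BadRequestObjectResult(
                "KeyVaultUrl must be an https URL of an allowed vault host and SecretNames must be non-empty.");
        }

        // Drop blanks and duplicates so a repeated name costs a single round trip.
        var names = data.SecretNames
            .Select(s => s?.SecretName?.Trim())
            .Where(n => !string.IsNullOrEmpty(n))
            .Distinct(StringComparer.OrdinalIgnoreCase)
            .ToList();

        SecretClient client = Clients.GetOrAdd(vaultUri.Host, _ => new SecretClient(vaultUri, Credential));

        // Fetch all secrets concurrently; per-secret failures are collected, not thrown.
        var tasks = names.Select(async name =>
        {
            try
            {
                KeyVaultSecret secret = await client.GetSecretAsync(name);
                return (name, value: secret.Value, error: (string)null);
            }
            catch (RequestFailedException ex) when (ex.Status == 404)
            {
                return (name, value: (string)null, error: "not found");
            }
            catch (RequestFailedException ex) when (ex.Status == 403)
            {
                return (name, value: (string)null, error: "forbidden");
            }
        });
        var results = await Task.WhenAll(tasks);

        var secrets = results.Where(r => r.error == null).ToDictionary(r => r.name, r => r.value);
        var errors = results.Where(r => r.error != null).ToDictionary(r => r.name, r => r.error);

        // Log names and counts only; never log secret values.
        log.LogInformation("Resolved {Ok} of {Total} secrets from {Vault}", secrets.Count, names.Count, vaultUri.Host);

        // A workflow that needs four secrets cannot proceed with three, so any
        // failure fails the whole request and no values are returned.
        if (errors.Count > 0)
        {
            return new BadRequestObjectResult(new { errors });
        }
        return new OkObjectResult(secrets);
    }
}
```

On success the response is the same flat object as above, so the workflow does not change; on a failure it gets a 400 with an `errors` object such as `{ "errors": { "<secret-name-2>": "not found" } }`, which is far easier to debug from a Logic App run than a generic 500. Unexpected Key Vault errors (throttling, network) are still thrown and surface as a 500, which is what you want a retry policy to react to.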
Enjoy it!