DISCLAIMER: This post is purely a personal opinion, not representing or affiliating my employer's.
I wrote a post quite a while ago, which discussed how to directly access to Azure Key Vault from Logic Apps. It's easy to build while it's only limited to Logic Apps. In another post, we discuss how to directly access to Key Vault from Azure Functions. Then what if we can access to Key Vault from Logic Apps, through Azure Functions? If we can do this, it could be more useful. Throughout this post, I'm going to build a custom connector for Logic Apps, using Azure Functions.
The sample codes used here in this post can be found at here.
Posts worth Reading
If you haven't read the series of my previous posts, please have a look. This is based on those posts.
- Accessing Key Vault from Logic App with Managed Identity
- Accessing Key Vault from Azure Functions with Managed Identity
- AutoMapper Dependency Injection into Azure Functions
- Rendering Swagger Definitions through Azure Functions V2
Writing ARM Templates
First of all, we need to write several ARM templates. These are Azure resources we need to use at least.
- Azure Storage Account
- Azure Key Vault
- Consumption Plan
- Azure Functions
- Azure Custom API Connector
- Azure API Connection
These are optional.
As it takes time to deploy all of above, this master template gives the one go.
NOTE: If you are not familiar with ARM templates written in YAML, please have a look at this post.
Instead of running the master template, just simply click the button below and it will open up Azure Portal to deploy all the resources.
Now, we've got all the Azure resources ready. Let's move on.
Deploying Azure Functions Application
From the repository, deploy the Azure Functions application to the instance. From the previous step, if ARM templates have run properly, we should be able to check the Managed Identity feature enabled by identifying the Object ID
value from the Portal.
Confirming Access Policies from Azure Key Vault
Let's have a look at the access policies properly set up. Once the ARM templates have been properly deployed, all the policies should be set up.
Configuring Logic App Custom Connector
The custom connector ARM template should already defined Open API definition. But, in case that Swagger document has been updated, this update can be imported like below. This post shows how to get Swagger definitions from the Azure Functions instance.
Authenticating API Connection
In order to use the custom connector from Logic App, we need to authenticate the API connection. Although each endpoint uses its own access key, it would be efficient using the host key for the API connection so that all endpoints can be accessible through the API connection.
Now, all setup is done. Run the Logic App test harness to get the secrets from Key Vault through Azure Functions.
All good!
So far, we have built a Logic App custom connector to access to Key Vault through Azure Functions. Now we have two options for Logic Apps to access to Key Vault – another Logic App or custom connector. The choice is yours.