In almost every Azure Tenant I use, I have one Azure Function App that helps me to be more productive. Since the first day of the introduction Azure Functions, I used them to
automate different tasks. Over the time, the collection of functions became quite big and I would love to share them with you so you can benefit from them as well 🙂

Table of Contents

  1. Setup the Environment
  2. Functions

This is the first part of many to come!

Disclaimer:
PowerShell for Azure Functions is not officially supported by Microsoft yet, it’s still in preview (v2). Azure Functions is available in two major versions, v1 and v2. PowerShell is available in both, but v2 offers much more capabilities, is more modular and is also the version that will be supported in the future. Azure Function v1 with PowerShell will officially never leave the experimental stage.

Setup the Environment

First things first, setting up the Function App.

I’d recommend to create a new Resource Group just for automation purposes - If you already have one dedicated to this, great, just use that one!

Create Function AppCreate Function App

Afterwards, we need to create the Managed Identity.
Navigate to the Platform features and click Identity.

Managed IdentityManaged Identity

Managed IdentityManaged Identity

This creates an managed identity within the Azure AD of your tenant, also Known as App registration or Enterprise Application.
Depending on your permissions and/or the scope you intend to use the Azure Function, you now can set the permissions of the managed identity to your
desired subscription, resource group, key vault or any other resource that support Azure RBAC.

Now we are ready to start!

If you want to learn more about Azure Functions, check out the links below:
Azure Functions Introduction
Azure Functions PowerShell
Azure Functions PowerShell Developer Guide

Functions

This section is dedicated to the functions I wrote. In this post, I will focus on functions for accessing and managing Azure KeyVault.
In general, I write all functions to interact directly with the Azure APIs.

Wait a second Christoph, why don’t you just use the Azure PowerShell az Module instead?

Great question, I’m so glad you asked!

Generally, this would work of course - just add the module to the Function App and you’re golden. But if you want your function to be as fast as possible - and this should be the goal for serverless computing - use the Azure REST-API directly. This takes away the overhead produced by the Azure cmdlets and will boost the performance tremendously!
Besides that, the management of adding and updating modules in Azure Functions is not the most pleasant experience.

Ok, lets get to the functions!

There are different ways to create a function in a function app. You can create a Function in the Azure Portal, you can use the excellent Visual Studio Code extension or you can just use the Azure Functions Core Tools and any editor you are familiar with. The Azure portal is the least fluent development experience, but it is sill improving. In a later post, we will give you an example for deployment via CI/CD-Pipeline using Azure DevOps and an introduction to Azure Functions Core Tools.

Key Vault has actually two different APIs - one for the management portion and one for accessing data (aka. dataplane API).
We’re focussing on the dataplane API since we want to mange secrets.

All Functions are available in my Github repo AzureMaintenanceFunctions.

The function GetKeyVaultSecrets retrieves all secret in the specified KeyVault:

run.ps1link
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
<#
.SYNOPSIS
Recieve all secrets from a specific Azure Key Vault.
.DESCRIPTION
Recieve all secrets from a specific Azure Key Vault.
.PARAMETER vaultName
Specifies the name of the Azure Key Vault you wnat to recieve secrets from.
Mandatory
.EXAMPLE
Invoke-RestMethod -Method Get -Uri 'https://<functionName>.azurewebsites.net/api/GetVaultSecrets?vaultName=[vaultName]code=[token]'
#>

using namespace System.Net

param($Request, $TriggerMetadata)

$vaultName = $Request.Query.vaultName

# Acquire Access Token
$apiVersion = '2017-09-01'
$resourceURI = 'https://vault.azure.net'
$tokenAuthURI = $env:MSI_ENDPOINT + "?resource=$resourceURI&api-version=$apiVersion"
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"Secret" = "$env:MSI_SECRET" } -Uri $tokenAuthURI
$authHeader = @{Authorization = "Bearer $($tokenResponse.access_token)" }

$param = @{
'Uri' = "https://$vaultName.vault.azure.net/secrets?api-version=7.0"
'Method' = 'Get'
'Header' = $authHeader
'ErrorAction' = 'Stop'
'ContentType' = 'application/json'
}

try {
$response = Invoke-RestMethod @param
$status = 200
} catch {
$status = 500
$response = @{
'value' = $_.Exception.Message
}
}

[System.Collections.ArrayList]$arr = @()
if ($status -eq 200) {
foreach ($secret in $($response.Value)) {
$name = $secret.id -replace "https://$vaultName.vault.azure.net/secrets/"

Add-Member -MemberType NoteProperty -Name 'Name' -Value $name -InputObject $secret
$arr.Add($secret) | Out-Null
}
}

Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = $status
Body = (Convertto-json -inputObject $arr -depth 10 -compress)
})

You can apply the name of your KeyVault by adding the parameter to the Function URI:

1
$response = Invoke-RestMethod -Method 'GET' -Uri 'https://[functionName].azurewebsites.net/api/GetVaultSecrets?vaultName=[vaultName]code=[token]'

When the Manged Identity of the Function has permission to list secrets in the specified KeyVault, all of them will be casted into the $response variable.

To actually retrieve the secret, you have to use the Function GetKeyVaultSecret.

1
$response = Invoke-RestMethod -Method 'GET' -Uri 'https://[functionName].azurewebsites.net/api/GetVaultSecrets?vaultName=[vaultName]&secretName=[secretName]&code=[token]'

You can specify the version of the secret as well, if you need it:

1
$response = Invoke-RestMethod -Method 'GET' -Uri 'https://[functionName].azurewebsites.net/api/GetVaultSecrets?vaultName=[vaultName]&secretName=[secretName]&secretVersion=[secretVersion]&code=[token]'

You can list all versions using the GetKeyVaultSecretVersion Function.

Retrieving secrets is great, but we also want to create or change some.

The Function SetKeyVaultSecret is dedicated to this.

1
2
3
4
5
6
7
$param = @{
"secretValue" = "secretValue",
"vaultName" = "vaultName",
"secretName" = "secretName"
}

$response = Invoke-RestMethod -Method 'POST' -Uri 'https://<functionName>.azurewebsites.net/api/GetVaultSecrets?code=[token]' -Body (ConvertTo-Json -InputObject $param)

If the secret with the specified name does not exists yet, a new secret will be created - if it’s already there, a new version will be applied.

This concludes the first part - in future posts I will get into more details of the design of the functions, how the authentication works and some bits and bobs a I learned over the time.