Prerequisites

1. You will need Python installed on your machine
2. You will need to create a Team and a channel in the Team

Setting up a channel

Creating a channel

You will need to set up Teams before you create a channel, and if you have enough access, it is an easy thing to do. Once the Team is ready to use, you can either use one of the existing channel, or create a new one from the context menu.

Setting up the connector

When you have decided which channel to use, click on the three dot on the right-side of your channel name, and then click on the Connectors and then search for the connector “Incoming Webhook” and then click on the button “Add”.

The above process might take a few minutes. If you are unable to perform this, you can try using the web version of Microsoft Teams.

Use of web verstion of Microsoft Teams

The above step will add the connector to your Teams, so that you can start configuring your Webhook. Click on the Configure button.

Provide a meaningful name for your Webhook and upload an image if required. Finally click on the Create button. A unique Url will be generated for your Webhook. Copy the Url and save it somewhere, we will later add this to Azure Key Vault and use from there. Click on the Done button. Your Webhook now should be shown as configured.

Post Message Using the Connector

Setting up Azure Key Vault

Configuring the Azure Key Vault is as easy as you set up any other Azure Resource. You may get the steps required from this post or this. Add a new secret and paste the Webhook Url value you copied earlier.

Make sure that you had set up the Access Policies on your Azure Key vault.

Access Policy

Copy your Azure Key Vault name and the Secret name, we will use this in our Python function.

Setting up Python Application

Let’s set up our Python application. Create a directory msteams-webhook and create a file requirements.txt with the preceeding contents.

pymsteams[async]
azure-identity
azure-keyvault-secrets

Now run the commands below to create a virtual environment, activate the environment and then install the requirements in our environment. If you get a message like “WARNING: You are using pip version 19.2.3, however version 22.2.2 is available.”, you can upgrade pip by running the command python -m pip install --upgrade pip

py -m venv .venv
.\.venv\Scripts\activate
py -m pip install -r requirements.txt

You can learn more abou the Virtual Environment here.

Python Virtual Envrronment

Get the Secret from Azure Key Vault

Let’s create a new Python file keyvault_helper.py with the codes below.

Send Message to Teams Channel

To send a message to the Teams channel, we are going to use a package pymsteams. This has been already added to our requirements file. Let’s create a file notify_teams.py with the codes below.

As we have all the set up done, let’s create main.py file with the codes below to start sending the messages to the Teams channel.

Before you run the main file, make sure that you have logged in to the terminal using az login with the account that you had set the access policy in your azure key vault. We can also set this access policies by using a managed identity, or a service principal, so that we can use it for more production scenarios. But for this post, let’s stick with a user account.

If you get the error, VisualStudioCodeCredential: The current credential is not configured to acquire tokens for tenant or SharedTokenCacheCredential: The current credential is not configured to acquire tokens for tenant you can set the values  exclude_shared_token_cache_credential=True or exclude_visual_studio_code_credential=True when you get tokens using DefaultAzureCredential in your get_key_vault_secret function in keyvault_helper.py file.

Keyvault Error

By this time, we can hope that you will be able to get the secret from the key vault and now we can execute py .\main.py file. Once the file is executed, you should get a response in your cli as preceding.

{"version":"1.1","content":{"headers":[{"key":"Content-Type","value":["text/plain; charset=utf-8"]}]},"statusCode":200,"reasonPhrase":"OK","headers":[],"trailingHeaders":[],"requestMessage":null,"isSuccessStatusCode":true}

You should also get a message on your Teams channel.

Source Code

You can also see the codes in this repository.

About the Author

I am yet another developer who is passionate about writing and video creation. I have written more than 500 blogs on my blog. If you like this content, consider following me here,

• GitHub
• medium
• Twitter

Your turn. What do you think?

Thanks a lot for reading. Did I miss anything that you may think is needed in this article? Could you find this post useful? Kindly do not forget to share your feedback.

Kindest Regards

Sibeesh Venu

Prerequisites

I will try to make this post as simple as it can, however, a basic idea of the preceding things definitely makes things easier.

• Azure Key Vault
• Azure App Service
• Asp Net Core
• C#

Please remember that you need a valid Azure subscription. If you are looking to secure your Azure Function app settings, read my post here.

Build an Asp Net Core Web App

At thing stage, I am assuming that you already have an application, if you don’t have just create a sample application using some visual studio templates. Once the application is loaded, we can install the package “Microsoft.Extensions.Configuration.AzureKeyVault” from NuGet. As I said earlier, we will be using Azure services for this demo, we can leverage the option called ” Managed Identities” in Azure. Please be noted that if you are using any other cloud providers, the steps will be different.

Now, what is Managed Identities in Azure?

The one challenge we developers will always have is about the security and where we can save them and use them without compromising on the credentials. Azure Managed Identity will provide an identity for the resource in Azure AD and use the same to get the Azure Active Directory token. This token will be used to communicate between the services, in our cases, our Azure app service will talk to the Key Vault. The Managed Identity service is free of cost, another reason why not to use it.

There are two types of Managed Identities.

• System-assigned
• User-assigned

The System-assigned managed identity is tied to the Azure resource where you add the identity, this means that when you deleted the resource the identity will also be deleted automatically. Only some Azure resources support this identity type.

In the User-assigned identity, we can create a managed identity as a standalone Azure resource, the advantage of doing so, is that we can assign this identity to any resources we need and it is not tied to any resources. Thus, deleting a resource will not delete the identity. The preceding image explains when you can use a managed identity.

In our case, we need to get the secrets from our Key Vault and use the same in our Azure App service, thus I am going to use the System-assigned managed identity. I am sure, you know why.

Update the Appsetting

In the “appsettings.json,” we will be providing the Key vault name and that is it. No more connection string, no more client id, client secret, etc. Here is the sample setting file.

Now, let’s configure our app to use the values from the Azure Key Vault. Go to the “Program. cs” file and update the method CreateHostBuilder as follows.

As you can see that in the above code, we create an instance of “AzureServiceTokenProvider” without a connection string, and the provider will get an access token from the managed identity. Now let’s go to our Startup class and add the preceding code in the ConfigureServices method.

options.UseSqlServer(Configuration["DefaultConnection"],
            action => action.MigrationsAssembly(typeof(TenantContext).Assembly.FullName)));

That’s all. Now if you run this application you will get an error saying that “Value can not be null”. Remember that we have not created the Azure resources.

Configure Azure App Service and Azure Key Vault

Once you create your Azure Key Vault and Azure App Service, go to your Azure Key Vault and click on the secrets and add the secrets you have, in our case, a connection string. I will give the secret name “DefaultConnection” and the value as my database connection string.

An application deployed Azure App Service is automatically registered with Azure AD when the service is created. Let’s go to the identity panel of the Azure App service that you had created and enable the System-assigned managed identity.

Please be noted that once you click on the save button, the app service will be registered with Azure Active Directory and it can be granted permission to access resources protected by Azure AD. Now, get the object id from the screen and make a note of the same, as we will be using this in a while.

Now, go to the Azure Key Vault you have created and click on the “Access policies” from the left side pane, and click on the “+Add Access Policy”.

From the next screen, select the items as in the preceding image. Please be noted that you can choose the permissions that you want to set. In the “Select Principal” screen, search the item with the object id of our app service. Select the item and click save. This is how your screen may look like.

Click on the Add button. The policy will be added. Please do not forget to remember to click on the Save button from the next screen.

Do not forget to restart the Azure App Service, this is important. Now go ahead and publish your Asp Net Core application to your Azure App service. You can also use the Visual Studio Publish option or use the Azure DevOps pipeline. If you choose the second option, read my detailed article about it here.

That’s it. Well done. We now have a running application in the Azure app service, that fetches the secrets from the Azure Key Vault and uses them. But, will it work with the development environment? No, that requires a few more setups.

Secret Storage for Development Environment

Here, we are going to use a tool called Secret Manager. This tool will help us not to save any sensitive data in the application. Please be noted that the tool doesn’t encrypt the values, thus use it only for the development environment. This tool operates on project-specific configuration settings stored in your user profile. Go to your project home directory and run the preceding command to enable the Secret Storage.

dotnet user-secrets init

This will produce the output below.

Now, if you check the content of your “.csproj” file, you will see that a new property is added to the property group with GUID as value.

<UserSecretsId>cbc82397-befe-4fce-885d-d355bf89ef45</UserSecretsId>

Right-click on your project and click on the Manage User Secrets, this will show a “secret.json” file and this is where we are going to add all of our secrets, shh don’t say this to anyone. This is the location where this file is located “C:\Users\SibeeshVenu\AppData\Roaming\Microsoft\UserSecrets”. We can edit our secret.json file with the connection string, this is how your file may look like.

{
  "DefaultConnection": "yourconnectionstring"
}

Save the file, and run your application, it should work as it is. The secrets configuration source is automatically added to the development environment. Just look at the providers in the Configuration object now.

You can also add any properties via command line.

dotnet user-secrets set "AzureAd:ClientSecret" "secretvalue"

Here AzureAd is my object literal with a property ClientSecret in it. Once you run the command, you will get a response in the command line as preceding.

You can do many other things with this tool, I strongly recommend you to read this post to know more.

Conclusion

Congratulations and thanks a lot for being with me this far. We now have a complete secured application where we didn’t compromise on the credentials and secrets. Happy Coding!.

About the Author

I am yet another developer who is passionate about writing and video creation. I have written close to 500 blogs on my blog. And I upload videos on my YouTube channels Njan Oru Malayali and Sibeesh Passion. Please feel free to follow me.

• GitHub
• medium
• Twitter

Your turn. What do you think?

Thanks a lot for reading. Did I miss anything that you may think which is needed in this article? Could you find this post useful? Kindly do not forget to share your feedback.

Kindest Regards

Sibeesh Venu

Introduction

Security is something that we all are worried about, especially if your applications are in cloud. If someone is able to see the credentials or client’s data, then you lose the trust you have with your customer. I know, that no one likes it. Fortunately, every cloud providers have already provided enough options to make your application safe and secure. Here, in this post, we are going to discuss about such a feature in Microsoft Azure. I hope you have already used Azure Functions, if you have not, I strongly recommend you to see some related articles here. Here in this article, we will see how we can get the connection strings from Azure Key Vault and use it in our Azure Function instead of using it from the usual App Settings. Sounds interesting? So, let us do it.

Prerequisites

It would be great if are familiar with the preceding topics.

• Microsoft Azure
• Server less
• C#, or any other programming languages

You should have a valid Azure Subscription to follow along.

Background

As I was explaining, we are going to change the way we take the connection strings and other values in our Azure Function. Below is my Azure Function sample code.

As you can see that this function has custom binding with my service bus as it uses ServiceBusTrigger. The connection string name is ServiceBusConnectionString which we have already set in the Azure Function configuration.

You should be able to see all of your configurations and application settings once you click on the configuration tab.

Here in this post, we are going to change the value of ServiceBusConnectionString to the AzureKey Vault reference. This connection string is given by the customer, isn’t it always better to make it as secured as possible?

Configure Azure Key Vault

To get start, we should create an Azure Key Vault, please go to your Azure Portal and search with the keyword Key Vaults.

Once you had filled all the required information in the form, you can click on the create button.

If you are getting an error as shown in the image below, you should go to the Resource Provider section of your Subscription and then search for Microsoft.KeyValut and then click on register.

The key vault should be deployed in few seconds or minutes. Now you can go to your Key Vault. You can add Keys, Secrets, Certificates etc to your Key Vaults. But in this post, we are going to add a new Secret for our connection string. Click on the Secrets blade and then click on Generate/Import button. Now let us give all the details as shown in the below image.

Set Key Vault Access Policy

It is great that we have a Key Vault and secret, now we can give permission to our Azure Function application to retrieve this secrets from the Key Vault. But before you do that, you need to add a managed identity to the Azure Function.

Add a System Assigned Managed Identity to the Azure Function

To create an identity, please go to the Platform Features of your Azure Function and click on Identity.

Now let’s enable the System Assigned Identity.

Add Access Control

To give the access policy, first we should add a role assignment with contributor role for our application. Now we should also be able to add new role assignment. To do so, go to the Access Control section of your Key Vault and click on Add a role assignment blade.

Add Access Policy

Now that we have created a managed identity and a role assignment, we should be able to add the Access Polity in the Key Vault for our Azure Function. Go to your Key Vault and click on Access Policies and then click on Add new blade.

Please makes sure to use the, Object ID of the System Assigned Manged Identity that we have already created, here in the Select Principal column. This will make sure that our Azure Function has access to get the value from the Azure Key Vault.

At the end, you should have access policies as below.

Use the Key Vault Secret in Azure Function

Now that we have created our secret, and set up the access policy, we can get the secret identifier, to get this, please click on the secret you had created and then version. You should see a window as below.

The good thing is you can even provide the activation date and the expiry date. Isn’t it handy? Copy the value and then go to the configuration page of your Azure Function and then click on the app settings that you want to change, in my case the app setting with the key ServiceBusConnectionString. Now, you should see an option to edit the value there. Now you can give the value there as below.

@Microsoft.KeyVault(SecretUri=Secret URI with version)

Remember to save the changes and you get the notification as ” Successfully updated web app settings “. That’s it. Now you should be able to run your Azure Functions, the only difference is that we are getting the app settings value from the Key Vault.

By chance if you get an error as “The function runtime is unable to start. Microsoft.Azure.ServiceBus: Value for the connection string parameter name ‘@Microsoft.KeyVault“, please make sure that the right format @Microsoft.KeyVault(SecretUri=Secret URI with version) in the Value column.

Or if you get any error as “Value can not be null. Parameter name: uriString“, please make sure that you have done the Access Policy configuration correctly.

Run Azure Function

Now you can go to your Azure Functions and try to run any one of them which uses the app settings that we have configured. If everything is fine, you should be able to run the Function and should get some responses.

Conclusion

In this article, we have learned,

• About Azure Function and it’s configuration
• How to configure Azure Key Vault
• How to set Managed Identity for an Azure Function application
• How to create Role Assignments in Key Vault Access Control
• How to create Access policies for the managed identity
• How to use Azure Key vault secret in the Azure Function app settings

Please let me know what else you had learned from this Article.

Your turn. What do you think?

Thanks a lot for reading. Did I miss anything that you may think which is needed in this article? Could you find this post as useful? Kindly do not forget to share me your feedback.

Kindest Regards
Sibeesh Venu