Reputation: 1506
Apologies if this is a stupid question, but is settings > configuration the correct place to store environment-specific values for an Azure Function?
e.g. When connecting to microsoft.graph, the following are required:
Is it correct to store the client id & tenant id in settings > configuration, and then store the secret in a key vault?
Upvotes: 0
Views: 1806
Reputation: 8234
but is settings > configuration the correct place to store environment-specific values for an Azure Function?
Yes, you can store environment values in App Configuration.
Is it correct to store the client id & tenant id in settings > configuration, and then store the secret in a key vault?
Yes, but Azure App Configuration won't access your key vault. Because your app will read straight from Key Vault, you must allow it read access to the secrets in your key vault. This ensures that the secret remains with your app at all times. The access can be granted using either a Key Vault access policy or Azure role-based access control.
Upvotes: 1
Reputation: 21
Azure Key Vault is the better place to store the Tenant Ids, Client Ids and Secrets because it contains direct values and it can be seen by other users who have access to this function app.
If you store the confidential values in Key Vault, you can manage the users who can access it and who cannot by giving the Identity to the KeyVault.
But in Azure Function App > Configuration, you can give the value of the client secret like below:
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)
where the client secret is stored in your key vault > secrets path
Upvotes: 2
Reputation: 79
It is OK to use settings for storing keys. You can use Key Vault if you want to share secrets with other services.
Upvotes: 1
Reputation: 15571
Yes, it is.
Connection strings, environment variables, and other application settings are defined separately for each function app.
and
You can create any number of application settings required by your function code. There are also predefined application settings used by Functions. To learn more, see the App settings reference for Azure Functions.
These settings are stored encrypted. To learn more, see Application settings security.
Application settings can be managed from the Azure portal and by using the Azure CLI and Azure PowerShell. You can also manage application settings from Visual Studio Code and from Visual Studio.
and
Use application settings
The function app settings values can also be read in your code as environment variables.
Source: Manage your function app - Work with Application Settings.
For settings that are already available, see the App settings reference for Azure Functions.
Configuration settings that you want to share between (function) apps can be stored externally in a persisted store like App Configuration.
Azure App Configuration provides a service to centrally manage application settings and feature flags. Modern programs, especially programs running in a cloud, generally have many components that are distributed in nature. Spreading configuration settings across these components can lead to hard-to-troubleshoot errors during an application deployment. Use App Configuration to store all the settings for your application and secure their accesses in one place.
Upvotes: 1
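An added example, not part of any answer above: a startup check for the setup the answers describe, where the function reads its app settings as environment variables and the secret setting is a Key Vault reference. The setting names `TENANT_ID`, `CLIENT_ID` and `CLIENT_SECRET` and all helper names are assumptions chosen for illustration.

```python
import os
import re

# SecretUri form of a Key Vault reference, as shown in the answer above.
_KV_REF = re.compile(r"^@Microsoft\.KeyVault\(SecretUri=(?P<uri>https://[^)]+)\)$")

# Hypothetical setting names; use whatever names your function app defines.
REQUIRED = ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET")


class ConfigError(RuntimeError):
    """Raised when an app setting is missing or was not resolved."""


def parse_keyvault_reference(value):
    """Return the SecretUri if value is a Key Vault reference, else None."""
    match = _KV_REF.match(value.strip())
    return match.group("uri") if match else None


def load_graph_settings(env=None):
    """Read the Graph settings from environment variables and fail fast."""
    env = os.environ if env is None else env
    settings = {}
    for name in REQUIRED:
        value = env.get(name, "").strip()
        if not value:
            raise ConfigError(f"app setting {name} is missing or empty")
        # If the platform cannot resolve a Key Vault reference (for example
        # the app's identity has no read access to the secret), the code
        # receives the literal reference string instead of the secret.
        if value.startswith("@Microsoft.KeyVault("):
            raise ConfigError(
                f"app setting {name} is an unresolved Key Vault reference; "
                "check that the app's identity can read the secret"
            )
        settings[name] = value
    return settings


def audit_app_settings(app_settings, secret_names=("CLIENT_SECRET",)):
    """Given exported app settings (name -> configured value), list the
    secret settings that hold a plain value rather than a reference."""
    return [
        name for name in secret_names
        if name in app_settings
        and parse_keyvault_reference(app_settings[name]) is None
    ]
```

`load_graph_settings` is meant to run inside the function at startup, while `audit_app_settings` is meant to run against the configured values as exported from the portal or CLI, where a reference still appears in its `@Microsoft.KeyVault(...)` form.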