I'm currently tightening up some Azure functions which currently hold the connection string for blob storages in plain text in the Azure function. In order to remove the plain text element, I'm trying to call the values as secrets from KeyVault.
My first question is from the [Python SDK documentation](https://docs.microsoft.com/en-us/azure/developer/python/azure-sdk-authenticate):
```python
import os
from azure.identity import DefaultAzureCredential

# Acquire the resource URL
vault_url = os.environ["KEY_VAULT_URL"]
# Acquire a credential object
credential = DefaultAzureCredential()
```
So, they use `os.environ` to get the key vault URL. Does this only work locally or can I still use `os.environ` on an Azure function? If I can use `os.environ`, where do I store this value?
On top of that, I'm also using `DefaultAzureCredential()` - is this correct or should I be getting my credential from each function app? If I should be getting each credential, where do I get these from? I've looked in the function's Identity page to try and find an access token although couldn't find one.
Rant/problem explanation: What I'm having trouble getting is that at the moment no matter where I store the credential information, it's always in plain text somewhere. What I have currently works although the keyvault URI is in plain text and I don't know if the `DefaultAzureCredential()` should be passed through as opposed to a proper access token.
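
The pattern the question is circling, as an added example that is not part of the original post or the linked documentation: the vault URL is only an address and can sit in a Function App application setting (application settings are exposed to the function as environment variables), while `DefaultAzureCredential` obtains tokens at runtime so no token or key is stored anywhere. Assumptions: the Function App has a managed identity with permission to read secrets from the vault, and the secret name `storage-connection-string` is hypothetical.

```python
import os
from urllib.parse import urlparse


def vault_url_from_env(env=os.environ):
    """Read KEY_VAULT_URL and fail closed if it is missing or not https."""
    url = env.get("KEY_VAULT_URL", "").strip()
    parsed = urlparse(url)
    if parsed.scheme != "https" or not parsed.hostname:
        raise RuntimeError("KEY_VAULT_URL must be set to an https:// vault URL")
    return url


def _default_client(vault_url):
    # Imported lazily so this module loads without the Azure SDK installed.
    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient

    # No token or key is handled here. DefaultAzureCredential tries a chain
    # of sources: the managed identity when running in Azure, a developer
    # login (for example the Azure CLI) when running locally.
    return SecretClient(vault_url=vault_url, credential=DefaultAzureCredential())


def get_storage_connection_string(secret_name="storage-connection-string",
                                  env=os.environ,
                                  client_factory=_default_client):
    """Fetch the blob storage connection string from Key Vault at runtime.

    secret_name is a hypothetical name; client_factory exists so the lookup
    can be exercised with a stand-in client instead of a real vault.
    """
    client = client_factory(vault_url_from_env(env))
    return client.get_secret(secret_name).value
```
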