This sample contains an Azure Function (actually two: one is called via Timer every hour, the other one is for manual trigger via HTTP) that uses an AWS user to create Session Tokens.

ReneHezser/RH-TokenRefresh-Function

Renew AWS SessionToken and store values in Azure KeyVault

Architecture

Please use this code as a sample only, and give me feedback so that I can improve the sample.

AWS User

For an existing IAM user create an access key. The Function uses that key to call AWS STS (GetSessionToken) and obtain temporary credentials: an access key ID, a secret access key and a session token. These temporary credentials carry the same permissions as the user, with one restriction: unless MFA was supplied with the call, they cannot call IAM APIs and can call STS only for AssumeRole and GetCallerIdentity. Because the stored long-lived key is as powerful as the user itself, give that user only the permissions the consumers of the session token actually need.

AWS User Summary

The access key ID is stored as AWS-Access-Key-ID in KeyVault and the corresponding key as AWS-Secret-Access-Key.

Azure KeyVault

KeyVault stores 5 secrets:

  • AWS-Access-Key-ID
  • AWS-Secret-Access-Key
  • AccessKeyId
  • SecretAccessKey
  • SessionToken

The first two are the long-lived access key of the IAM user and are only used to call the AWS STS service for session tokens. The other three hold the current temporary credentials returned by STS; other services read them in order to connect to AWS (all three values, including SessionToken, have to be presented together). They are regenerated every hour (configurable in the timer Function). Because temporary credentials expire, request a session duration longer than the refresh interval, so that a consumer which read the secrets just before a refresh is not left with values that expire before the next run.
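The refresh cycle described above (read the user's key from KeyVault, call STS, write the three rotating secrets back) as an added example. This is not the repository's code; it is an in-process Azure Functions implementation written for this page. Assumed, not taken from the README: the function names, the hourly NCRONTAB schedule, the STS region (us-east-1), the two-hour session duration, and the NuGet packages Azure.Identity, Azure.Security.KeyVault.Secrets and AWSSDK.SecurityToken (v3). The secret names and the KeyVaultUrl setting are the ones the README uses.

```csharp
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

// Added example, not the repository's code. Assumed packages: Azure.Identity,
// Azure.Security.KeyVault.Secrets, AWSSDK.SecurityToken (v3) and the in-process
// Azure Functions SDK (Microsoft.NET.Sdk.Functions).
public static class RefreshSessionToken
{
    // The five secret names from the KeyVault section of the README.
    private const string UserKeyIdSecret = "AWS-Access-Key-ID";
    private const string UserSecretKeySecret = "AWS-Secret-Access-Key";
    private const string SessionKeyIdSecret = "AccessKeyId";
    private const string SessionSecretKeySecret = "SecretAccessKey";
    private const string SessionTokenSecret = "SessionToken";

    // Ask STS for twice the refresh interval so a consumer that read the secrets
    // just before a refresh still holds valid credentials for another hour.
    private const int RefreshIntervalSeconds = 3600;
    private const int SessionDurationSeconds = 2 * RefreshIntervalSeconds;

    // Timer trigger: every full hour (assumed NCRONTAB schedule).
    [FunctionName("RefreshSessionTokenTimer")]
    public static Task RunTimer([TimerTrigger("0 0 * * * *")] TimerInfo timer, ILogger log)
        => RefreshAsync(log);

    // Manual trigger. AuthorizationLevel.Function means a function key is required;
    // do not make this Anonymous, or anyone on the internet can force a rotation.
    [FunctionName("RefreshSessionTokenNow")]
    public static async Task<IActionResult> RunHttp(
        [HttpTrigger(AuthorizationLevel.Function, "post")] HttpRequest req, ILogger log)
    {
        DateTime expiration = await RefreshAsync(log);
        return new OkObjectResult(new { expiration });
    }

    private static async Task<DateTime> RefreshAsync(ILogger log)
    {
        string vaultUrl = Environment.GetEnvironmentVariable("KeyVaultUrl")
            ?? throw new InvalidOperationException("App setting KeyVaultUrl is missing");

        // In Azure, DefaultAzureCredential resolves to the Function App's managed identity.
        var vault = new SecretClient(new Uri(vaultUrl), new DefaultAzureCredential());

        // Long-lived IAM user key: read it, use it, never log it.
        string accessKeyId = (await vault.GetSecretAsync(UserKeyIdSecret)).Value.Value;
        string secretAccessKey = (await vault.GetSecretAsync(UserSecretKeySecret)).Value.Value;

        // STS is a global service; the region only selects the endpoint (assumed us-east-1).
        using var sts = new AmazonSecurityTokenServiceClient(accessKeyId, secretAccessKey, RegionEndpoint.USEast1);
        GetSessionTokenResponse response = await sts.GetSessionTokenAsync(new GetSessionTokenRequest
        {
            DurationSeconds = SessionDurationSeconds // STS accepts 900..129600 for an IAM user
        });
        Credentials session = response.Credentials;

        // All three values must be written; a consumer needs the complete triple.
        await StoreAsync(vault, SessionKeyIdSecret, session.AccessKeyId, session.Expiration);
        await StoreAsync(vault, SessionSecretKeySecret, session.SecretAccessKey, session.Expiration);
        await StoreAsync(vault, SessionTokenSecret, session.SessionToken, session.Expiration);

        log.LogInformation("Stored AWS session credentials valid until {Expiration:o}", session.Expiration);
        return session.Expiration;
    }

    // Setting ExpiresOn on each secret lets readers (and Key Vault's own attributes)
    // tell whether the stored credentials are still usable.
    private static Task StoreAsync(SecretClient vault, string name, string value, DateTime expiration)
    {
        var secret = new KeyVaultSecret(name, value);
        secret.Properties.ExpiresOn = new DateTimeOffset(expiration.ToUniversalTime());
        secret.Properties.ContentType = "text/plain";
        return vault.SetSecretAsync(secret);
    }
}
```

The three SetSecret calls are not atomic: a consumer can observe a new AccessKeyId next to an old SessionToken for a moment. If that matters, have consumers retry on an AWS InvalidClientTokenId or ExpiredToken error, or store the triple as one JSON secret instead of three.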

Azure Function

The Function App needs to be able to get and update (set) secrets in KeyVault. For that, configure it to use a Managed Identity and grant that identity access on KeyVault: with an access policy, the Get and Set secret permissions; with Azure RBAC, the Key Vault Secrets Officer role. A general tutorial can be found in this post.

App Settings

After creating the system-assigned identity and granting it permissions in KeyVault, the Function App can fetch the AWS user's access key by adding the two settings UsernameFromKeyVault and PasswordFromKeyVault. They hold the secret identifier URIs of AWS-Access-Key-ID and AWS-Secret-Access-Key (the same format as in local.settings.json below).

App Settings in Azure Function

Local debugging of the Azure Function

For local debugging you do not use the AWS secrets stored in KeyVault; instead the access key is read in plain text from local.settings.json via the settings PlainUsername and PlainPassword. Keep that file out of source control (the Azure Functions project template already lists local.settings.json in .gitignore) and rotate the key if it ever leaks. The remaining settings mirror the App Settings of the deployed Function.

{
  "IsEncrypted": false,
  "Values": {
    "AzureWebJobsStorage": "DefaultEndpointsProtocol=https;AccountName=...;AccountKey=...;EndpointSuffix=core.windows.net",
    "FUNCTIONS_WORKER_RUNTIME": "dotnet",
    "UsernameFromKeyVault": "https://....vault.azure.net/secrets/AWS-Access-Key-ID/...",
    "PasswordFromKeyVault": "https://g....vault.azure.net/secrets/AWS-Secret-Access-Key/...",
    "KeyVaultUrl": "https://....vault.azure.net",

    "AccessKeyIdFromKeyVault": "https://....vault.azure.net/secrets/AccessKeyId/...",
    "SecretAccessKeyFromKeyVault": "https://....vault.azure.net/secrets/SecretAccessKey/...",
    "SessionTokenFromKeyVault": "https://....vault.azure.net/secrets/SessionToken/...",

    "PlainUsername": "AKIA...",
    "PlainPassword": "..."
  }
}
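How the two credential sources can be resolved at startup (plain-text settings when debugging locally, KeyVault secret URIs otherwise), as an added example that is not the repository's code. Assumed, not from the README: the class and record names, the use of the App Service environment variable WEBSITE_INSTANCE_ID to detect that the code runs in Azure, and that DefaultAzureCredential is used both in Azure (managed identity) and locally (Azure CLI or Visual Studio sign-in). The setting names are the ones from local.settings.json above.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example, not the repository's code. Assumed packages: Azure.Identity and
// Azure.Security.KeyVault.Secrets.
public static class AwsUserCredentialSource
{
    public sealed record AwsUserCredentials(string AccessKeyId, string SecretAccessKey, string Source);

    public static async Task<AwsUserCredentials> ResolveAsync(TokenCredential credential = null)
    {
        string plainUser = Environment.GetEnvironmentVariable("PlainUsername");
        string plainPass = Environment.GetEnvironmentVariable("PlainPassword");

        // Plain-text path is only honoured outside Azure, so a stray PlainPassword
        // app setting on the deployed Function App is never used by accident.
        // WEBSITE_INSTANCE_ID is set by App Service / Azure Functions hosting (assumption).
        bool runningInAzure = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_INSTANCE_ID"));
        if (!runningInAzure && !string.IsNullOrEmpty(plainUser) && !string.IsNullOrEmpty(plainPass))
        {
            return new AwsUserCredentials(plainUser, plainPass, "local.settings.json");
        }

        // Managed identity in Azure; developer sign-in (Azure CLI, Visual Studio) locally.
        credential ??= new DefaultAzureCredential();
        string keyId = await ReadSecretAsync(RequiredSetting("UsernameFromKeyVault"), credential);
        string secretKey = await ReadSecretAsync(RequiredSetting("PasswordFromKeyVault"), credential);
        return new AwsUserCredentials(keyId, secretKey, "KeyVault");
    }

    // The setting holds a full secret identifier
    // (https://<vault>.vault.azure.net/secrets/<name>/<version>), so split it into
    // vault URI, name and optional version instead of hard-coding the vault.
    private static async Task<string> ReadSecretAsync(string secretIdentifier, TokenCredential credential)
    {
        var id = new KeyVaultSecretIdentifier(new Uri(secretIdentifier));
        var client = new SecretClient(id.VaultUri, credential);
        KeyVaultSecret secret = await client.GetSecretAsync(id.Name, id.Version);

        // Refuse a secret whose ExpiresOn attribute has passed rather than handing out
        // credentials that AWS will reject anyway.
        if (secret.Properties.ExpiresOn is DateTimeOffset exp && exp <= DateTimeOffset.UtcNow)
        {
            throw new InvalidOperationException($"Secret {id.Name} expired at {exp:o}");
        }
        return secret.Value;
    }

    private static string RequiredSetting(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"App setting {name} is missing");
}
```

Pinning a version in the URI (the trailing path segment) means a rotated AWS-Secret-Access-Key is not picked up until the setting is updated; leave the version off if the Function should always read the latest value.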

Links
