Working with App Settings

Introduction

In the previous step we deployed our Function App to Azure. We'll now take a look at the App settings.

Application settings in a function app contain configuration options that affect all functions for that function app. By default, you store connection strings and secrets used by your function app and bindings as application settings and access them as environment variables. However, secrets not needed by Azure to be stored as application settings should rather be stored in Azure KeyVault instead of the application settings.

Commands in this chapter are to be executed in the Function App root directory unless stated otherwise.

Fetch the settings from Azure

We learned in chapter 2.1 Local Function App that our local Function App settings are stored in a file called local.settings.json. When we created our local Function App, the file was added with the minimal set of entries the runtime needs to work properly.

Take a look at your local settings first:

func settings list

And compare it to the settings in Azure:

az functionapp config appsettings list --resource-group rg-functions-demo --name <APP_NAME>

As you can see, there are already more settings in Azure, even if we just created the app and deployed it once. For example, the settings for Application Insights were automatically set when we created the resources via Bicep.

To fetch the settings from Azure we can execute:

func azure functionapp fetch-app-settings <APP_NAME>

After executing the command, the local.settings.json is updated and matches the settings in Azure. If the file is, for whatever reason, not found on your machine, you can still execute the command and the file will be created for you.

Encrypting and decrypting

App settings and connection strings are stored encrypted in Azure. They're decrypted only before being injected into your app's process memory when the app starts.

The function runtime offers the possibility to encrypt and decrypt your local settings as well, and as these settings contain sensitive information (connection strings, secrets and so on) the simple advice is to encrypt them and only decrypt them if needed.

However, secrets not needed by Azure to be stored as application settings should rather be stored in Azure KeyVault instead of the application settings.

Encrypt the settings with:

func settings encrypt

Decrypt the settings with:

func settings decrypt

Use app settings in functions

Application settings can be accessed in functions like every other environment variable and are accessible in every function in the same Function App. Let's add a new function that returns all environment variables when it's called.

Add the function (use authlevel function):

func new --name settings --authlevel function --template "HTTP Trigger"

Update the code to return all environment variables (snippet):

const httpTrigger: AzureFunction = async function (
  context: Context,
  req: HttpRequest
): Promise<void> {
  context.res = {
    // this will return all environment variables
    body: process.env,
  };
};

Now start the Function App and call the settings endpoint. Interestingly you'll see not just the settings from the local.settings.json but also quite a lot that the runtime added by itself. Don't use environment variables not configured in local.settings.json in your function, however, because they aren't guaranteed.

Note: As application settings contain sensitive information you usually wouldn't return them like we did here and just use what's necessary where it's necessary in your functions.

🛠 TASK (optional): Deploy the Function App

Deploy the function app like you did in the previous chapter and call the new settings endpoint. You'll see that you won't get any output, but instead a 401 Unauthorized response. That's because we configured the authorization level to be function.

We'll learn how to call that function in a later chapter. For now we can just leave it like that as we made sure nobody besides us can call it.

Note: If you missed to create the function with authorization level set to function, just update the authLevel to function in the function.json and redeploy the Function App.

Quiz

Can the functions still be started if you delete the local.settings.json?

The Function App can still be executed, even though you'll get a warning:

Can't determine project language from files. Please use one of [--csharp, --javascript, --typescript, --java, --python, --powershell, --custom]

Using the specific language parameter the warning disappears:

npx tsc && func start --typescript

But only the basic environment variables will be available like that. Refetch them from Azure before you continue.


What alternate secrets store should you consider for sensitive information instead of application settings?

Azure KeyVault is a secure alternative if your secrets are not required to be stored as application settings by Azure.