Integrate Azure Key Vault for SQL connection string management in web app

Author: bryansan-local

samples/web-app-sql-database/python/bicep/main.bicep

@@ -473,11 +473,10 @@ resource configAppSettings 'Microsoft.Web/sites/config@2024-11-01' = {
   properties: {
     SCM_DO_BUILD_DURING_DEPLOYMENT: 'true'
     ENABLE_ORYX_BUILD: 'true'
-    SQL_SERVER: sqlServer.properties.fullyQualifiedDomainName
-    SQL_DATABASE: sqlDatabaseName
-    SQL_USERNAME: sqlDatabaseUsername
-    SQL_PASSWORD: sqlDatabasePassword
-    SQL_CONNECTION_STRING: '@Microsoft.KeyVault(SecretUri=${sqlConnectionStringSecret.properties.secretUri})'
+    //Pass Key Vault name and secret name as app settings.
+    //The Python SDK will retrieve the actual connection string value from Key Vault
+    KEY_VAULT_NAME: keyVaultName
+    SECRET_NAME: sqlConnectionStringSecretName
     LOGIN_NAME: username
   }
 }

samples/web-app-sql-database/python/scripts/deploy.sh

@@ -378,24 +378,18 @@ else
 	exit 1
 fi
 
-# Get Secret URI
-SECRET_URI=$($AZ keyvault secret show \
-	--vault-name "$KEY_VAULT_NAME" \
-	--name "$SECRET_NAME" \
-	--query "id" \
-	--output tsv)
-
-echo "Secret URI: $SECRET_URI"
-
 # Set web app settings
+# Pass Key Vault name and secret name as app settings.
+# The Python SDK will retrieve the actual connection string value from Key Vault.
 echo "Setting web app settings for [$WEB_APP_NAME]..."
 $AZ webapp config appsettings set \
 	--name "$WEB_APP_NAME" \
 	--resource-group "$RESOURCE_GROUP_NAME" \
 	--settings \
 	SCM_DO_BUILD_DURING_DEPLOYMENT='true' \
 	ENABLE_ORYX_BUILD='true' \
-	SQL_CONNECTION_STRING="@Microsoft.KeyVault(SecretUri=${SECRET_URI})" \
+	KEY_VAULT_NAME="$KEY_VAULT_NAME" \
+	SECRET_NAME="$SECRET_NAME" \
 	LOGIN_NAME="$LOGIN_NAME" \
 	--only-show-errors 1>/dev/null
 

samples/web-app-sql-database/python/src/database.py

@@ -3,14 +3,15 @@
 Supports both traditional ODBC connections and passwordless Azure AD authentication
 """
 
-from multiprocessing import connection
+import logging
 import os
 import struct
-import pyodbc
-import logging
-from typing import Optional, List, Dict, Any
 from contextlib import contextmanager
+from typing import Any, Dict, List, Optional
+
+import pyodbc
 from azure.identity import DefaultAzureCredential
+from azure.keyvault.secrets import SecretClient
 
 # Configure logging
 logger = logging.getLogger(__name__)
@@ -61,44 +62,36 @@ def __init__(
     @classmethod
     def from_env(cls) -> 'SqlHelper':
         """
-        Create a SqlHelper instance from environment variables.
-
-        You can either pass the following set of variables, if you plan to use DefaultAzureCredential:
-            - AZURE_CLIENT_ID
-            - AZURE_CLIENT_SECRET
-            - AZURE_TENANT_ID
-
-        Instead, if you plan to use the connection string directly, you can set:
-            - SQL_SERVER
-            - SQL_DATABASE
-            - SQL_USERNAME
-            - SQL_PASSWORD
+        Create a SqlHelper instance using KEY_VAULT_NAME and SECRET_NAME environment variables.
+        The secret must contain a SQL connection string. Uses DefaultAzureCredential for authentication.
         """
-        connection_string = os.environ.get("SQL_CONNECTION_STRING")
-        if connection_string:
-            return cls.from_connection_string(connection_string)
+        key_vault_name = os.environ.get("KEY_VAULT_NAME")
+        secret_name = os.environ.get("SECRET_NAME")
 
-        client_id = os.environ.get("AZURE_CLIENT_ID")
-        client_secret = os.environ.get("AZURE_CLIENT_SECRET")
-        tenant_id = os.environ.get("AZURE_TENANT_ID")
-        server = os.environ.get("SQL_SERVER")
-        database = os.environ.get("SQL_DATABASE")
-        username = os.environ.get("SQL_USERNAME")
-        password = os.environ.get("SQL_PASSWORD")
-
-        if not any([client_id, client_secret, tenant_id, server, database, username, password]):
-            raise ValueError("You properly need to define environment variables.")
-
-        logger.info("Environment variables loaded successfully")
-
-        return cls(
-            server=server,
-            database=database,
-            username=username,
-            password=password,
-            use_azure_credential=all([client_id, client_secret, tenant_id])
-        )
-
+        if not key_vault_name or not secret_name:
+            raise ValueError("KEY_VAULT_NAME and SECRET_NAME environment variables are required")
+        
+        return cls.from_key_vault(key_vault_name, secret_name)
+    
+    @classmethod
+    def from_key_vault(cls, vault_name: str, secret_name: str) -> 'SqlHelper':
+        """
+        Create a SqlHelper instance by reading the connection string from Azure Key Vault.
+        
+        """
+        vault_url = f"https://{vault_name}.vault.azure.net"
+        credential = DefaultAzureCredential(exclude_interactive_browser_credential=False)
+        client = SecretClient(vault_url=vault_url, credential=credential)
+        
+        logger.info(f"Retrieving secret [{secret_name}] from Key Vault [{vault_name}]...")
+        secret = client.get_secret(secret_name)
+        
+        if not secret.value:
+            raise ValueError(f"Secret [{secret_name}] in Key Vault [{vault_name}] has no value")
+        
+        logger.info(f"Secret [{secret_name}] retrieved successfully from Key Vault [{vault_name}]")
+        return cls.from_connection_string(secret.value)
+    
     @classmethod
     def from_connection_string(cls, connection_string: str) -> 'SqlHelper':
         """
@@ -127,7 +120,7 @@ def from_connection_string(cls, connection_string: str) -> 'SqlHelper':
             )
 
         logger.info("Connection string parsed successfully")
-        logger.debug(f"Server: {server}, Database: {database}, Username: {username}")
+        logger.info(f"Server: {server}, Database: {database}, Username: {username}")
 
         return cls(
             server=server,

samples/web-app-sql-database/python/src/requirements.txt

@@ -3,3 +3,4 @@ azure-identity==1.25.1
 pyodbc==5.3.0
 gunicorn==20.1.0
 python-dotenv==1.1.1
+azure-keyvault-secrets