Parameterization is important when building a dataflow that is able to be run outside of the NiFi instance where it was built. NiFi allows users to build a data flow making use of Parameter Contexts. Using Parameter Contexts, you can define Processor and Controller Service properties at runtime instead of at build time. Some parameters are sensitive, such as a password, while others are not, such as the name of a Kafka topic. The Cloud function allows you to specify these parameters through Application Settings, either directly or mapped from Secrets.

Application Settings

Any parameter can be specified using the Application Settings of the Azure Function App. When configuring the Function App, in the Configuration blade, add an application setting whose name matches the name of a parameter in your Parameter Context.

Key Vault Secret

A more secure mechanism for storing sensitive data flow parameters and other sensitive Application Settings is to use a Key Vault Secret.

  1. Navigate to the Key Vaults Azure service and click the Create at the top-left.

  2. Select your Function App's resource group, and name the Key Vault. Select the same region as the Function App.

  3. Click Next : Access policy, and Add Access Policy.

  4. Under Secret permissions, select List and Get.

  5. Click the None selected link next to Select principal.

  6. Assuming you have created a Managed Identity for your Function App, enter the name of your Function App and select it on the right panel.

  7. Click Select > Add > Review + create > Create.

  8. Once the deployment is complete, click Go to resource.

    Here you can create any secrets to be referenced.

  9. Click the Secrets blade on the left, and the Generate/Import button at the top.

  10. Enter the name of the desired Application Setting.

    This does not have to match the actual name of the Application Setting or Parameter Context, and must follow the convention of only alphanumeric characters and dashes.

  11. Enter the value of the Application Setting, and click Create.

  12. Back in your Function App, create an Application Setting with the appropriate name (the Parameter name, or one of the supported Application Settings from the “Configuration of my Function App” section).

  13. Add the following value: @Microsoft.KeyVault(VaultName={vaultName};SecretName={secretName})

  14. Replace {vaultName} with the actual Key Vault name, and replace {secretName} with the name of the newly created secret.

  15. Click Save.

Azure will update your configuration and then attempt to link this Application Setting to the Key Vault Secret. To see this link, you can click the Refresh button. In the Source column, you should now see Key Vault Reference and a green check mark if the Function App successfully resolved the Secret. If there is a red X, there is likely an issue with either the permissions of the Function App's managed identity or maybe the vault or secret could not be found.