If you follow my blog, it should not be a surprise that I use Managed Identity wherever possible, to avoid the need for passwords and secrets. Where a secret is unavoidable, it belongs in Azure Key Vault. Within App Service, you can make Key Vault secrets available as application settings or environment variables by using Key Vault references. Under the hood, the App Service must authenticate against the Key Vault with a Managed Identity. By default this is done with the System-Assigned identity of the app. This blog explains how you can achieve the same with a User-Assigned identity.
Configuration
This section explains all the steps that are needed to set this up with Bicep.
Create the User-Assigned identity
- Define a User-Assigned Identity in a simple way
```bicep
//User-Assigned Identity
resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
  name: identityName
  location: location
}
```
Create the App Service
- Create the App Service. Two important aspects are highlighted:
- The identity object links the previously created identity to the App Service
- The keyVaultReferenceIdentity property (the resource ID of the identity, not its principal ID) defines which identity must be used to fetch Key Vault references. Without it, App Service falls back to the System-Assigned identity, which this app does not have.
```bicep
//App Service
resource appService 'Microsoft.Web/sites@2021-01-01' = {
  name: appServiceName
  location: location
  identity: {
    // Attach only the User-Assigned identity; no System-Assigned identity is created
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    serverFarmId: appServicePlanId
    siteConfig: {
      // alwaysOn is not available on the free/shared tiers
      alwaysOn: (sku == 'F1' || sku == 'D1') ? null : true
      healthCheckPath: healthCheckPath
      httpLoggingEnabled: true
      // Route all outbound traffic through the integrated VNet; a network-restricted
      // Key Vault needs this for the references to resolve
      vnetRouteAllEnabled: true
    }
    // Resource ID of the identity that resolves the Key Vault references
    keyVaultReferenceIdentity: identity.id
    httpsOnly: true
  }
}
```
- The identity is now linked to the App Service
Grant the required access rights on the Key Vault
- The identity should get the Key Vault Secrets User role assigned on the Key Vault. This is the least-privileged built-in role for reading secret values (no keys, certificates or management operations). Note that the role only has effect when the vault uses the Azure RBAC permission model (enableRbacAuthorization: true); a vault on the legacy access policy model needs a secret "get" access policy for the identity's principal ID instead.
```bicep
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2018-09-01-preview' = {
  scope: keyVault
  // Deterministic name so redeployments are idempotent
  name: guid(keyVault.id, identity.properties.principalId, 'Key Vault Secrets User')
  properties: {
    // Built-in role: Key Vault Secrets User (4633458b-17de-408a-b874-0445c86b69e6)
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')
    principalId: identity.properties.principalId
    // Setting the type avoids "PrincipalNotFound" errors caused by replication lag
    // when the identity was created in the same deployment
    principalType: 'ServicePrincipal'
  }
}
```
- The result can be seen in the Azure Portal:
- Thanks to these configurations, you can now refer to Key Vault secrets from within your App Service using the Key Vault reference syntax (@Microsoft.KeyVault(SecretUri=...) or @Microsoft.KeyVault(VaultName=...;SecretName=...)) in the app settings. If a reference cannot be resolved, the app receives the literal reference string as the setting value instead of the secret, so check the resolution status in the portal after the first deployment.
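To show the whole procedure in one deployable unit, here is an added example (my own, not the code from the original post) that wires the identity, the role assignment, the App Service and an app setting carrying a Key Vault reference together. It assumes the Key Vault already exists, uses the RBAC permission model and holds a secret whose name is passed in as `secretName`; the parameter names, the setting name `ConnectionStrings__Default` and the explicit `dependsOn` are my choices, not something the post prescribes.

```bicep
// Added example: end-to-end Key Vault reference with a User-Assigned identity.
// Assumes an existing Key Vault on the RBAC permission model; all names are placeholders.
param location string = resourceGroup().location
param identityName string
param appServiceName string
param appServicePlanId string
param keyVaultName string
param secretName string = 'DbConnectionString'

// Built-in role: Key Vault Secrets User (read secret contents only)
var keyVaultSecretsUserRoleId = subscriptionResourceId(
  'Microsoft.Authorization/roleDefinitions',
  '4633458b-17de-408a-b874-0445c86b69e6'
)

resource keyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = {
  name: keyVaultName
}

resource identity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// The identity needs read access before the app starts; otherwise the first
// resolution fails and the setting keeps the literal '@Microsoft.KeyVault(...)' string.
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  scope: keyVault
  name: guid(keyVault.id, identity.id, keyVaultSecretsUserRoleId)
  properties: {
    roleDefinitionId: keyVaultSecretsUserRoleId
    principalId: identity.properties.principalId
    // Avoids PrincipalNotFound on an identity created in the same deployment
    principalType: 'ServicePrincipal'
  }
}

resource appService 'Microsoft.Web/sites@2022-09-01' = {
  name: appServiceName
  location: location
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${identity.id}': {}
    }
  }
  properties: {
    serverFarmId: appServicePlanId
    httpsOnly: true
    // Resource ID of the identity that resolves the references below
    keyVaultReferenceIdentity: identity.id
    siteConfig: {
      minTlsVersion: '1.2'
      ftpsState: 'Disabled'
      appSettings: [
        {
          // No version segment in the URI, so a rotated secret is picked up
          // on the next resolution without changing the template
          name: 'ConnectionStrings__Default'
          value: '@Microsoft.KeyVault(SecretUri=${keyVault.properties.vaultUri}secrets/${secretName}/)'
        }
      ]
    }
  }
  // Nothing in the site references the role assignment implicitly, so order it explicitly
  dependsOn: [
    roleAssignment
  ]
}

output identityPrincipalId string = identity.properties.principalId
```

The app setting is built from `keyVault.properties.vaultUri` rather than a hard-coded host, so the template cannot silently point at the wrong vault after a copy. The `dependsOn` is what makes the first start succeed: Bicep infers no ordering between the site and the role assignment otherwise, and App Service resolves references when the app starts. For a vault with firewall rules, the app additionally needs VNet integration with `vnetRouteAllEnabled` (as in the App Service above) and the subnet allowed on the vault.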
Conclusion
Key Vault references are extremely useful, because they don't require you to change the code base: the application reads an ordinary app setting, while the secret stays in Key Vault and the platform fetches it on the app's behalf. Next to that, my advice is to use User-Assigned identities instead of System-Assigned ones, because they represent a logical application rather than an individual service that might get deleted one day, and the role assignments on the vault survive a recreate of the App Service. This approach combines the two into a secure solution.
I hope you enjoyed this one!
Toon