Azure web app and managed identity to access key vault

In the last article, we created a .NET Core web application and accessed the secrets stored in Azure Key Vault. We also saw how to allow Visual Studio to access the key vault.

In this article, let's publish the web application as an Azure App Service. The app service then needs a managed identity to authenticate itself with the Azure key vault. So, we will create a system-assigned managed identity for the app service and add a key vault access policy that grants it access.

Publish Web App

Create a .NET Core web application (MVC) using Visual Studio. Add the configuration so that it can read from the Azure key vault. Refer to this article for the detailed steps.

Make sure that the storage account details are not present in appsettings.json.

Access the Web App

Create an Azure App Service instance and then publish the web app from Visual Studio. Refer to this article for the detailed steps.

So, what you now have is a .NET Core MVC web application published as an Azure App Service.

If you try to access the app service you just published using the URL https://<app-service>.azurewebsites.net, you will get the error below:

HTTP Error 500.30 - ANCM In-Process start failure

This happens because we registered the key vault configuration provider while creating the IHostBuilder instance in Program.cs.

This code reaches out to the key vault and tries to load all the configuration from there. The key vault cannot authenticate the identity of the app service, so the application crashes during startup, resulting in the output above.
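As an added example (not the article's own code), here is a Program.cs for the .NET Core generic host that registers the key vault configuration provider inside CreateHostBuilder. It assumes the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets NuGet packages, a Startup class, and a KeyVault:Name entry in appsettings.json; DefaultAzureCredential picks up the system-assigned managed identity when running in the app service and the Visual Studio credential when running locally.

```csharp
// Program.cs - added example, not the article's own code.
// Assumed: Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets
// packages, a Startup class, and "KeyVault:Name" in appsettings.json.
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // Only the vault *name* lives in appsettings.json; the storage
                // account name, container and key stay in the key vault.
                var settings = config.Build();
                var vaultName = settings["KeyVault:Name"];
                if (string.IsNullOrWhiteSpace(vaultName))
                {
                    // Fail closed with a clear message instead of a bare 500.30.
                    throw new InvalidOperationException("KeyVault:Name is not configured.");
                }

                // DefaultAzureCredential tries environment variables, then the
                // managed identity (the App Service's system-assigned identity),
                // then Visual Studio and Azure CLI credentials, so the same code
                // runs locally and in Azure with no credential stored in the app.
                // If the identity has no access policy on the vault, this provider
                // throws during startup, which is the ANCM 500.30 error shown above.
                config.AddAzureKeyVault(
                    new Uri($"https://{vaultName}.vault.azure.net/"),
                    new DefaultAzureCredential());
            })
            .ConfigureWebHostDefaults(webBuilder => webBuilder.UseStartup<Startup>());
}
```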

Create Managed Identity

To authenticate the Azure web app with the key vault, let's use a system-assigned managed identity.

Log in to the Azure portal and go to the app service that was created for this demo. Then select Identity from the left navigation.

Under the System assigned tab, toggle the Status field to On as shown below. This should show a GUID and a button below it. Then click the Save button to save the newly generated identity.

So, we have just asked the system to generate a managed identity for our app service.

Create Managed Identity for Azure app service using Azure portal

Using Azure CLI

You can create a system-assigned managed identity for the app service using the command below:

## Create system-assigned managed identity
az webapp identity assign --name azureappservicename --resource-group myResourceGroup
## Output of the above command is as below.
## {
## "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
## "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
## "type": "SystemAssigned"
## }
##
## principalId is required for setting the access policy through the CLI

Key Vault Access Policy

The managed identity has been generated, but it has not been granted access to the key vault yet. So, in the Azure portal, go to the key vault that the app service is supposed to access.

Under Settings, select the Access policies option from the left navigation and then click Add access policy. On the new panel, select two permissions, Get and List, for each of the Key permissions, Secret permissions and Certificate permissions inputs.

Assign permissions to the key vault access policy

Then click Select principal, which opens a new panel on the right side. On this panel, search for the name of the app service you created for this demo. Select the app service and then click the Select button.

Select Principal for Key vault access policy

Then click the Add button to add the access policy. This closes the Add access policy panel. Then click the Save button on the Access policies panel.

Using Azure CLI

The command below can be used to set the access policy on the key vault. Note that the PrincipalId input is taken from the output of the command that generated the managed identity for the app service.

## key vault name should be updated
## PrincipalId is from the output of the command that generated the system-assigned identity for the web app
az keyvault set-policy --name myKeyVault --object-id <PrincipalId> --secret-permissions get list

Now, all the configuration has been set up to allow the app service to access the key vault.

Run and Verify

If the app service is accessed again, it should show the upload file page as shown below. If a file is uploaded, the application is able to read the storage account name, blob container and key from the key vault, so the file is uploaded to the blob container.

.NET Core application able to access key vault now

I hope this article has provided you some information on how to use system-assigned managed identities. Let me know your thoughts.