John Hogan

Reputation: 1036

Azure key vault. How to set which web app uses what key vault?

I have several versions of the same web app running on the same subscription service.

I have 2 logical environments. Dev and UAT. I have WebAppDev and WebAppUAT.

I have two key vaults KVDev and KVUAT. How can I configure the correct web app to use the correct key vault?

What process assigns the web apps to key vaults?

Edit: I had assumed that the key vault would act like the secrets do when developing.

This tutorial seems to suggest that the key vault can be used as a configuration provider. However, the web app is not accessing the key vault values.

Upvotes: 1

Views: 600

Answers (3)

John Hogan

Reputation: 1036

  1. Get the Object ID from the identity blade of the web app.

  2. Find your Azure key vault and create a new access policy using the Object ID of the web app.

    Alternatively use the following in Azure PowerShell, filling in the vault name and the web app's Object ID:

    Set-AzKeyVaultAccessPolicy -VaultName "<VaultName>" -ObjectId "<WebAppObjectId>" -PermissionsToKeys backup,create,delete,get,import,list,restore -PermissionsToSecrets get,list,backup,restore,recover

  3. Follow this tutorial and copy the contents of the Program.cs in the sample code.

Upvotes: 4

Alex KeySmith

Reputation: 17091

Taking a different angle, the current questions and comments tackle the authentication to KeyVault.

However, it sounds like a more fundamental problem and that you need to vary your configuration per environment.

i.e. WebAppDev needs to be configured to use a KVDev URL and WebAppUAT needs to use KVUAT URL.

Assuming you are using App Service Plans, this documentation provides a mechanism to store environment-specific configuration, along with guidance on how to use it from your programming language of choice; you will need to refer to the Application Specific configuration section.

https://learn.microsoft.com/en-us/azure/app-service/configure-common

Configuring in the portal will get you so far, but over time you will likely wish to contain the configuration in a release management pipeline so you don't need to configure things by hand. Azure DevOps Pipeline is one such tool for this:

https://learn.microsoft.com/en-us/azure/devops/pipelines/get-started/?toc=%2Fazure%2Fdevops%2Fpipelines%2Ftoc.json&bc=%2Fazure%2Fdevops%2Fboards%2Fpipelines%2Fbreadcrumb%2Ftoc.json&view=azure-devops

To get you started there is a specific deployment task which can aid in setting configuration for App Service Plans: https://learn.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-rm-web-app-deployment?view=azure-devops

Over time I'd suggest that, rather than splitting configuration between a release pipeline and source control, configuration which doesn't require deployment-time modification should instead stay source-controlled in ARM templates, but that is an answer in its own right so I won't confuse matters with too much detail.

Upvotes: 3
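Putting the two answers above together, here is an added example in Azure PowerShell (not code from the question, from either answer, or from the linked tutorial) that wires each web app to its own vault: it enables the system-assigned managed identity on each web app, grants that identity only get and list on secrets in the matching vault, and stores that vault's URI in an environment-specific app setting so the same build artifact works in Dev and UAT. The resource group name, the app setting name KeyVaultUri, and an existing Connect-AzAccount session with the Az.Websites and Az.KeyVault modules loaded are assumptions.

```powershell
# Added example, not part of the original question or answers.
# Assumes: Connect-AzAccount already run; Az.Websites and Az.KeyVault modules available.
$resourceGroup = 'rg-example'   # assumed resource group holding both web apps

# One row per logical environment: which web app talks to which vault.
$mappings = @(
    @{ WebApp = 'WebAppDev'; KeyVault = 'KVDev' },
    @{ WebApp = 'WebAppUAT'; KeyVault = 'KVUAT' }
)

foreach ($target in $mappings) {
    # 1. Enable the system-assigned managed identity. The returned site object
    #    carries the identity's object (principal) ID, so no portal lookup is needed.
    $site = Set-AzWebApp -ResourceGroupName $resourceGroup -Name $target.WebApp -AssignIdentity $true
    $principalId = $site.Identity.PrincipalId

    # 2. Least privilege: a configuration provider only reads secrets, so grant
    #    get + list on secrets and nothing on keys or certificates.
    Set-AzKeyVaultAccessPolicy -VaultName $target.KeyVault -ObjectId $principalId -PermissionsToSecrets get,list

    # 3. Tell the app which vault to use via an app setting. Set-AzWebApp -AppSettings
    #    replaces the whole collection, so merge with the current settings first
    #    instead of silently dropping everything else.
    $vaultUri = (Get-AzKeyVault -VaultName $target.KeyVault).VaultUri
    $current  = Get-AzWebApp -ResourceGroupName $resourceGroup -Name $target.WebApp
    $settings = @{}
    foreach ($pair in $current.SiteConfig.AppSettings) { $settings[$pair.Name] = $pair.Value }
    $settings['KeyVaultUri'] = $vaultUri   # assumed setting name read by the app
    Set-AzWebApp -ResourceGroupName $resourceGroup -Name $target.WebApp -AppSettings $settings | Out-Null

    Write-Host "$($target.WebApp) -> $vaultUri (identity $principalId)"
}

# Verification: each vault should list only the identity of the web app it serves,
# with secret permissions limited to get and list.
foreach ($target in $mappings) {
    Write-Host "Access policies on $($target.KeyVault):"
    (Get-AzKeyVault -VaultName $target.KeyVault).AccessPolicies |
        Select-Object ObjectId, PermissionsToSecrets | Format-Table -AutoSize
}
```

In the application, the KeyVaultUri setting arrives as ordinary configuration (an environment variable on App Service), and it is the value you hand to the Key Vault configuration provider together with the managed-identity credential; nothing about the vault is baked into the code. Two caveats: if a vault was created with the Azure RBAC permission model instead of access policies, Set-AzKeyVaultAccessPolicy has no effect and you assign the built-in "Key Vault Secrets User" role to the same principal ID with New-AzRoleAssignment instead; and a newly enabled identity can take a short time to propagate in Azure AD, so a failed policy assignment immediately after step 1 is usually fixed by rerunning it.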

Jack Jia

Reputation: 5559

If you want to access Azure Key Vault programmatically with the SDK or REST API, then it would not be a problem, because different key vaults have different DNS names. When you try to retrieve a secret or key in your code, you need to use its identifier URL, which contains its key vault's DNS name, so it will finally find the target key vault.

If you want to use Key Vault in a web app with managed identity, you may refer to the tutorial: Use Azure Key Vault with an Azure web app in .NET

In that tutorial, you will enable the identity of a web app, and then you can assign an access policy to that identity. In this way, the web app will be able to access the key vault with its managed identity.

Upvotes: 2
