Mike

Reputation: 1170

Azure App Config, Key Vault & Managed Service Identity (.NET Core 3.1)

I have a simple app service set up to use/test Azure App Configuration

I've followed the sample application, so the CreateHostBuilder looks like:

using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
            webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
            {
                // Build the providers registered so far to read the App Configuration
                // connection string from app settings / environment variables.
                var settings = config.Build();
                config.AddAzureAppConfiguration(settings["ConnectionStrings:AppConfig"]);
            })
            .UseStartup<Startup>());

When deploying/running the app, the behavior is successful when there are no Azure App Config entries which point to KeyVault.

When I add an entry in Azure App Config which points to KeyVault, the app will not start (HTTP Error 500.30 - ANCM In-Process Start Failure), and the logs show this exception:

Exception Info: Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException: No key vault credential configured and no matching secret client could be found.. ErrorCode:, Key:TestConnectionString, Label:, Etag:6ezsqW96CsAet7Ym5H4DedsLTkI, SecretIdentifier:https://testkeyvault.vault.azure.net/secrets/TestSecret ---> System.UnauthorizedAccessException: No key vault credential configured and no matching secret client could be found.

It seems obvious that something isn't secured correctly, but I've checked many times and the Key Vault has an access policy granting Get/List of Secrets to the Azure App Config identity.

I've also tried the ConfigureKeyVault option in the host builder, i.e.

using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
            webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
            {
                var settings = config.Build();

                config.AddAzureAppConfiguration(options =>
                {
                    options.Connect(settings["ConnectionStrings:AppConfig"])
                           // Credential used by this process to resolve Key Vault references
                           .ConfigureKeyVault(kv =>
                           {
                               kv.SetCredential(new DefaultAzureCredential());
                           });
                });
            })
            .UseStartup<Startup>());

Is the Access Policy on the Key Vault granting Get/List of Secrets to the Azure App Config identity all that needs to be done, or have I missed something? (I've also tried granting an Access Policy to the app service, no luck).

Upvotes: 9

Views: 8215

Answers (2)

Karthikeyan VK

Reputation: 6016

For .NET 6.0, I did two NuGet package installations:

Microsoft.Extensions.Configuration.AzureAppConfiguration
Azure.Identity

Upvotes: 1

Abhilash Arora

Reputation: 277

For key vault references, the application needs to set up authentication to both App Configuration and Key Vault. The two services don't communicate directly, so App Configuration does not need any access permissions to the Key Vault. The code snippet with the usage of ConfigureKeyVault is correct. It specifies DefaultAzureCredential to be used to authenticate to Key Vault in order to resolve key vault references.

In order to allow your application hosted in Azure App Service to be able to access secrets from Key Vault, you can enable managed identity on the App Service and grant it GET and LIST permissions in Key Vault.

For the development environment, these instructions can be used to create a service principal, grant permissions and set up appropriate environment variables to be used by the DefaultAzureCredential.

Upvotes: 13
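A complete Program.cs that puts the two hops from the answer above together, added here as an example rather than code from the question or the answers. It assumes an app setting named AppConfig:Endpoint holding the App Configuration endpoint URL, an optional AppConfig:ManagedIdentityClientId for a user-assigned identity, and a managed identity on the App Service that has GET and LIST secret permissions on the vault; those setting names are assumptions, not from the page. Unlike the question's code it connects to App Configuration with the identity instead of a connection string, so no store access key has to sit in app settings, and the same credential resolves the Key Vault references.

```csharp
using System;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

// NuGet packages: Microsoft.Extensions.Configuration.AzureAppConfiguration, Azure.Identity
public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
                webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
                {
                    // Providers registered so far (appsettings.json, environment variables,
                    // App Service app settings) are built once to read the bootstrap values.
                    var settings = config.Build();

                    // One credential for both hops. On App Service DefaultAzureCredential uses
                    // the managed identity; on a dev box it falls back to the AZURE_CLIENT_ID /
                    // AZURE_TENANT_ID / AZURE_CLIENT_SECRET service-principal variables or a
                    // developer sign-in (Visual Studio, Azure CLI).
                    var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
                    {
                        // Assumed setting name; leave it unset for a system-assigned identity.
                        ManagedIdentityClientId = settings["AppConfig:ManagedIdentityClientId"]
                    });

                    config.AddAzureAppConfiguration(options =>
                    {
                        // Hop 1: App Configuration itself. Endpoint plus identity (the built-in
                        // "App Configuration Data Reader" role) instead of a connection string
                        // keeps the store's access key out of app settings.
                        // "AppConfig:Endpoint" is an assumed setting name.
                        options.Connect(new Uri(settings["AppConfig:Endpoint"]), credential)
                               // Hop 2: Key Vault references. App Configuration only stores the
                               // secret URI; this process fetches the secret, so the identity
                               // that needs GET/LIST on the vault is the app's, not App
                               // Configuration's.
                               .ConfigureKeyVault(kv => kv.SetCredential(credential));
                    });
                })
                .UseStartup<Startup>());
}

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services) { }

    public void Configure(IApplicationBuilder app)
    {
        // Deployment smoke check: report whether the Key Vault reference named in the
        // question resolved, without echoing the secret value itself.
        app.Run(async context =>
        {
            var resolved = !string.IsNullOrEmpty(_configuration["TestConnectionString"]);
            await context.Response.WriteAsync(resolved
                ? "Key Vault reference resolved"
                : "Key Vault reference missing");
        });
    }
}
```

If the identity lacks the vault permissions, AddAzureAppConfiguration throws KeyVaultReferenceException while the host is being built, which is exactly the startup failure (500.30) from the question; the smoke endpoint above is only reachable once both hops succeed.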
