Reputation: 127
I am using Identity server to handle logins in my app hosted in MS Azure. I am using Azure key vault to store my certificates. When I am trying to obtain certificates from Azure Key Vault on local machine, everything works fine, but after deploying to the server, I am getting the error described below.
I have followed this tutorial: https://damienbod.com/2020/04/09/using-certificates-from-azure-key-vault-in-asp-net-core/
I have created Azure AD and registered my app into it. Also I have created Azure Key Vault, added my app into Key Vault access principles and inside my app service I have allowed identity assigned by the system.
When I deployed this app on the server I am getting this error
In the key vault I allowed all permissions for this app
Is there some more setting, which needs to be done before deploying?
Thanks.
Upvotes: 0
Views: 618
Reputation: 42063
After you enable the system-assigned identity for your app service, you also need to add it to the Access policies of the keyvault with the correct certificate permission (just navigate to the Access policies, search for the web app name and add it).
The sample you provided uses the AzureServiceTokenProvider; when you deploy your code to app service, it should use the system-assigned identity to access the keyvault in your case.
To let this work, you also need to specify the AzureServicesAuthConnectionString environment variable in your app service with RunAs=App, see this link.
Upvotes: 1
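The setup described in the answer above, as an added C# sketch that is not code from the question, the answer or the linked tutorial. It assumes the Microsoft.Azure.Services.AppAuthentication and Microsoft.Azure.KeyVault packages; the class name, vault URL and certificate name are hypothetical, and the use of `MachineKeySet` on App Service is an assumption.

```csharp
using System;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;

// Hypothetical helper: loads a Key Vault certificate (with private key) via managed identity.
public static class KeyVaultCertificateLoader
{
    // vaultBaseUrl, e.g. "https://<your-vault>.vault.azure.net/" (placeholder).
    public static async Task<X509Certificate2> LoadAsync(string vaultBaseUrl, string certificateName)
    {
        // With no argument, the provider reads the AzureServicesAuthConnectionString
        // environment variable. Set it to "RunAs=App" in the App Service settings so the
        // system-assigned identity is used instead of developer credentials.
        var tokenProvider = new AzureServiceTokenProvider();

        using (var client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback)))
        {
            try
            {
                // The private key is exposed through the secret of the same name, so the
                // identity needs "get" on secrets. "All permissions" is not required.
                SecretBundle secret = await client.GetSecretAsync(vaultBaseUrl, certificateName);

                if (secret.ContentType != "application/x-pkcs12")
                    throw new InvalidOperationException(
                        $"Expected a PFX secret, got content type '{secret.ContentType}'.");

                byte[] pfx = Convert.FromBase64String(secret.Value);

                // Assumption: MachineKeySet avoids depending on a loaded user profile,
                // which may be absent on the deployed server.
                return new X509Certificate2(pfx, (string)null, X509KeyStorageFlags.MachineKeySet);
            }
            catch (KeyVaultErrorException ex)
                when (ex.Response?.StatusCode == HttpStatusCode.Forbidden)
            {
                // 403: a token was issued, but the vault's access policy does not list this identity.
                throw new InvalidOperationException(
                    "Key Vault denied access. Add the app's system-assigned identity to the " +
                    "vault's access policies with Get on secrets and certificates.", ex);
            }
        }
    }
}
```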