Reputation: 4434
I have a private certificate that was generated by azure for a web app for linux containers. I want to pass this value to my .net core app via the web app configuration settings in the azure portal. This is part of a pipeline CI-CD process and the ability to specify Identity Server key values in app configuration helps to keep those values out of the source code.
I keep getting the following error by the setting
❌Key vault Reference
I am trying to use the secret value in the format suggested by the Microsoft docs here. I have tried the following formats:
@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID)
@Microsoft.KeyVault(VaultName=myvault;SecretName=myCertName;SecretVersion=versionGUID)
ALSO, I have added the web app to the access policies of the azure key vault
There was a format error and I had the wrong secret name so the following format worked:
@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID)
However I ran into a new error:
Key Vault reference was not able to be resolved because site Managed Identity not enabled MSINotEnabled
SO I went to the identity tab of the web app and turned on managed identity for the app.
I am now stuck with the following error:
Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.
I found multiple sites that said if you just deleted the setting, saved, and then add the setting back it should resolve. This DID NOT work for me.
I also tried granting "Full access" to the web app in the azure key vault access policies.
Upvotes: 20
Views: 47547
Reputation: 1080
In my case, I was referencing a secret without version, like this:
@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/)
But it has to be without the trailing slash, so like this:
@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName)
At the time of writing, it is also wrongly documented in the Azure docs. I proposed https://github.com/MicrosoftDocs/azure-docs/pull/124163 in order to solve it.
Upvotes: 0
Reputation: 1095
As of azurerm terraform provider version 3.100.0, don't forget to set the attribute key_vault_reference_identity_id:
resource "azurerm_windows_web_app" "main" {
  key_vault_reference_identity_id = azurerm_user_assigned_identity.main.id
  app_settings = {
    "MySecretSetting" = "@Microsoft.KeyVault(VaultName=${local.vault_name};SecretName=${local.secret_name})"
  }
  identity {
    type         = "UserAssigned"
    identity_ids = [azurerm_user_assigned_identity.main.id]
  }
}
Upvotes: 2
Reputation: 93
If it is a user-managed identity, we need to do a patch to make this work:
userAssignedIdentityResourceId=$(az identity show -g MyResourceGroupName -n MyUserAssignedIdentityName --query id -o tsv)
appResourceId=$(az webapp show -g MyResourceGroupName -n MyAppName --query id -o tsv)
az rest --method PATCH --uri "${appResourceId}?api-version=2021-01-01" --body "{'properties':{'keyVaultReferenceIdentity':'${userAssignedIdentityResourceId}'}}"
Upvotes: 3
Reputation: 6962
I am facing the same issue while creating resources through terraform.
I have added a key vault access policy for azure function app as well and the issue is gone.
The below part is only for those who are doing terraform.
My config looked like this:
resource "azurerm_key_vault_access_policy" "resource_group_manager" {
  key_vault_id       = module.key_vault_info.key_vault_id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azuread_group.manager.id
  key_permissions    = ["Get", "List", "Create", "Update", "Delete"]
  secret_permissions = ["Get", "List", "Set", "Delete"]
}
I have added a key vault access policy only for the azure resource group but not for the azure function.
To resolve that, I have added a key vault access policy for the azure function app as well, like below:
resource "azurerm_key_vault_access_policy" "resource_group_manager" {
  key_vault_id       = module.key_vault_info.key_vault_id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = data.azuread_group.manager.id
  key_permissions    = ["Get", "List", "Create", "Update", "Delete"]
  secret_permissions = ["Get", "List", "Set", "Delete"]
}
resource "azurerm_key_vault_access_policy" "this" {
  key_vault_id       = module.key_vault_info.key_vault_id
  tenant_id          = data.azurerm_client_config.current.tenant_id
  object_id          = azurerm_function_app.this.identity.0.principal_id
  key_permissions    = ["Get", "List", "Create", "Update", "Delete"]
  secret_permissions = ["Get", "List", "Set", "Delete"]
}
Upvotes: 0
Reputation: 96
Your app should be able to reach the Key Vault to resolve a reference successfully. If everything else, e.g., access policies and syntax, appears to be in order and yet your references don't resolve, try checking if your Key Vault has any network restriction.
If you see the warning related to the 'network access control' on your Vault's Access policies settings page, you need to allow your app's IP through the Key Vault firewall.
Add your app’s IP (available under Custom domains) to your Key Vault’s firewall (under Networking).
Upvotes: 8
Reputation: 42063
Firstly, the reference format @Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID) is wrong, it should be @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/myCertName/versionGUID).
Secondly, I don't think you granted the permission for the MSI of your web app correctly.
From the description in your original post:
ALSO, I have added the web app to the access policies of the azure key vault
Then in your EDIT 1:
SO I went to the identity tab of the web app and turned on managed identity for the app.
Obviously the order is wrong; if you didn't enable the MSI of the app before, how could you add it to the access policy? I suppose you may have added the wrong one.
So in your case, make sure you have added the MSI of the web app to the access policy correctly.
1. Navigate to the web app -> Identity -> copy the Object ID (also make sure you are using system-assigned MSI; the user-assigned MSI is not supported in the keyvault reference feature).
2. Then in the Access policies of the keyvault -> Add Access Policy -> search for the Object ID from step 1 and add it with the Get Secret permission like below -> select and save.
3. Navigate to the app and check it; it works fine.
Upvotes: 34
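Several of the failures in this thread are pure syntax problems that App Service only reports after deployment: the bare-URL form without SecretUri= (accepted answer above) and the trailing slash after the secret name (the earlier answer about the versionless reference). The following is an added example, not code from the original question or answers, of a small Python lint that a CI/CD stage can run over the app settings it is about to push, so that a malformed reference is caught before it ever reaches the portal. It encodes only the two reference shapes from the App Service docs; the vault, secret and version naming rules are the generic Key Vault ones, and the sample settings at the bottom are constructed, not taken from any real deployment.

```python
import re
from urllib.parse import urlparse

# Reference syntax accepted by App Service (per the Key Vault references docs):
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
PREFIX = "@Microsoft.KeyVault("
VAULT_SUFFIX = ".vault.azure.net"
VAULT_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]{1,22}[A-Za-z0-9]$")  # 3-24 chars, letter first
NAME_RE = re.compile(r"^[A-Za-z0-9-]{1,127}$")                     # Key Vault object-name rules
VERSION_RE = re.compile(r"^[0-9a-f]{32}$")                          # Key Vault version identifiers


def _build(vault, secret, version):
    """Validate the three components and return them as a dict (version may be None)."""
    if not VAULT_RE.match(vault):
        raise ValueError(f"invalid vault name {vault!r}")
    if not NAME_RE.match(secret):
        raise ValueError(f"invalid secret name {secret!r}")
    if version is not None and not VERSION_RE.match(version):
        raise ValueError(f"invalid secret version {version!r} (expected 32 hex chars)")
    return {"vault": vault, "secret": secret, "version": version}


def _parse_secret_uri(uri):
    """Parse the SecretUri= form; rejects the trailing-slash variant that never resolves."""
    if uri.endswith("/"):
        raise ValueError("trailing slash after the secret name; drop it")
    u = urlparse(uri)
    host = (u.hostname or "").lower()
    if u.scheme != "https" or not host.endswith(VAULT_SUFFIX):
        raise ValueError("SecretUri must be https://<vault>.vault.azure.net/...")
    segs = u.path.strip("/").split("/")
    if len(segs) not in (2, 3) or segs[0] != "secrets" or not segs[1]:
        raise ValueError("SecretUri path must be /secrets/<name>[/<version>]")
    return _build(host[: -len(VAULT_SUFFIX)], segs[1], segs[2] if len(segs) == 3 else None)


def parse_reference(value):
    """Parse one app-setting value; return {'vault','secret','version'} or raise ValueError."""
    if not (value.startswith(PREFIX) and value.endswith(")")):
        raise ValueError("value must be wrapped as @Microsoft.KeyVault(...)")
    inner = value[len(PREFIX):-1].strip()
    if inner.lower().startswith("https://"):
        raise ValueError("bare URL inside the parentheses; prefix it with SecretUri=")
    parts = {}
    for item in inner.split(";"):
        if "=" not in item:
            raise ValueError(f"malformed component {item!r}")
        key, val = item.split("=", 1)
        parts[key.strip()] = val.strip()
    if "SecretUri" in parts:
        if len(parts) != 1:
            raise ValueError("SecretUri cannot be combined with other components")
        return _parse_secret_uri(parts["SecretUri"])
    allowed = {"VaultName", "SecretName", "SecretVersion"}
    if set(parts) - allowed or not {"VaultName", "SecretName"} <= set(parts):
        raise ValueError("expected VaultName=...;SecretName=...[;SecretVersion=...]")
    return _build(parts["VaultName"], parts["SecretName"], parts.get("SecretVersion"))


def lint_app_settings(settings):
    """Return {setting_name: reason} for every value that looks like a reference but is malformed."""
    problems = {}
    for name, value in settings.items():
        if not value.startswith("@Microsoft.KeyVault"):
            continue  # ordinary setting, nothing to check
        try:
            parse_reference(value)
        except ValueError as exc:
            problems[name] = str(exc)
    return problems


# Constructed sample app settings (not from any real deployment), mirroring the thread's variants.
SAMPLE_SETTINGS = {
    "IdentityServer__Key": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/myCertName/0123456789abcdef0123456789abcdef)",
    "MySecretSetting": "@Microsoft.KeyVault(VaultName=myvault;SecretName=myCertName)",
    "BareUrl": "@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID)",
    "TrailingSlash": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/myCertName/)",
    "PlainValue": "not-a-reference",
}

if __name__ == "__main__":
    for name, reason in lint_app_settings(SAMPLE_SETTINGS).items():
        print(f"{name}: {reason}")
```

Run against the sample, the lint reports only BareUrl and TrailingSlash; the two documented forms pass. A syntax pass is necessary but not sufficient: the identity and access-policy problems later in the thread only show up once the reference is resolved in App Service, so this check belongs before deployment, not instead of checking the reference status afterwards.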