How can access secrets like app-settings and connection-strings in web.config, from Azure key Vault using a Web-app hosted at on-premise IIS

Question

Steps I have followed:

• Created Azure Cloud vault.
• Added dependencies to project Using Connected service option in VS2019 along with needed packages and configuration.
• Added the ConfigBuilder into Web.config
  • Applied ConfigBuilders to appsettings <configBuilders><builders><add name="AzureKeyVault" ... omitted
  • <appSettings configBuilders="AzureKeyVault">
• Added permissions for my user into access policies to Azure Key Vault

Now it is working fine in my local VS2019 iis-express but When I deployed it on-premise iis server it is not working.

I feel it might be happening due to the access policy restrictions on Key Vault. Now I'm not sure how it will work with on-premise IIS web app.

Answer 1

I assume that you are using the DefaultCredentials Auth code. When you are accessing the Key Vault in VS2019, it uses your Azure credentials. When you deploy to IIS, you don't have an MSI nor any Azure credentials, so it needs an explicit Application Id/Client Secret.

Edit: AKV requires certificate auth to make this work: https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-5.0#use-application-id-and-x509-certificate-for-non-azure-hosted-apps