niks

Reputation: 659

How to access Azure Key Vault with disabled public access from AppService?

I am trying to access key that is stored in Azure Key Vault from AppService.

  1. I have disabled Vault public access.
  2. I have enabled Managed Identity for my Azure App Service.
  3. I have granted that Managed Identity access to the Key Vault.
  4. I have checked 'Allow trusted Microsoft services to bypass this firewall' in the 'Firewalls and virtual networks' tab in Key Vault.

Both AppService and Vault are located under one subscription, one region, etc.

I was hoping that these steps (especially #4) would be sufficient to get the key, but I get the exception

"ArgumentException: Keyword not supported: '@microsoft.keyvault(secreturi'."

Is there a way to get the key from the Azure Key Vault (with disabled public access) from AppService without getting into private networks/endpoints, etc.?

Thanks!

Upvotes: 1

Views: 2547
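The message quoted in the question is the wording `DbConnectionStringBuilder` uses when it meets a keyword it does not know: the App Service Key Vault reference was never resolved, so the literal placeholder `@Microsoft.KeyVault(SecretUri=...)` reached a connection-string parser and the part before `=` was reported as the keyword. The following C# helper is an added example (not code from the question or from Azure) that recognises the two Key Vault reference syntaxes and fails fast with a message naming the vault/secret involved, so an unresolved reference is diagnosed at startup instead of surfacing as an unrelated parser error. Class and method names, and the sample values in `Demo`, are my own.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

// Added example: detect an App Service Key Vault reference that reached the
// application unresolved, instead of letting a downstream parser (for example
// SqlConnectionStringBuilder) report it as "Keyword not supported".
public static class KeyVaultReferenceCheck
{
    // Both documented reference shapes:
    //   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
    //   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
    private static readonly Regex Reference = new Regex(
        @"^\s*@Microsoft\.KeyVault\((?<body>[^)]*)\)\s*$",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // True when the value is still the raw reference placeholder rather than the secret.
    public static bool IsUnresolvedReference(string? value) =>
        value is not null && Reference.IsMatch(value);

    // Lists the fields inside the reference (SecretUri, or VaultName/SecretName/...) for logging.
    public static string Describe(string value)
    {
        var m = Reference.Match(value);
        if (!m.Success) return "not a Key Vault reference";

        var fields = new List<string>();
        foreach (var part in m.Groups["body"].Value.Split(';', StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = part.Split('=', 2);
            if (kv.Length == 2) fields.Add($"{kv[0].Trim()}={kv[1].Trim()}");
        }
        return fields.Count == 0 ? "empty reference" : string.Join(", ", fields);
    }

    // Returns the value when it is usable; throws a descriptive error otherwise.
    public static string Require(string settingName, string? value)
    {
        if (string.IsNullOrEmpty(value))
            throw new InvalidOperationException($"App setting '{settingName}' is missing.");

        if (IsUnresolvedReference(value))
            throw new InvalidOperationException(
                $"App setting '{settingName}' is an unresolved Key Vault reference ({Describe(value)}). " +
                "App Service could not fetch the secret: check the vault's network rules " +
                "and the managed identity's access to the secret.");

        return value;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample values, not taken from the question.
        var resolved   = "Server=tcp:example.database.windows.net;Database=app;Authentication=Active Directory Default";
        var unresolved = "@Microsoft.KeyVault(SecretUri=https://examplevault.vault.azure.net/secrets/SqlConnection/)";

        Console.WriteLine(KeyVaultReferenceCheck.IsUnresolvedReference(resolved));
        Console.WriteLine(KeyVaultReferenceCheck.IsUnresolvedReference(unresolved));
        Console.WriteLine(KeyVaultReferenceCheck.Describe(unresolved));

        try
        {
            KeyVaultReferenceCheck.Require("SqlConnection", unresolved);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine(ex.Message);
        }
    }
}
```

Calling `KeyVaultReferenceCheck.Require` on each setting that is backed by a Key Vault reference, before the value is handed to `SqlConnectionStringBuilder` or any other consumer, turns the opaque "Keyword not supported" failure into a log line that points at the vault access problem.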

Answers (1)

Harshitha

Reputation: 7367

As you have mentioned,

  • Even I have disabled the Key Vault public access.

  • Enabled Managed Identity and also granted Managed Identity access to the Key Vault.

Initially I got the below error, when I tried to fetch the Secrets from Key Vault locally.


AFAIK, '@microsoft.keyvault(secreturi...)' works only in the deployed Azure App Service => Configuration.

Check the below workaround to retrieve the secret from Key Vault by adding the Key Vault reference in the Configuration section.

In App Service, select the user-created Managed Identity.

My appsettings.json file:

{
  "Logging": {
    "LogLevel": {
      "Default": "Information",
      "Microsoft.AspNetCore": "Warning"
    }
  },
  "AllowedHosts": "*",
  "KeyVaultName": "harshukv18july",
  "SecretKV": "DummyValue"
}

Program.cs file:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

// Load the vault's secrets into IConfiguration; the vault name comes from appsettings.json.
// DefaultAzureCredential uses the App Service managed identity when deployed
// and a developer login (Azure CLI, Visual Studio, ...) when run locally.
builder.Configuration.AddAzureKeyVault(
      new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/"),
      new DefaultAzureCredential());

// Razor Pages is assumed here because the secret is displayed from a .cshtml page below.
builder.Services.AddRazorPages();

var app = builder.Build();
app.MapRazorPages();
app.Run();

After deploying the App, add the new Application Setting with the same name as in appsettings.json (secret name - SecretKV).


Here my secret name is SecretKV, so I added the same Application Setting in Azure App Service.

Use the below code to fetch the secret value from Azure KeyVault in .NET Core.

.csproj file:

<ItemGroup>
  <PackageReference Include="Azure.Identity" Version="1.9.0" />
  <PackageReference Include="Azure.Extensions.AspNetCore.Configuration.Secrets" Version="1.2.2" />
  <PackageReference Include="Azure.Security.KeyVault.Secrets" Version="4.5.0" />
</ItemGroup>

In .cshtml, add the below lines to display the secret.

@inject Microsoft.Extensions.Configuration.IConfiguration myconfig
<h2>Secret with KeyVault Reference - @myconfig["SecretKV"]</h2>

The above configuration works only when deployed in App Service by enabling Public Access or by creating the Private endpoint.

Another option is selecting the below.

  • You need to add the Virtual Network and Client IP for the specified users.


To get the secret locally, refer to this SO thread, when public access to the Key Vault is enabled.

Upvotes: 1
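The answer loads secrets through the configuration provider, where a vault that rejects the caller fails at startup with little context. As an added example, not the answer's own code, the minimal app below reads one secret directly with `SecretClient` and exposes a `/health/keyvault` endpoint that reports whether the fetch failed because of the vault's network rules or because the identity lacks permission, without echoing the secret. It assumes the `KeyVaultName` setting from the answer plus a `SecretName` setting of my own (defaulting to `SecretKV`), and it assumes that Key Vault's network-rule rejection carries the inner error code `ForbiddenByFirewall` in the response body, which the Azure SDK includes in `RequestFailedException.Message`.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example: probe Key Vault access from the running App Service and explain failures.
var builder = WebApplication.CreateBuilder(args);

// KeyVaultName is the setting used in the answer; SecretName is an assumed extra setting.
var vaultName  = builder.Configuration["KeyVaultName"]
                 ?? throw new InvalidOperationException("KeyVaultName is not configured");
var secretName = builder.Configuration["SecretName"] ?? "SecretKV";

// One shared client. DefaultAzureCredential resolves to the App Service managed identity
// in Azure and to a developer login when running locally.
builder.Services.AddSingleton(new SecretClient(
    new Uri($"https://{vaultName}.vault.azure.net/"),
    new DefaultAzureCredential()));

var app = builder.Build();

// Reports only the outcome and a reason, never the secret value.
app.MapGet("/health/keyvault", async (SecretClient client) =>
{
    var outcome = await KeyVaultProbe.TryGetAsync(client, secretName);
    return outcome.Ok
        ? Results.Ok(new { status = "ok", secret = secretName })
        : Results.Json(new { status = "failed", secret = secretName, reason = outcome.Reason },
                       statusCode: 503);
});

app.Run();

public static class KeyVaultProbe
{
    public sealed record Outcome(bool Ok, string Reason);

    public static async Task<Outcome> TryGetAsync(SecretClient client, string name)
    {
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(name);
            return new Outcome(secret.Value.Length > 0, "");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Key Vault answers 403 both when its firewall rejects the caller and when the
            // caller is authenticated but not authorised; the inner error code tells them apart
            // (assumed: "ForbiddenByFirewall" marks a network-rule rejection).
            var reason = ex.Message.Contains("ForbiddenByFirewall", StringComparison.OrdinalIgnoreCase)
                ? "vault network rules reject this caller (public access disabled and caller not allowed)"
                : "identity is not authorised for this secret (check access policy / RBAC assignment)";
            return new Outcome(false, $"{reason}; error code {ex.ErrorCode}");
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return new Outcome(false, $"secret '{name}' was not found in the vault");
        }
        catch (AuthenticationFailedException ex)
        {
            // No credential could obtain a token at all (no managed identity, no local login).
            return new Outcome(false, $"no usable credential: {ex.Message}");
        }
    }
}
```

Hitting the endpoint from the deployed app separates the three cases the thread mixes together: a 403 with the firewall code means the vault's network configuration (public access, allowed IPs, private endpoint, VNet integration) is the thing to fix, a plain 403 means the managed identity's permission on the secret is missing, and an authentication failure means the identity itself was never picked up.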
