Azure App Service Key Vault Integration
Securely manage secrets, keys, and certificates for your Azure App Service applications by integrating with Azure Key Vault. This integration allows you to store sensitive information outside your application code, enhancing security and simplifying management.
Why Integrate with Key Vault?
- Centralized Secret Management: Store all your secrets in one place.
- Enhanced Security: Protect sensitive data like connection strings, API keys, and passwords.
- Access Control: Define granular access policies for who can access your secrets.
- Key Rotation: Easily rotate keys and secrets without redeploying your application.
- Auditing: Track all access and usage of your secrets.
Steps for Integration
1. Create an Azure Key Vault
If you don't already have one, create an Azure Key Vault in the Azure portal. Ensure it's in the same region or a region accessible by your App Service.
Tip: When creating a Key Vault, consider enabling soft-delete and purge protection to safeguard against accidental or malicious deletion of secrets.
2. Add Secrets to Key Vault
Navigate to your Key Vault in the Azure portal and add the secrets you need. For example, you might add a database connection string or an API key.
Each secret is stored as a key-value pair. You can also store certificates and cryptographic keys.
3. Configure App Service Identity
For your App Service to access Key Vault, it needs an identity. You can use either a System-assigned managed identity or a User-assigned managed identity.
System-Assigned Managed Identity:
Enable the system-assigned managed identity for your App Service in the "Identity" section of the Azure portal.
# Example using Azure CLI to enable system-assigned identity
az webapp identity assign --resource-group <your-resource-group> --name <your-app-service-name>
User-Assigned Managed Identity:
Create a user-assigned managed identity and then assign it to your App Service. This is useful if you need to share the same identity across multiple resources.
4. Grant Access to Key Vault
Once your App Service has an identity, you need to grant it permissions to access secrets in your Key Vault.
- Go to your Key Vault in the Azure portal.
- Under "Settings", select "Access policies".
- Click "Create" or "Add Access Policy".
- Under "Secret permissions", select the permissions your application needs (e.g., Get, List).
- Under "Select principal", search for and select the managed identity of your App Service.
- Click "Next" and then "Create".
Note: Azure Key Vault offers two access models: Vault access policy and Azure role-based access control (RBAC). For simpler scenarios, Vault access policy is often sufficient. For more complex control, consider RBAC.
5. Access Secrets from Your App Service
Your application code can now retrieve secrets from Key Vault using the managed identity.
Using Azure SDK (Recommended):
The Azure SDKs provide convenient ways to interact with Key Vault. Libraries are available for various languages (.NET, Java, Python, Node.js).
Example (C# with Azure.Security.KeyVault.Secrets):
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var keyVaultUri = new Uri("https://your-keyvault-name.vault.azure.net/");
// DefaultAzureCredential picks up the App Service managed identity at runtime
// (and a developer login locally), so no credential is embedded in code or config.
var secretClient = new SecretClient(keyVaultUri, new DefaultAzureCredential());

try
{
    KeyVaultSecret secret = secretClient.GetSecret("YourSecretName");
    string secretValue = secret.Value;
    // Use secretValue in your application; log the secret's name, never its value
    Console.WriteLine($"Successfully retrieved secret: {secret.Name}");
}
catch (Exception ex)
{
    Console.WriteLine($"Error retrieving secret: {ex.Message}");
}
Example (Python with azure-keyvault-secrets):
from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

key_vault_name = "your-keyvault-name"
secret_name = "YourSecretName"
key_vault_uri = f"https://{key_vault_name}.vault.azure.net"

# DefaultAzureCredential uses the App Service managed identity when deployed
# (and a developer login locally), so no credential is embedded in code or config.
credential = DefaultAzureCredential()
secret_client = SecretClient(vault_url=key_vault_uri, credential=credential)

try:
    secret = secret_client.get_secret(secret_name)
    secret_value = secret.value
    # Use secret_value in your application; log the secret's name, never its value
    print(f"Successfully retrieved secret: {secret.name}")
except Exception as ex:
    print(f"Error retrieving secret: {ex}")
Reference Secrets in App Service Configuration:
You can also reference Key Vault secrets directly in your App Service's application settings. This is particularly useful for configuration values.
In the Azure portal, go to your App Service -> Configuration -> Application settings. Add a new setting:
- Name: e.g., MyDatabaseConnectionString
- Value: @Microsoft.KeyVault(SecretUri=https://your-keyvault-name.vault.azure.net/secrets/YourSecretName/your-secret-version)
Note: You can omit the /your-secret-version segment to always retrieve the latest version of the secret.
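The reference syntax above is easy to get subtly wrong, and a mistyped reference silently leaves the literal string in the setting. The following added example (not code from the original page or from Azure) parses both forms of a Key Vault reference, rejects references that do not point at a vault.azure.net endpoint, flags references pinned to a specific version (which will not pick up a rotated secret until the reference is updated), and flags settings that look like plaintext credentials that should have been moved to Key Vault. The settings dictionary, the vault name contoso-kv and the secret names are constructed placeholders.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlparse

# Constructed sample of App Service application settings (name -> value).
# Vault name, secret names and the version id are placeholders, not real resources.
SAMPLE_SETTINGS = {
    "MyDatabaseConnectionString": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/DbConnString/6c1f8d8a1a3d4c2f9e9c7b1a2d3e4f50)",
    "ApiKey": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=ApiKey)",
    "LegacyPassword": "Server=db;User ID=app;Password=hunter2",
    "BadRef": "@Microsoft.KeyVault(SecretUri=https://not-a-vault.example.com/secrets/x)",
    "LogLevel": "Information",
}

REF_PATTERN = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")
VAULT_SUFFIX = ".vault.azure.net"
# Heuristic for values that look like an inline credential rather than a reference.
PLAINTEXT_HINTS = re.compile(r"(password|pwd|secret|apikey|api_key|accountkey|token)\s*=", re.IGNORECASE)


@dataclass
class KeyVaultRef:
    vault: str
    secret_name: str
    version: Optional[str]  # None means "latest version"


def parse_reference(value: str) -> Optional[KeyVaultRef]:
    """Return the parsed reference, None if the value is not a reference,
    or raise ValueError if it is a reference but malformed."""
    m = REF_PATTERN.match(value.strip())
    if not m:
        return None
    params = {}
    for part in m.group("body").split(";"):
        if "=" in part:
            key, val = part.split("=", 1)
            params[key.strip().lower()] = val.strip()

    if "secreturi" in params:
        u = urlparse(params["secreturi"])
        host = (u.hostname or "").lower()
        if u.scheme != "https" or not host.endswith(VAULT_SUFFIX):
            raise ValueError(f"reference host is not a Key Vault endpoint: {host or params['secreturi']}")
        segments = [s for s in u.path.split("/") if s]
        if len(segments) < 2 or segments[0] != "secrets":
            raise ValueError(f"SecretUri path must be /secrets/<name>[/<version>]: {u.path}")
        vault = host[: -len(VAULT_SUFFIX)]
        version = segments[2] if len(segments) > 2 else None
        return KeyVaultRef(vault, segments[1], version)

    if "vaultname" in params and "secretname" in params:
        return KeyVaultRef(params["vaultname"], params["secretname"], params.get("secretversion") or None)

    raise ValueError("reference has neither SecretUri nor VaultName/SecretName")


def audit_settings(settings: Dict[str, str]) -> Dict[str, List[str]]:
    """Return findings keyed by setting name; an empty list means no finding."""
    findings: Dict[str, List[str]] = {}
    for name, value in settings.items():
        issues: List[str] = []
        try:
            ref = parse_reference(value)
        except ValueError as exc:
            # App Service would leave the raw string in place, so treat this as a hard error.
            findings[name] = [f"invalid Key Vault reference: {exc}"]
            continue
        if ref is None:
            if PLAINTEXT_HINTS.search(value):
                issues.append("looks like a plaintext credential; move it to Key Vault and reference it")
        elif ref.version:
            issues.append(
                f"pinned to version {ref.version}; rotating the secret in Key Vault "
                "will not take effect until this reference is updated"
            )
        findings[name] = issues
    return findings


if __name__ == "__main__":
    for setting, issues in audit_settings(SAMPLE_SETTINGS).items():
        status = "OK" if not issues else "; ".join(issues)
        print(f"{setting}: {status}")
```

Run the audit against an export of your application settings (for example the JSON from the portal's "Advanced edit" view) before each deployment; the report names settings only and never prints values, so it is safe to include in pipeline logs.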
Securing Certificates
Key Vault integration is also crucial for managing SSL/TLS certificates for your custom domains.
- Import your PFX certificate into Azure Key Vault.
- Grant your App Service's managed identity "Get" and "List" permissions for secrets (certificates are stored as secrets in Key Vault).
- In your App Service, go to "TLS/SSL settings" -> "Private Key Certificates (.pfx)".
- Click "Import Key Vault Certificate".
- Select your Key Vault, the certificate, and the managed identity.
Troubleshooting
- Permissions: Double-check that the managed identity has the correct permissions (Get, List) on the specific secret or certificate in Key Vault.
- Identity Assignment: Ensure the managed identity is correctly assigned to your App Service.
- Key Vault URI: Verify that the Key Vault URI in your code or configuration is correct.
- Network Restrictions: If your Key Vault has network restrictions (firewalls, private endpoints), ensure your App Service can reach it. You might need to allow Azure services through the Key Vault firewall or use VNet integration for your App Service.