
Key Vault references in App Service in Azure - Commands & Configuration

Introduction
Sometimes your app needs secret information like passwords or keys. Storing these secrets safely is important. Azure Key Vault helps keep secrets safe. App Service can use Key Vault references to get secrets without storing them in the app settings directly.
When your web app needs to use a database password without hardcoding it in the app code.
When you want to update a secret like an API key without redeploying your app.
When you want to keep secrets secure and separate from your app configuration.
When multiple apps need to share the same secret securely.
When you want to control access to secrets using Azure permissions.
Config File - azuredeploy.json
azuredeploy.json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appServiceName": {
      "type": "string",
      "defaultValue": "my-app-service"
    },
    "appServicePlanName": {
      "type": "string",
      "defaultValue": "my-app-service-plan"
    },
    "keyVaultName": {
      "type": "string",
      "defaultValue": "my-keyvault"
    },
    "secretName": {
      "type": "string",
      "defaultValue": "DbPassword"
    }
  },
  "resources": [
    {
      "type": "Microsoft.Web/sites",
      "apiVersion": "2022-03-01",
      "name": "[parameters('appServiceName')]",
      "location": "eastus",
      "identity": {
        "type": "SystemAssigned"
      },
      "properties": {
        "serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('appServicePlanName'))]",
        "siteConfig": {
          "appSettings": [
            {
              "name": "DatabasePassword",
              "value": "[concat('@Microsoft.KeyVault(SecretUri=https://', parameters('keyVaultName'), '.vault.azure.net/secrets/', parameters('secretName'), '/)')]"
            }
          ]
        }
      }
    }
  ]
}

This ARM template creates an Azure App Service with a system-assigned managed identity and an app setting named DatabasePassword. The setting's value is assembled with concat() into a Key Vault reference for the secret named DbPassword in the specified Key Vault; ARM only evaluates an expression when the whole string is a single [ ... ] expression, so parameters() calls cannot be spliced into the middle of a literal. The app resolves the secret at runtime, so the secret value itself is never stored in the app settings. The template assumes the App Service plan named by appServicePlanName already exists in the resource group, and the managed identity still needs read access to the vault before the reference can resolve (see Common Mistakes).

Commands
Create a new Azure Key Vault named 'my-keyvault' in the resource group 'my-resource-group' in the East US region.
Terminal
az keyvault create --name my-keyvault --resource-group my-resource-group --location eastus
Expected Output
{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.KeyVault/vaults/my-keyvault", "location": "eastus", "name": "my-keyvault", "properties": { "sku": { "family": "A", "name": "standard" }, "tenantId": "00000000-0000-0000-0000-000000000000" }, "resourceGroup": "my-resource-group", "type": "Microsoft.KeyVault/vaults" }
--name - Sets the name of the Key Vault
--resource-group - Specifies the resource group to create the Key Vault in
--location - Sets the Azure region for the Key Vault
Add a secret named 'DbPassword' with the value 'MyS3cretP@ssw0rd' to the Key Vault 'my-keyvault'.
Terminal
az keyvault secret set --vault-name my-keyvault --name DbPassword --value "MyS3cretP@ssw0rd"
Expected Output
{ "id": "https://my-keyvault.vault.azure.net/secrets/DbPassword/00000000000000000000000000000000", "attributes": { "enabled": true, "created": 1680000000, "updated": 1680000000 }, "contentType": null, "kid": null, "managed": null }
--vault-name - Specifies which Key Vault to use
--name - Names the secret
--value - Sets the secret's value
Create an Azure App Service named 'my-app-service' in the resource group 'my-resource-group' using the specified app service plan and runtime. The plan 'my-app-service-plan' must already exist; the app inherits its region from the plan.
Terminal
az webapp create --resource-group my-resource-group --plan my-app-service-plan --name my-app-service --runtime "DOTNET|6.0"
Expected Output
{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Web/sites/my-app-service", "location": "eastus", "name": "my-app-service", "properties": { "state": "Running" }, "resourceGroup": "my-resource-group", "type": "Microsoft.Web/sites" }
--resource-group - Specifies the resource group for the app
--plan - Sets the app service plan to use
--runtime - Defines the runtime stack for the app
Configure the app setting 'DatabasePassword' in the App Service to use the Key Vault reference for the secret 'DbPassword'.
Terminal
az webapp config appsettings set --resource-group my-resource-group --name my-app-service --settings DatabasePassword="@Microsoft.KeyVault(SecretUri=https://my-keyvault.vault.azure.net/secrets/DbPassword/)"
Expected Output
{ "id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-resource-group/providers/Microsoft.Web/sites/my-app-service/config/appsettings", "name": "appsettings", "properties": { "DatabasePassword": "@Microsoft.KeyVault(SecretUri=https://my-keyvault.vault.azure.net/secrets/DbPassword/)" }, "type": "Microsoft.Web/sites/config" }
--settings - Sets or updates app settings key-value pairs
List all app settings for the App Service to verify the Key Vault reference is set correctly.
Terminal
az webapp config appsettings list --resource-group my-resource-group --name my-app-service
Expected Output
[ { "name": "DatabasePassword", "value": "@Microsoft.KeyVault(SecretUri=https://my-keyvault.vault.azure.net/secrets/DbPassword/)" } ]
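The steps above set the reference but never give the app permission to read the vault, and a mistyped SecretUri silently fails at runtime. The script below is an added example, not from the original page: it builds a well-formed reference string, checks a setting for that shape, and grants the app's system-assigned identity secret-read access, assuming the names used above (my-resource-group, my-app-service, my-keyvault, DbPassword) and a logged-in Azure CLI.

```shell
# Added example, not from the original page: build a well-formed Key Vault
# reference string and grant the App Service's managed identity read access to
# the vault, which the reference needs in order to resolve at runtime.
# Assumed names: my-resource-group, my-app-service, my-keyvault, DbPassword.
# kv_ref VAULT SECRET [VERSION]: print the reference string for an app setting.
# An empty VERSION (trailing "/") resolves to the latest version of the secret.
kv_ref() {
  vault="$1"; secret="$2"; version="${3:-}"
  if [ -z "$vault" ] || [ -z "$secret" ]; then
    echo "kv_ref: vault name and secret name are required" >&2
    return 1
  fi
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s/%s)' \
    "$vault" "$secret" "$version"
}
# is_kv_ref VALUE: succeed only if VALUE has the reference shape, so a review
# script can flag app settings that hold a plain-text secret instead.
is_kv_ref() {
  case "$1" in
    '@Microsoft.KeyVault(SecretUri=https://'*'.vault.azure.net/secrets/'*')') return 0 ;;
    *) return 1 ;;
  esac
}
# grant_access RG APP VAULT: enable the system-assigned identity, then grant it
# "Key Vault Secrets User" (RBAC vault) or a get-only access policy (legacy vault).
grant_access() {
  rg="$1"; app="$2"; vault="$3"
  principal_id=$(az webapp identity assign --resource-group "$rg" --name "$app" \
    --query principalId -o tsv)
  vault_id=$(az keyvault show --name "$vault" --query id -o tsv)
  rbac=$(az keyvault show --name "$vault" --query properties.enableRbacAuthorization -o tsv)
  case "$rbac" in
    true|True)
      az role assignment create --assignee-object-id "$principal_id" \
        --assignee-principal-type ServicePrincipal \
        --role "Key Vault Secrets User" --scope "$vault_id" >/dev/null ;;
    *)
      az keyvault set-policy --name "$vault" --object-id "$principal_id" \
        --secret-permissions get >/dev/null ;;
  esac
  echo "$principal_id"
}
# The Azure calls run only when invoked as: sh grant.sh apply
if [ "${1:-}" = "apply" ]; then
  grant_access my-resource-group my-app-service my-keyvault
  az webapp config appsettings set --resource-group my-resource-group --name my-app-service \
    --settings "DatabasePassword=$(kv_ref my-keyvault DbPassword)"
fi
```

Run it with the apply argument after the Key Vault, secret and App Service from the commands above exist; without the argument it only defines the helper functions.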
Key Concept

If you remember nothing else from this pattern, remember: App Service can securely fetch secrets at runtime using Key Vault references without storing secrets directly in app settings.

Common Mistakes
Setting the secret value directly in app settings instead of using a Key Vault reference.
This exposes secrets in plain text and risks leaking sensitive information.
Use the special syntax '@Microsoft.KeyVault(SecretUri=...)' to reference secrets securely.
Not granting the App Service identity access to the Key Vault secrets.
Without permission, the app cannot retrieve the secret and will fail at runtime.
Assign the App Service's managed identity the 'Key Vault Secrets User' role (on a vault using RBAC) or an access policy with the 'get' secret permission (on a vault using access policies).
Using incorrect secret URI format in the Key Vault reference.
The app will not find the secret and fail to start or authenticate.
Use the full secret URI, ending with the secret name and an optional version, e.g., https://my-keyvault.vault.azure.net/secrets/DbPassword/ (with no version, the latest version of the secret is used).
Summary
Create a Key Vault and add secrets to store sensitive information securely.
Create an App Service and configure app settings to reference Key Vault secrets using the special syntax.
Verify the app settings to ensure the Key Vault references are correctly set for secure secret retrieval.