Azure · How-To · Beginner · 4 min read

How to Use Azure Key Vault with App Service Securely

To use Azure Key Vault with Azure App Service, enable the Managed Identity on your App Service and grant it access to the Key Vault. Then, configure your app to fetch secrets from the Key Vault using the identity without storing secrets in code or config files.

Syntax

Here is the basic pattern to connect an Azure App Service to Azure Key Vault:

  • Enable Managed Identity: Turn on the system-assigned managed identity for your App Service.
  • Set Access Policy: In Key Vault, grant the App Service's managed identity Get permission for secrets.
  • Reference Secrets: Use Key Vault references in your App Service application settings or fetch secrets programmatically using Azure SDK.
```bash
az webapp identity assign --name <app-service-name> --resource-group <resource-group>
az keyvault set-policy --name <keyvault-name> --object-id <app-service-principal-object-id> --secret-permissions get

# Example app setting that references a secret (the trailing version segment is optional;
# leave it out to always resolve the latest version of the secret)
KEY_VAULT_SECRET=@Microsoft.KeyVault(SecretUri=https://<keyvault-name>.vault.azure.net/secrets/<secret-name>/<secret-version>)
```

Example

This example shows how to enable managed identity on an App Service, grant it access to Key Vault, and reference a secret in app settings.

```bash
az group create --name MyResourceGroup --location eastus
# This example uses Key Vault access policies, so disable the RBAC permission model
# explicitly (newer CLI versions may default to RBAC, under which set-policy has no effect)
az keyvault create --name MyKeyVault12345 --resource-group MyResourceGroup --location eastus --enable-rbac-authorization false
az keyvault secret set --vault-name MyKeyVault12345 --name MySecret --value "MySecretValue"
# Linux plan: the "DOTNETCORE|6.0" runtime string below is the Linux runtime format
az appservice plan create --name MyPlan --resource-group MyResourceGroup --sku B1 --is-linux true
az webapp create --resource-group MyResourceGroup --plan MyPlan --name MyAppService12345 --runtime "DOTNETCORE|6.0"
az webapp identity assign --name MyAppService12345 --resource-group MyResourceGroup

# Get the principal object id of the system-assigned managed identity
APP_IDENTITY_OBJECT_ID=$(az webapp show --name MyAppService12345 --resource-group MyResourceGroup --query identity.principalId -o tsv)

# Grant the identity read access to secrets only (least privilege)
az keyvault set-policy --name MyKeyVault12345 --object-id "$APP_IDENTITY_OBJECT_ID" --secret-permissions get

# Set an app setting that references the secret (no version: always the latest)
az webapp config appsettings set --name MyAppService12345 --resource-group MyResourceGroup --settings \
  "MySecretSetting=@Microsoft.KeyVault(SecretUri=https://MyKeyVault12345.vault.azure.net/secrets/MySecret)"
```
Output

Resource group 'MyResourceGroup' created.
Key Vault 'MyKeyVault12345' created.
Secret 'MySecret' set.
App Service plan 'MyPlan' created.
App Service 'MyAppService12345' created.
Managed identity assigned with principal ID: <object-id>
Access policy set for Key Vault.
App setting 'MySecretSetting' configured with Key Vault reference.

Common Pitfalls

  • Not enabling Managed Identity: Without it, App Service cannot authenticate to Key Vault securely.
  • Missing Access Policy: The App Service's identity must have Get permission on secrets in Key Vault.
  • Incorrect Secret URI: The secret URI must be exact and include the vault name and secret name.
  • Using connection strings or secrets in code: Always use Key Vault references or SDK calls to avoid hardcoding secrets.
```bash
## Wrong: hardcoding the secret value in app settings
az webapp config appsettings set --name MyAppService12345 --resource-group MyResourceGroup --settings "MySecretSetting=MySecretValue"

## Right: use a Key Vault reference
az webapp config appsettings set --name MyAppService12345 --resource-group MyResourceGroup --settings \
  "MySecretSetting=@Microsoft.KeyVault(SecretUri=https://MyKeyVault12345.vault.azure.net/secrets/MySecret)"
```
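The two pitfalls above (a malformed secret URI and a literal secret in app settings) can be caught before anything is pushed with `az webapp config appsettings set`. The following shell functions are an added example, not part of the original article or of the Azure CLI: `kv_ref_check` validates a single Key Vault reference value, and `kv_settings_audit` runs it over constructed `KEY=VALUE` lines; the list of secret-looking key words it uses is an assumption.

```bash
# Validate an App Service setting value before pushing it. Exit status:
# 0 = well-formed Key Vault reference (vault/secret/version printed),
# 1 = a literal value (i.e. a hardcoded secret), 2 = malformed reference.
kv_ref_check() {
  value=$1
  case "$value" in
    "@Microsoft.KeyVault(SecretUri="*")") ;;
    "@Microsoft.KeyVault("*)             return 2 ;;
    *)                                   return 1 ;;
  esac
  uri=${value#"@Microsoft.KeyVault(SecretUri="}; uri=${uri%")"}
  # Require an https URI under vault.azure.net with a /secrets/<name>[/<version>] path
  case "$uri" in https://*.vault.azure.net/secrets/*) ;; *) return 2 ;; esac
  host=${uri#https://}; host=${host%%/*}; vault=${host%.vault.azure.net}
  path=${uri#https://*/secrets/}; secret=${path%%/*}
  version=${path#"$secret"}; version=${version#/}
  # Names: alphanumerics/hyphens only, never empty (a dot left in "$vault" means the host was not <vault>.vault.azure.net)
  case "$vault$secret" in *[!A-Za-z0-9-]*) return 2 ;; esac
  [ -n "$vault" ] && [ -n "$secret" ] || return 2
  # Version is optional (latest); when present it must be 32 hex characters.
  if [ -n "$version" ]; then
    case "$version" in *[!0-9a-f]*) return 2 ;; esac
    [ "${#version}" -eq 32 ] || return 2
  fi
  printf 'vault=%s secret=%s version=%s\n' "$vault" "$secret" "${version:-latest}"
}

# Audit KEY=VALUE lines: flag malformed references and secret-looking keys (assumed word list) holding literals.
kv_settings_audit() {
  bad=0
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    key=${line%%=*}; val=${line#*=}
    rc=0; kv_ref_check "$val" >/dev/null || rc=$?
    case "$rc:$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')" in
      2:*) printf 'MALFORMED reference: %s\n' "$key"; bad=1 ;;
      1:*SECRET*|1:*PASSWORD*|1:*TOKEN*|1:*CONNECTIONSTRING*|1:*APIKEY*)
        printf 'HARDCODED secret-like value: %s\n' "$key"; bad=1 ;;
    esac
  done <<EOF
$1
EOF
  return $bad
}

# Constructed sample; DbPassword (literal) and ApiToken (bad version) get flagged.
SAMPLE_SETTINGS='MySecretSetting=@Microsoft.KeyVault(SecretUri=https://MyKeyVault12345.vault.azure.net/secrets/MySecret)
DbPassword=MySecretValue
ApiToken=@Microsoft.KeyVault(SecretUri=https://MyKeyVault12345.vault.azure.net/secrets/ApiToken/abc)
WEBSITE_RUN_FROM_PACKAGE=1'
kv_settings_audit "$SAMPLE_SETTINGS" || echo "audit failed: fix the settings above before deploying"
```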

Quick Reference

Summary tips for using Azure Key Vault with App Service:

  • Always enable system-assigned managed identity on your App Service.
  • Grant only Get permission on secrets to the App Service identity.
  • Use Key Vault references in app settings for automatic secret injection.
  • Test access by retrieving secrets programmatically or via app settings.

Key Takeaways

  • Enable managed identity on your App Service to authenticate securely with Key Vault.
  • Grant the App Service identity 'Get' permission on Key Vault secrets via access policies.
  • Use Key Vault references in App Service app settings to avoid hardcoding secrets.
  • Always verify the secret URI is correct and includes the vault and secret names.
  • Avoid storing secrets in code or config files; rely on Key Vault for secret management.