Storing Azure App Service secrets on Azure Key Vault

Today I'm going to show how to store Azure App Service configuration secrets in Azure Key Vault. In this example, I'm going to use a DNN Platform based website deployed on Azure App Service with a SQL Database, storing the SQL database connection string in Azure Key Vault. I won't change the application codebase to access the Azure Key Vault in any way: we will take advantage of the App Service managed identity feature to retrieve the Key Vault secrets automatically.

Provision the Azure Key Vault

  1. Provision the Azure Key Vault

    [Screenshot: create-azure-key-vault]

  2. For this demo, we will change the permissions model to the new Azure role-based access control (RBAC). It's currently in Preview.

    [Screenshot: access-policy-azure-keyvault]

  3. Depending on your deployment, change the Networking settings as desired. For this demo we will leave it as Public endpoint to match the App Service configuration.

    [Screenshot: creating-azure-key-vault]

  4. Click on the Review + Create button to start the deployment.
  5. Once created, add yourself to the "Key Vault Administrator (Preview)" role via Access Control (IAM). Now you can start managing secrets.

    [Screenshot: add-role-assignment-azure-key-vault]

Add the Connection String to the Key Vault secrets

  1. Add a new secret to the Key Vault

    [Screenshot: adding-connection-string-to-key-vault-secrets]

  2. Specify a secret of type "Manual", give it a name and set the value to the current SQL Database connection string stored in the application's web.config.

    [Screenshot: creating-secret-key-vault]

  3. Click on Create. Once created, click on the secret to see the secret details, and then click again on the current version.
  4. Next to the Secret Identifier, click on the copy to clipboard button.

    [Screenshot: secret-identifier-azure-key-vault]

Add the secret identifier reference to the Azure App Service Settings

  1. Open the App Service configuration settings, and add a new Connection String setting.
  2. Type the name of the connection string ("SiteSqlServer" for DNN Platform) and set the value to "@Microsoft.KeyVault(SecretUri=VALUE_FROM_CLIPBOARD)", where VALUE_FROM_CLIPBOARD is the secret identifier copied in step 4 of the previous section.
  3. Click on Save to save the app settings.

    [Screenshot: sqlserverconfiguration]

Allow the App Service to access the Key Vault

  1. On the App Service again, click on Identity to enable the System Assigned identity.
  2. Click on Save after turning the status "On".

    [Screenshot: appservice-azure-key-vault]

  3. Click on the "Role Assignments" button and then click on "Add role assignment (Preview)".

    [Screenshot: azure-role-assignments]

  4. In the role assignment, choose "Key Vault" as the scope, select the subscription where you created the Key Vault in the previous steps and the name of the Key Vault resource. For the role, just select "Key Vault Secrets User (preview)".

    [Screenshot: add-role-assignment-key-vault]

  5. Finally go to the web.config file of your DNN Platform website and clear the connection string contents.

    [Screenshot: webconfigfile-dnn]

  6. Visit the website and check that it loads successfully. Now the connection string is safely stored in the Azure Key Vault, and it's no longer stored on the file system.
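The four portal sections above (provision the vault, store the secret, add the Key Vault reference to the App Service, grant the managed identity access) can also be scripted. The following Azure CLI script is an added example and not part of the original post or of DNN Platform; resource names such as RG, APP and VAULT are placeholders read from the environment, and the role names are the current ones ("Key Vault Administrator", "Key Vault Secrets User"), which the portal showed with a "(Preview)" suffix at the time of writing. It also validates the secret identifier before building the reference, since a malformed reference reaches the application as a literal string.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the portal steps as an Azure CLI
# script. RG, APP, VAULT, LOCATION and SECRET_NAME are placeholders taken from
# the environment; SQL_CONNECTION_STRING must hold the value from web.config.
set -eu

# Accepts a secret identifier as copied from the portal, for example
#   https://myvault.vault.azure.net/secrets/SiteSqlServer/<32-hex-version>
# A version-less identifier is also accepted (it resolves to the latest version).
validate_secret_uri() {
  printf '%s' "$1" | grep -Eq \
    '^https://[A-Za-z0-9-]+\.vault\.azure\.net/secrets/[A-Za-z0-9-]+(/[0-9a-f]{32})?/?$'
}

# Builds the App Service Key Vault reference for a validated identifier.
# If the reference is not resolved, the app receives it as a literal string,
# which is what the "Keyword not supported: '@microsoft.keyvault(secreturi'"
# error from the SQL client looks like.
build_kv_reference() {
  validate_secret_uri "$1" || { echo "invalid secret identifier: $1" >&2; return 1; }
  printf '@Microsoft.KeyVault(SecretUri=%s)' "$1"
}

# Runs the Azure CLI steps. Requires an authenticated `az` session.
apply() {
  RG="${RG:-my-resource-group}"        # placeholder resource group
  APP="${APP:-my-dnn-app}"             # placeholder App Service name
  VAULT="${VAULT:-my-dnn-vault}"       # placeholder Key Vault name
  LOCATION="${LOCATION:-westeurope}"
  SECRET_NAME="${SECRET_NAME:-SiteSqlServer}"
  : "${SQL_CONNECTION_STRING:?set SQL_CONNECTION_STRING to the value from web.config}"

  # 1. Key Vault using the RBAC permission model instead of vault access policies.
  az keyvault create --name "$VAULT" --resource-group "$RG" \
    --location "$LOCATION" --enable-rbac-authorization true --output none
  VAULT_ID=$(az keyvault show --name "$VAULT" --resource-group "$RG" --query id -o tsv)

  # 2. Give the signed-in user Key Vault Administrator so the secret can be written
  #    (current CLI versions expose the object id as "id").
  ME=$(az ad signed-in-user show --query id -o tsv)
  az role assignment create --assignee-object-id "$ME" --assignee-principal-type User \
    --role "Key Vault Administrator" --scope "$VAULT_ID" --output none

  # 3. Store the connection string and capture its identifier (the value the
  #    portal offers next to "Secret Identifier").
  SECRET_URI=$(az keyvault secret set --vault-name "$VAULT" --name "$SECRET_NAME" \
    --value "$SQL_CONNECTION_STRING" --query id -o tsv)

  # 4. System-assigned managed identity for the App Service.
  PRINCIPAL_ID=$(az webapp identity assign --name "$APP" --resource-group "$RG" \
    --query principalId -o tsv)

  # 5. Least privilege: the app only reads secrets, so Secrets User rather than
  #    Administrator, scoped to this one vault.
  az role assignment create --assignee-object-id "$PRINCIPAL_ID" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$VAULT_ID" --output none

  # 6. Point the app's SiteSqlServer connection string at the vault.
  REF=$(build_kv_reference "$SECRET_URI")
  az webapp config connection-string set --name "$APP" --resource-group "$RG" \
    --connection-string-type SQLServer --settings "SiteSqlServer=$REF" --output none

  # 7. Role assignments can take a minute or two to propagate; restart so no
  #    unresolved reference stays cached. Clearing web.config remains a manual step.
  az webapp restart --name "$APP" --resource-group "$RG"
  echo "Connection string SiteSqlServer now references $SECRET_URI"
}

# Only talk to Azure when explicitly asked: ./kv-connstr.sh apply
if [ "${1:-}" = "apply" ]; then
  apply
fi
```

Run it as `SQL_CONNECTION_STRING='...' RG=... APP=... VAULT=... ./kv-connstr.sh apply`. The script deliberately keeps the managed identity at "Key Vault Secrets User" on the single vault and gives only the operator the Administrator role, so the website can read the connection string but cannot list, change or delete secrets.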

Known issues

  1. ERROR: You get the error "Keyword not supported: '@microsoft.keyvault(secreturi'". I have experienced that the RBAC permissions can take one or two minutes to be applied, so try again after a few minutes. Also try restarting the application through the App Service portal so nothing is cached.

    [Screenshot: known-issues-azure-key-vault]

  2. When checking the DNN log4net logs, you see a lot of errors from a process trying to initialize a database connection with an invalid connection string during the DNN initialization process. This error currently happens on versions 9.7.2 or earlier, with a pending pull request to fix it: https://github.com/dnnsoftware/Dnn.Platform/issues/4227
  3. IMPORTANT: If you plan to use the Azure App Service Backup feature, don't use this method to store SQL Database connection strings in Azure Key Vault, since the App Service backup feature doesn't support them: https://stackoverflow.com/questions/56101504/backingup-azure-webapp-when-connection-string-is-injected-through-keyvault

Hope this helps!
