7
votes

I have an app with 2 slots. I have stored connection strings in the key vault. I have enabled MSI on the app and the 2 slots. Also, within the vault's access policy, I have added the app (production slot). However, I am not able to add the slots to the access policy. E.g. my app's name is XYZ20180706 and the slots are XYZ20180706/dev and XYZ20180706/test. But when I type in XYZ20180706/dev or XYZ20180706-dev in the service principal, it is not found.

How do I create an access policy for a deployment slot?

Just having it enabled on the main slot is not enough. I currently get access denied (to vault) if I deploy the app to the dev slot and run it.

Thanks.


2 Answers

12
votes

AFAIK, we could access it after enabling MSI for the deployment slot; you could check my test steps.

1. I have two slots, then I enable MSI on both of them in the portal.

2. You could check them in the Azure Active Directory -> Enterprise applications in the portal, refer to the screenshot.

    Note: You should specify the Application Type option with All Applications when you are searching.

3. Add an access policy in the Azure Key Vault; you could find the slots in the principal (hover your cursor over it).

4
votes

On the key vault "Add access policy" section (printscreen 3 from Joy Wang), when you are selecting the principal, type this: YourWebAppName/slots/YourDeploymentSlotName

After you type the entire string the autocomplete check will be green and you can select the principal from the list.
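
The same grant can be scripted with the Azure CLI by looking up the slot's own identity instead of searching for it by name. This is an added example, not part of either answer above; it assumes the vault uses access policies, and the resource group and vault names are placeholders.

```shell
#!/usr/bin/env bash
# Added example: give ONE deployment slot's managed identity read access to
# Key Vault secrets. Each slot has its own identity, separate from the
# production slot's, so each slot needs its own access policy entry.
#
# Usage (resource group and vault name are placeholders):
#   grant_slot_secret_read XYZ20180706 <resource-group> dev <vault-name>

# Print the object (principal) ID of the slot's system-assigned identity.
# Prints nothing if no identity has been enabled on that slot.
slot_principal_id() {
  local app rg slot
  app="$1"; rg="$2"; slot="$3"
  az webapp identity show \
    --name "$app" --resource-group "$rg" --slot "$slot" \
    --query principalId --output tsv
}

# Grant only "get" on secrets (enough to read a connection string by name;
# no list, set or delete). Prints the principal ID that received the policy.
grant_slot_secret_read() {
  local app rg slot vault pid
  app="$1"; rg="$2"; slot="$3"; vault="$4"
  pid="$(slot_principal_id "$app" "$rg" "$slot")"
  if [ -z "$pid" ]; then
    echo "no managed identity on $app/slots/$slot; enable it first" >&2
    return 1
  fi
  az keyvault set-policy \
    --name "$vault" --object-id "$pid" \
    --secret-permissions get >/dev/null
  echo "$pid"
}

# Run directly when called with: <app> <resource-group> <slot> <vault>
if [ "$#" -eq 4 ]; then
  grant_slot_secret_read "$@"
fi
```

Run it once per slot; the production slot's existing policy is not changed.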