1
votes

I am seeking some clarity on the best way to integrate Key Vault in ARM deployments within Azure DevOps.

For example, deploying an App Service and creating a Managed Service Identity so that it can get secrets from the key vault for a pre-existing Database.

1) In the Azure portal, I have manually created a new Service Principal for the App service with "Get" and "List" permissions in the access policy.

2) In my DevOps project, under the project settings, I have created a service connection.

3) I have created a Variable group in DevOps with relevant Key Vault Secrets.

4) In my App Service ARM template I have referenced the Service Identity with reference to the Variable Parameters.

Is this the correct way to integrate Key Vault with a DevOps Deployment?

Whenever I need to deploy a new service to the environment (say now I want to deploy an API), do I need to manually create another Managed Identity in Azure for the Key Vault Access or is there a way to create it as part of the initial deployment of the API service?

Thank you in advance for your assistance.

1
So you don't need to create a service principal directly: you can create a user-assigned identity or create a system-assigned identity. Really up to you. – Thomas

1 Answer

3
votes

If you are using MSI it is recommended to set this in the ARM template by putting

  "identity": {
    "type": "SystemAssigned"
  },

in the definition of the App Service. This will recreate the MSI with every deployment. It will be named the same but will have a different thumbprint in AD after each deployment. For purposes of Key Vault this is perfectly fine.

Within your Key Vault ARM template (if it's not all in the same template), the access policy can reference the MSI by:

  "tenantId": "[subscription().tenantId]",
  "objectId": "[reference(resourceId('Microsoft.Web/sites', INSERT APP SERVICE NAME), '2018-02-01', 'Full').identity.principalId]",

This will reference the ID being created by the App Service deployment.

If using this, be sure to have the App Service config depend on the Key Vault and secrets (if referencing secrets in the ARM template), the Access Policy depend on the Key Vault and App Service creation, and any secret being created depend on the Key Vault as well, to ensure assignments happen in the right order.