2
votes

I have a simple app service set up to use/test Azure App Configuration

  • The Azure App Config contains 2 non-KeyVault entries, and 1 entry which is a Key Vault reference
  • The Key Vault is set up with the proper Access Policy, allowing Get/List of Secrets to the Managed Service Identity of the Azure App Config

I've followed the sample application, so the CreateHostBuilder looks like:

using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
            webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
            {
                // Build the configuration collected so far to read the App Configuration connection string
                var settings = config.Build();
                config.AddAzureAppConfiguration(settings["ConnectionStrings:AppConfig"]);
            })
            .UseStartup<Startup>());

When deploying/running the app, the behavior is successful when there are no Azure App Config entries which point to KeyVault.

When I add an entry in Azure App Config which points to KeyVault, the app will not start (HTTP Error 500.30 - ANCM In-Process Start Failure), and the logs show this exception:

Exception Info: Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException: No key vault credential configured and no matching secret client could be found.. ErrorCode:, Key:TestConnectionString, Label:, Etag:6ezsqW96CsAet7Ym5H4DedsLTkI, SecretIdentifier:https://testkeyvault.vault.azure.net/secrets/TestSecret ---> System.UnauthorizedAccessException: No key vault credential configured and no matching secret client could be found.

It seems obvious that something isn't secured correctly, but I've checked many times and the Key Vault has an access policy granting Get/List of Secrets to the Azure App Config identity.

I've also tried the ConfigureKeyVault option in the host builder, i.e.

using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
    .ConfigureWebHostDefaults(webBuilder =>
    webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
    {
        var settings = config.Build();

        config.AddAzureAppConfiguration(options =>
        {
            options.Connect(settings["ConnectionStrings:AppConfig"])
                    // Credential used to resolve Key Vault references found in the store
                    .ConfigureKeyVault(kv =>
                    {
                        kv.SetCredential(new DefaultAzureCredential());
                    });
        });
    })
    .UseStartup<Startup>());

Is the Access Policy on the Key Vault granting Get/List of Secrets to the Azure App Config identity all that needs to be done, or have I missed something? (I've also tried granting an Access Policy to the app service, no luck).

1
Can you give your app system identity the ability to "create" secrets?
LMG

1 Answer

7
votes

For key vault references, the application needs to set up authentication to both App Configuration and Key Vault. The two services don't communicate directly, so App Configuration does not need any access permissions to the Key Vault. The code snippet with the usage of ConfigureKeyVault is correct. It specifies DefaultAzureCredential to be used to authenticate to Key Vault in order to resolve key vault references.

In order to allow your application hosted in Azure App Service to be able to access secrets from Key Vault, you can enable managed identity on the App Service and grant it GET and LIST permissions in Key Vault.

For the development environment, these instructions can be used to create a service principal, grant permissions and set up appropriate environment variables to be used by the DefaultAzureCredential.
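The two points of the answer (it is the App Service's own managed identity, not App Configuration's, that resolves the Key Vault references, and one DefaultAzureCredential can authenticate to both services) put together in a complete Program.cs. This is an added example, not code from the question or the answer. It assumes an app setting named AppConfig:Endpoint holding the store's endpoint URL (used here instead of the question's connection string, so no access key sits in app settings), that the App Service identity has been granted the App Configuration Data Reader role on the store and Get/List on secrets in the vault, and that TestConnectionString is the Key Vault reference key from the question's log line.

```csharp
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
                webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
                {
                    var settings = config.Build();

                    // One credential for both services. On App Service this resolves to the
                    // system-assigned managed identity; on a developer machine it falls back to
                    // AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET or a CLI login.
                    var credential = new DefaultAzureCredential();

                    config.AddAzureAppConfiguration(options =>
                    {
                        // Assumed setting "AppConfig:Endpoint", e.g. https://<store>.azconfig.io.
                        // Token-based access to the store requires the identity to hold the
                        // App Configuration Data Reader role (assumption stated in the lead-in).
                        options.Connect(new Uri(settings["AppConfig:Endpoint"]), credential)
                               // The same identity resolves Key Vault references, so it is the
                               // App Service identity that needs Get/List on secrets in the vault.
                               .ConfigureKeyVault(kv => kv.SetCredential(credential));
                    });
                })
                .UseStartup<Startup>());
}

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration) => _configuration = configuration;

    public void ConfigureServices(IServiceCollection services) { }

    public void Configure(IApplicationBuilder app)
    {
        app.Run(async (HttpContext context) =>
        {
            // "TestConnectionString" is the Key Vault reference key from the question; the
            // provider resolved it to the secret value at startup. Only report presence,
            // never echo the secret itself to a caller.
            var state = string.IsNullOrEmpty(_configuration["TestConnectionString"]) ? "missing" : "resolved";
            await context.Response.WriteAsync($"TestConnectionString: {state}");
        });
    }
}
```

On App Service the identity and vault permission from the answer can be set up with `az webapp identity assign` (note the principalId it prints) followed by `az keyvault set-policy --object-id <principalId> --secret-permissions get list`; the App Configuration Data Reader role assignment on the store is only needed because this example connects by endpoint rather than by connection string.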