“Key vault reference error” in azure web app configuration setting

0
votes

I have a private certificate that was generated by azure for a web app for linux containers. I want to pass this value to my .net core app via the web app configuration settings in the the azure portal. This is part of a pipeline CI-CD process and the ability to specify Identity Server key values in app configuration helps to keep those values out of the source code.

PROBLEM

I keep getting the following error by the setting

❌Key vault Reference

also shown here: enter image description here

I am trying to use the secret value in the format suggested by the microsoft docs here I have tried the following formats:

@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID)

@Microsoft.KeyVault(VaultName=myvault;SecretName=myCertName;SecretVersion=versionGUID)

ALSO, I have added the web app to the access policies of the azure key vault

EDIT 1:

There was a format error and I had the wrong secret name so the following format worked:

@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID)

However I ran into a new error:

Key Vault reference was not able to be resolved because site Managed Identity not enabled MSINotEnabled

SO I went to the identity tab of the web app and turned on managed identity for the app.

I am now stuck with the following error:

Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.

I found multiple sites that said if you just deleted the setting, saved, and then add the setting back it should resolve. This DID NOT work for me.

I also tried granting "Full access" to the web app in the azure key vault access policies.

2
azuressl-certificateidentityserver4azure-keyvaultazure-webapps

2 Answers

1
votes

Firstly, the reference format @Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID) is wrong, it should be @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/myCertName/versionGUID).

Secondly, I don't think you granted the permission for the MSI of your web app correctly.

From the description in your original post:

ALSO, I have added the web app to the access policies of the azure key vault

Then in your EDIT 1:

SO I went to the identity tab of the web app and turned on managed identity for the app.

Obviously the order is wrong, if you didn't enable the MSI of the app before, how you add it to the access policy? I suppose you may added the wrong one.

So in your case, make sure you have added the MSI of the web app to the access policy correctly.

1.Navigate to the web app -> Identity -> copy the Object ID(also make sure you are using system-assigned MSI, the user-assigned MSI is not supported in keyvault reference feature)

enter image description here

2.Then in the Access policies of the keyvault -> Add Access Policy -> seacrh for the Object ID in step 1 and add it with the Get Secret permission like below -> select and save.

enter image description here

3.Navigate to the app and check it, it works fine.

enter image description here

1
votes

Your app should be able to reach the Key Vault to resolve a reference successfully. If everything else, e.g., access policies and syntax, appears to be in order and yet your references don't resolve, try checking if your Key Vault has any network restriction.

If you see the warning related to the 'network access control' on your Vault's Access policies settings page, you need to allow your app's IP through the Key Vault firewall.

Azure Key Vault: Network restrictions warning

Add your app’s IP (available under Custom domains) to your Key Vault’s firewall (under Networking).

Azure Key Vault: Allow IP through the Firewall

Reference: https://medium.com/geekculture/troubleshooting-azure-key-vault-references-in-azure-function-apps-b228c1216f63