In a previous post I described what Azure Key Vault is and provided some instruction in regards to setting it up and using it. Now we’re going to run through some code examples to see how an application can use a vault.
There is no reason to re-create Microsoft’s excellent documentation that demonstrates an ASP.NET Core application using Key Vault. Since Microsoft is pushing the Managed Identity route and there seems to be less documentation out there on that, let’s go that route.
As noted in the documentation, set the directive at the top of your Project.cs file to Managed:
```csharp
#define Managed // Managed
// Change to 'Managed' to run the sample in Managed Identity configuration.
// For details, see the Azure Key Vault Configuration Provider topic:
// https://docs.microsoft.com/aspnet/core/security/key-vault-configuration
```
You no longer need a Client ID and Secret, so remove those from your appsettings.json until it contains only the "KeyVaultName" parameter:

```json
{
  "KeyVaultName": "yourvaultname"
}
```
Publish your App Service to Azure.
Microsoft notes in the documentation that a web app automatically registers itself with the Azure AD tenant:

> An app deployed to Azure App Service is automatically registered with Azure AD when the service is created.

https://docs.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-2.2#use-managed-identities-for-azure-resources
This seems to not be the case for me, and for this project I’m working with Visual Studio for Mac; that is probably why. Inadequate permissions in the AAD tenant can also cause this. I needed to manually register my app by mashing the Identity button in the App Service and then flip the switch to On. This generated the identity in AAD. If you want to see the identity, you can use the AAD portal, set your filter to All Applications, then enter the name of your web app as it is displayed in the portal. Partial matches work as long as the search string matches the beginning of the app name.
Alternatively, you can use the Azure CLI command `az ad sp show --id <object id of app>`. You can get the Object Id from the Identity blade of the app in the portal.
Once your application is registered, its identity becomes available in Azure RBAC and you can assign it a Key Vault Access Policy. Grant the identity the Get and List secret permissions via the Access Policy and your app should read the secret values and display them on the page. You can play around with this a bit: create new secret versions with new content, restart the Web App, and refresh the page. The page should show the new secret values.
If you run into an error when you access the page that looks like this:

```
HTTP Error 500.30 - ANCM In-Process Start Failure
```

You should have a look at your Key Vault's Firewalls and virtual networks settings blade. If you are restricting access to your vault (recommended), you need to ensure the vault allows the App Service's outbound IP addresses or, if you are using Service Endpoints, the subnet of the Virtual Network the app is attached to.
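The following Program.cs and Startup.cs wire up the Managed Identity path the steps above describe. This is an added example, not code from the original post or from Microsoft's sample; it assumes ASP.NET Core 2.2 with the Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication and Microsoft.Extensions.Configuration.AzureKeyVault packages, an appsettings.json holding only "KeyVaultName", and a placeholder secret named "DbPassword" in the vault. The comments also note why a vault blocked by its firewall, or an identity without Get and List, shows up as the ANCM 500.30 start failure rather than a runtime error.

```csharp
// Added example (not the page's or Microsoft's sample code). Assumes ASP.NET Core 2.2 with the
// packages Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication and
// Microsoft.Extensions.Configuration.AzureKeyVault. "DbPassword" is a placeholder secret name.
using System;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;

public class Program
{
    public static void Main(string[] args) =>
        CreateWebHostBuilder(args).Build().Run();

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // appsettings.json has already been added by CreateDefaultBuilder; build the
                // partial configuration just to read the vault name. No client id/secret here.
                var builtConfig = config.Build();
                var vaultName = builtConfig["KeyVaultName"];

                // In App Service, AzureServiceTokenProvider requests a token from the managed
                // identity endpoint; on a developer machine it falls back to the Azure CLI or
                // Visual Studio sign-in, so the same code runs in both places.
                var tokenProvider = new AzureServiceTokenProvider();
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

                // This provider enumerates (List) and reads (Get) every enabled secret while the
                // host is being built. If the vault firewall blocks the App Service's outbound
                // IPs or the identity lacks Get/List, the exception is thrown before Kestrel
                // starts listening, which is exactly what ANCM reports as a 500.30 in-process
                // start failure. Secrets are loaded once, hence the restart needed after a
                // new secret version is created.
                config.AddAzureKeyVault(
                    $"https://{vaultName}.vault.azure.net/",
                    keyVaultClient,
                    new DefaultKeyVaultSecretManager());
            })
            .UseStartup<Startup>();
}

public class Startup
{
    private readonly IConfiguration _config;

    public Startup(IConfiguration config) => _config = config;

    public void Configure(IApplicationBuilder app)
    {
        app.Run(async context =>
        {
            // DefaultKeyVaultSecretManager maps a secret called "ConnectionStrings--Db" to the
            // configuration key "ConnectionStrings:Db"; a plain name maps to itself.
            var value = _config["DbPassword"];

            // Show that the secret was loaded without echoing its value to the browser.
            var shown = value == null ? "(not loaded)" : $"loaded, {value.Length} characters";
            await context.Response.WriteAsync($"DbPassword: {shown}{Environment.NewLine}");
        });
    }
}
```

Because the vault is read inside ConfigureAppConfiguration, any failure happens before Startup runs; when chasing a 500.30, check the App Service's Diagnose and solve problems logs or the Kestrel stdout log for the KeyVaultErrorException or the HTTP 403 returned by the vault firewall, rather than looking for an exception in the page code.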