Binding Azure web application settings to key vault
If you've been following this blog, you will remember that I covered how to manage your secrets during development a few weeks back. And it all started with keeping your secrets out of source control as the first precaution.
Now we also want to have a safer process when hosting web applications on Azure, and thus avoid leaking secrets. So let's say I have a typical scenario as shown in the image below where I need to set an important secret.
Storing secrets in the App Settings is already a step in the right direction, but the above password is available to any person in the team who has access to the app configuration. And with bigger teams, it already starts to sound like a bad idea. Which it absolutely is.
The first suggestion you will be given in this case is to move the secret password into an Azure keyvault. And this is where most developers start scratching their head, because to access the keyvault you need a password. And if you have the keyvault password, you can access the hidden secrets within. So we would not have solved the problem in this way, only just made it more annoying.
The answer lies in using managed identities. Let's try it!
Create a Key Vault inside your favourite resource group by clicking the +Add button.
Search for and choose the Key Vault option.
Then click the Create button.
Next, make sure to give your keyvault a nice name that can help you associate the keyvault with its purpose in the future. The region should be in the same region as the application that is going to access the keyvault. What with latency and all. Finally, the pricing tier gives you an option to store the secrets inside the keyvault using Hardware Security Modules. It's a tradeoff between additional peace of mind and costs.
Feel free to take a look at the other settings, but for this tutorial you can jump to Review + create, and then confirm by clicking the Create button. You may particularly want to take a look at the extra security given by the networking option, but that's something for another post.
While the vault is being created, let's go back to the web application settings. Just below the app configuration menu, we have the Identity menu. We want to create a System Assigned Managed Identity, so flip the switch to the on position and save.
You will get a prompt to confirm this. So what are we really doing here? In simple terms, we are creating an identity for the web application. An identity is the Active Directory account that the web app will use to log into the keyvault. And the best part is, the Azure platform will handle the account for us. No one will ever know the login details for the web app to access the key vault. It will just work.
So let's do this and click Yes. The keyvault deployment should be ready by now, so let's go there and click on the access policies menu.
You should now have a + Add Access Policy button. Go on, click it!
This is where we need to give the app access to get secrets from the keyvault.
When it comes to selecting the principal, click on the link that says 'None selected', then search for and select the identity we have just created in the previous step. When searching you can use the app name, or the managed identity's object id.
That's it. All we need is those two values, the secret permission and the principal, and we are good to go.
Once added, we should be able to confirm it looks good right away.
We can move the secret password to the keyvault now. Click on the Secrets menu and + Generate/import.
Then enter the secret.
Once created, you can click on the secret and copy the secret identifier in the details page by clicking on the copy button.
Back in the application settings, replace the previous value with @Microsoft.KeyVault(SecretUri=<secret identifier>). Use the secret identifier you just copied instead of <secret identifier>.
That's it. Once you save your changes, the web app will be restarted. If everything was successful you should see a green checkmark next to the app setting.
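The same steps as the portal walkthrough above, scripted with the Azure CLI. This is an added example and not from the original post; the resource group, app, vault, secret and setting names are assumed placeholders passed as arguments, and it assumes you are already logged in with `az login`.

```shell
#!/bin/sh
# Added example (not from the original post): the portal steps as az CLI calls.
# All resource names are assumed placeholders supplied on the command line.
set -u

# Build the value the app setting must hold for a given secret identifier
# (the full URL copied from the secret's details page).
kv_reference() {
  printf '@Microsoft.KeyVault(SecretUri=%s)' "$1"
}

# Guard against the usual copy mistake: the identifier must be the https URL
# of a *secret* in the vault, not the vault URL or a key/certificate URL.
is_secret_uri() {
  case "$1" in
    https://*.vault.azure.net/secrets/*) return 0 ;;
    *) return 1 ;;
  esac
}

# End-to-end binding. Arguments: resource-group app vault secret-name setting-name.
bind_secret_to_appsetting() {
  rg="$1"; app="$2"; vault="$3"; secret_name="$4"; setting="$5"
  # 1. Vault in the same region as the app (latency, as the post notes); access
  #    policy mode, to match the portal steps above rather than RBAC.
  location=$(az webapp show -g "$rg" -n "$app" --query location -o tsv)
  az keyvault create -g "$rg" -n "$vault" --location "$location" \
    --enable-rbac-authorization false -o none
  # 2. System-assigned managed identity for the web app; keep its object id.
  principal=$(az webapp identity assign -g "$rg" -n "$app" --query principalId -o tsv)
  # 3. Access policy limited to 'get' on secrets: the app needs nothing more.
  az keyvault set-policy -n "$vault" --object-id "$principal" --secret-permissions get -o none
  # 4. Store the secret, read from stdin so the value never lands in shell history.
  secret_id=$(az keyvault secret set --vault-name "$vault" -n "$secret_name" \
    --file /dev/stdin --query id -o tsv)
  is_secret_uri "$secret_id" || { echo "unexpected secret identifier: $secret_id" >&2; return 1; }
  # 5. Point the app setting at the secret instead of storing the value itself.
  az webapp config appsettings set -g "$rg" -n "$app" \
    --settings "$setting=$(kv_reference "$secret_id")" -o none
}

# Runs only when all five names are given, e.g.:
#   printf '%s' "$DB_PASSWORD" | sh bind.sh my-rg my-app my-vault DbPassword DbPassword
if [ "$#" -eq 5 ]; then
  bind_secret_to_appsetting "$@"
fi
```

After the app restarts, the portal still shows the green checkmark (or the resolution error) next to the setting; the CLI only confirms the reference string was stored.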
If there are any issues, check the error to learn what went wrong. It's very easy to forget to save at some point in the process, so if that is the case go back and check that everything is there.
Once the app setting is accepted, also check that whichever secret you moved into the keyvault still works as expected, or your visitors will be disappointed.