How can I have Azure App Service environment variables override key vault secrets?

Question

Hi all;

If I define a string in both the Key Vault and the Azure App Service environment variables, the app will read the Key Vault entry.

Is there a way to have it read the App Service value if set?

thanks - dave

Answer

Hi Dave,

Each environment variable must have a unique name, so either the variable will be sourced from key vault via reference or app service, depending on how you set it. Based on this I'm unsure what you are asking.

You could of course build your own abstraction that would do what you want. For example, you could have code that would check for existence of VARIABLENAME_OVERRIDE and if it exists use that instead of the default behavior.

-TP

Answer

The order of precedence of config providers is the opposite order of adding. That is the last one wins. To control the order, you need to manually add the providers in the order you want rather than the default.

https://learn.microsoft.com/en-us/aspnet/core/fundamentals/configuration/?view=aspnetcore-8.0

Answer

instead of using the default, add the configuration providers in your code.

// defaults
var builder = WebApplication.CreateBuilder(args);

// remove config sources
builder.Configuration.Sources.Clear();

// add config providers in order you want:
builder.Configuration.AddEnvironmentVariables();
...

Share via

How can I have Azure App Service environment variables override key vault secrets?

3 answers