Access Azure Key Vault from Azure Web App where IP changes often because of CI/CD

Huhn, Alexander 95 Reputation points
2023-02-01T17:38:38.3933333+00:00

I have a Docker container that accesses Azure Key Vault. This works when I run it locally.

I set up an Azure Web App to host my container, and it cannot access the Key Vault.


I followed the suggestion from https://www.youtube.com/watch?v=QIXbyInGXd8 and went to the web app in the portal to set the status to on.


Created an access policy,


and then receive the same error with a different IP.


My web app's IP address changes every time an update is made, so are there any suggestions on how to overcome this?


3 answers

  1. Andriy Bilous 10,901 Reputation points MVP
    2023-02-02T11:42:42.9233333+00:00

    Hello @Huhn, Alexander

    The error "Client address is not authorized and caller is not a trusted service in Azure" shows that your client IP address is not authorized.

    In the Azure Key Vault settings you can allow access to the Key Vault from "All networks" instead of "Selected networks":

    Azure > Keyvault > Networking Settings

    If you really need to limit access to the Key Vault to the Azure App Service, integrate the App Service into a virtual network and link the Key Vault using a service endpoint or a private endpoint:
    https://learn.microsoft.com/en-us/azure/key-vault/general/private-link-service?tabs=portal
    https://learn.microsoft.com/en-us/azure/key-vault/general/overview-vnet-service-endpoints

    https://stackoverflow.com/questions/52985252/client-address-is-not-authorized-and-caller-is-not-a-trusted-service-in-azure


  2. SnehaAgrawal-MSFT 18,286 Reputation points
    2023-02-02T15:16:29.0033333+00:00

    You can grant access to trusted Azure services by configuring networking settings. For step-by-step guidance, see the networking configuration options of this article.

    When you grant access to trusted Azure services, you grant the following types of access:

    • Trusted access for select operations to resources that are registered in your subscription.
    • Trusted access to resources based on a managed identity.
    • Trusted access across tenants using a Federated Identity Credential.

    See here: step-by-step instructions to configure the Key Vault firewall and virtual networks by using the Azure portal, Azure CLI and Azure PowerShell.

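Both answers above point at the same remedy: instead of maintaining a list of the web app's outbound IPs (which change on every deployment), put the App Service on a VNet-integrated subnet, let the vault accept that subnet through a virtual network rule, keep the trusted-services bypass, and authenticate with a managed identity. The Bicep template below is an added example, not code from this thread or from Microsoft; the resource names, address ranges, API versions and the pre-existing App Service plan passed in as `planId` are assumptions.

```bicep
// Added example, not from the thread: lock Key Vault to the App Service's VNet-integrated
// subnet instead of whitelisting outbound IPs. Names, ranges and API versions are assumed.
param location string = resourceGroup().location
param planId string           // existing App Service plan (Basic tier or higher) - assumed
param vaultName string        // globally unique Key Vault name - assumed

resource vnet 'Microsoft.Network/virtualNetworks@2022-07-01' = {
  name: 'vnet-app'
  location: location
  properties: { addressSpace: { addressPrefixes: [ '10.0.0.0/16' ] } }
}

resource subnet 'Microsoft.Network/virtualNetworks/subnets@2022-07-01' = {
  parent: vnet
  name: 'snet-appsvc'
  properties: {
    addressPrefix: '10.0.1.0/24'
    // the service endpoint makes Key Vault see the caller as this subnet, not a public IP
    serviceEndpoints: [ { service: 'Microsoft.KeyVault' } ]
    // regional VNet integration requires the subnet to be delegated to App Service
    delegations: [ { name: 'appsvc', properties: { serviceName: 'Microsoft.Web/serverFarms' } } ]
  }
}

resource app 'Microsoft.Web/sites@2022-03-01' = {
  name: 'app-example'                  // assumed; must be globally unique
  location: location
  identity: { type: 'SystemAssigned' } // the container authenticates to Key Vault without a secret
  properties: {
    serverFarmId: planId
    virtualNetworkSubnetId: subnet.id
    siteConfig: { vnetRouteAllEnabled: true } // route all outbound traffic through the VNet
  }
}

resource kv 'Microsoft.KeyVault/vaults@2022-07-01' = {
  name: vaultName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    accessPolicies: [ { tenantId: subscription().tenantId, objectId: app.identity.principalId, permissions: { secrets: [ 'get', 'list' ] } } ]
    networkAcls: {
      defaultAction: 'Deny'    // "Selected networks": anything not listed below is refused
      bypass: 'AzureServices'  // trusted Microsoft services may still reach the vault
      ipRules: []              // no outbound-IP list to update after each deployment
      virtualNetworkRules: [ { id: subnet.id } ]
    }
  }
}
```

Deploy it with `az deployment group create -g <resource-group> -f kv-vnet.bicep -p planId=<plan resource id> vaultName=<name>`; the vault then refuses the public outbound IPs the question shows while accepting the app through the subnet rule.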

  3. Huhn, Alexander 95 Reputation points
    2023-02-06T13:43:03.31+00:00

    While working through this issue, I determined that 5 specific IP addresses were being used while the final product was launched.

    I whitelisted these 5 addresses, and it fixed the issue.
