Why does my Web App Service not use its User Assigned Managed Identity but the System Assigned one when resolving Key Vault references in app settings?

Jan Kowalik 60 Reputation points
2023-09-13T10:07:22.27+00:00

My web app service has a system-assigned identity and a user-assigned identity. The user-assigned one has the Key Vault Secrets User role so that the service can resolve Key Vault references in its app settings.

It does not work. After battling with it and researching endless docs, I cannot find the reason. From the Key Vault logs I see that the web app service uses the system-assigned managed identity to access the key vault and resolve the references.

How can I make it use the managed identity or claim both? How do I choose the right identity for each use? Do I have to choose? Can't it just claim both?

Thanks in advance.


Accepted answer

Ben Gimblett 2,190 Reputation points Microsoft Employee
2023-09-14T11:26:38.4833333+00:00

Hi @Jan Kowalik

App Service Key Vault Refs

By default, the App Service will use the system-assigned managed identity. If you create a user-assigned MSI, you need to instruct App Service to use that instead; see here: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#access-vaults-with-a-user-assigned-identity


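The switch the accepted answer points to is the app's `keyVaultReferenceIdentity` property, which must hold the full resource ID of the user-assigned identity (not its client ID or principal ID). The script below is an added example, not code from the original thread or from Microsoft's documentation; it assumes a logged-in Azure CLI and takes the resource group, app name and identity name as placeholder arguments. It validates the identity ID and the reference syntax locally, then makes the change and reads it back so a wrong value does not go unnoticed.

```shell
#!/usr/bin/env bash
# Added example (not from the original Q&A): switch an App Service from its
# default system-assigned identity to a user-assigned identity for resolving
# @Microsoft.KeyVault(...) app-setting references, then verify the change.
# Assumptions: az CLI is installed and logged in; all names are placeholders
# supplied on the command line.

set -eu

# keyVaultReferenceIdentity only accepts the *resource ID* of the user-assigned
# identity. A GUID (client ID or principal ID) is a common mistake and leaves
# the app silently on the system-assigned identity. Returns 0 for a valid shape.
is_user_assigned_identity_id() {
  id=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$id" in
    /subscriptions/*/resourcegroups/*/providers/microsoft.managedidentity/userassignedidentities/*) return 0 ;;
    *) return 1 ;;
  esac
}

# App Service only resolves a reference written in one of the two documented
# forms; anything else is stored as a literal string and the app reads the
# placeholder text instead of the secret. Returns 0 for a well-formed reference.
is_key_vault_reference() {
  case "$1" in
    "@Microsoft.KeyVault(SecretUri=https://"*) return 0 ;;
    "@Microsoft.KeyVault(VaultName="*";SecretName="*) return 0 ;;
    *) return 1 ;;
  esac
}

# Point the app at the user-assigned identity for Key Vault references.
# $1 = resource group, $2 = web app name, $3 = user-assigned identity name.
configure_kv_reference_identity() {
  rg=$1; app=$2; uami=$3

  identity_id=$(az identity show --resource-group "$rg" --name "$uami" --query id -o tsv)
  is_user_assigned_identity_id "$identity_id" || {
    echo "unexpected identity resource id: $identity_id" >&2
    return 1
  }

  # Assigning the identity to the app is idempotent; it is a prerequisite for
  # the reference-identity setting to work.
  az webapp identity assign --resource-group "$rg" --name "$app" \
    --identities "$identity_id" >/dev/null

  # This is the setting the system-assigned default hides.
  az webapp update --resource-group "$rg" --name "$app" \
    --set keyVaultReferenceIdentity="$identity_id" >/dev/null

  # Read back and compare rather than trusting the update succeeded.
  current=$(az webapp show --resource-group "$rg" --name "$app" \
    --query keyVaultReferenceIdentity -o tsv)
  if [ "$current" != "$identity_id" ]; then
    echo "keyVaultReferenceIdentity is '$current', expected '$identity_id'" >&2
    return 1
  fi
  echo "App '$app' now resolves Key Vault references with identity '$uami'"
}

# Only act when the three placeholder arguments are supplied, so the helper
# functions can be sourced or tested without calling Azure.
if [ "$#" -eq 3 ]; then
  configure_kv_reference_identity "$1" "$2" "$3"
fi
```

Run it as `./kv-ref-identity.sh <resource-group> <app-name> <identity-name>`. After the change, the Key Vault audit logs the question mentions should show the user-assigned identity's object ID as the caller; if they still show the system-assigned identity, the reference has not been re-resolved yet, and the Key Vault Secrets User role still has to be held by the identity you switched to.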