Why does not my Web App Service use its User Assigned Managed Identity but the System Assigned one when resolving Key Vault references in app settings?

Jan Kowalik 60 Reputation points

My web app service has a system assigned identity and a user assigned identity. The user assigned one has a key vault secret user role for the service to be able to resolve key vault references in its appsettings.

It does not work. After battling with it and researching endless docs, I can not find the reason. From KeyVault logs I see that the web app service uses the system assigned managed identity to access the key vault and resolve the references.

How can I make it use the managed identity or claim both? How do I choose the right identity for each use? Do I have to choose? Can't it just claim both?

Thanks in advance.

Azure App Service
Azure App Service
Azure App Service is a service used to create and deploy scalable, mission-critical web apps.
5,629 questions
0 comments No comments
{count} votes

Accepted answer
  1. Ben Gimblett 2,190 Reputation points Microsoft Employee

    Hi @Jan Kowalik

    App Service Key Vault Refs

    By default the App Service will use the system assigned managed identity - if you create a user assigned MSI you need to instruct app service to use that instead, see here https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#access-vaults-with-a-user-assigned-identity

0 additional answers

Sort by: Most helpful