How to setup a Web App with a Docker Compose file and safely use secrets from the Azure key vault.

Question

How to setup a Web App with a Docker Compose file and safely use secrets from the Azure key vault.

Staffan Hedström 25

Hello!

I want to create an Azure Web App with a docker compose file.

The compose file will at least contain a database (mssql) and an ASP.NET app.

The compose file will look something like

version: '3.4'
services:
  db:
    image: mcr.microsoft.com/mssql/server
    environment:
      DB_USER: ${DB_USER}
      DB_PASSWORD: ${DB_PASSWORD}
  api:
    image: myacr-image
    depends_on:
      - db

I am wondering how I can safely set this up and import db_user and db_password from an azure key vault into this docker compose file.

Note: This would be part of our dev environment so we are ok with having the database as docker image here.

Thanks!

Accepted answer

0 additional answers

Your answer

Answer 1

Boris Von Dahle 3,221

Hello,

For your Web App to safely use secret from the key vault, you will need to use a managed identity.

After enabling the managed identity, you'll need to give this identity the necessary permissions on the key vault to get the secrets .

Instead of pulling them from environment variables as is standard in many Docker setups, you should modify your application code to fetch these credentials directly from the Key Vault at runtime using Azure's SDKs, which provide methods to interact with the Key Vault.

Since your application now gets these values from the Key Vault, there's no need to mention them in the Docker Compose file, enhancing your app's security.

Hope this helps

If you found this answer helpful, please consider marking it as accepted so that other users can easily find this topic.

Regards

Staffan Hedström 25 Reputation points

2023-11-14T13:07:13.7333333+00:00
Hi!

Thanks for the great reply.

In the Docker Compose file, for a mssql database from the mcr.microsoft.com/mssql/server image it is a requirement to have the password MSSQL_SA_PASSWORD as an input parameter.

I would gladly load this password from a key vault if possible. Is that possible? If so, how?

Would something like this be possible?

version: '3.4' services: db: image: mcr.microsoft.com/mssql/server environment: ACCEPT_EULA: Y MSSQL_SA_PASSWORD: @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/DB_PASSWORD/) api: image: myacr-image depends_on: - db

Best regards
Boris Von Dahle 3,221 Reputation points

2023-11-15T06:52:44.3766667+00:00
Hello,

In that case, you could use scripting to fetch the secret and export it as environment variable :

az login # Fetch the secret from Azure Key Vault $secret = az keyvault secret show --name DB_PASSWORD --vault-name myvault --query value -o tsv # Set the secret as an environment variable [Environment]::SetEnvironmentVariable("MSSQL_SA_PASSWORD", $secret, "User")

Do not forget to run the fetch secret script before starting the docker-compose to ensure the variable is set.

Regards
Boris Von Dahle 3,221 Reputation points

2023-11-15T07:01:21.9666667+00:00
Hello,

You could use scripting to retrieve the secret from the key vault ad export it to an environment variable like this :

az login # Fetch the secret from Azure Key Vault $secret = az keyvault secret show --name DB_PASSWORD --vault-name myvault --query value -o tsv # Set the secret as an environment variable [Environment]::SetEnvironmentVariable("MSSQL_SA_PASSWORD", $secret, "User")

Then, do not forget to run the script before starting the docker-compose to ensure that the variable is set.

This avoid hadcoded data in the docker file and get the secret securely at runtime.

Remember to handle the security context and permissions carefully especially if using CI/CD pipelines or in production.

Hope this helps. If it did please mark the answer above as accepted so others with same questions can find this topic.

Have a nice day
Staffan Hedström 25 Reputation points

2023-11-16T09:48:16.03+00:00

Right, but how do I do something like that in the the Azure Web App setup?

Would I go through the setup. Input the Docker Compose file that has ${...} references to the expected environment variables and then set them up in the Web App under the Configuration section?
Boris Von Dahle 3,221 Reputation points

2023-11-16T12:06:34.8733333+00:00

Yes exactly.

Under configuration, add an application setting with the name MSSQL_SA_PASSWORD and set its value to the actual password you want to use.

These settings will be available as environment variables to your application.

The Docker Compose engine will replace ${MSSQL_SA_PASSWORD} with the actual password you've set in the application settings. This value can be fetched from Azure Key Vault manually, or you can automate this using Azure Key Vault references or Azure DevOps pipelines.

For the Azure Key vault reference you can set it up like you mention earlier if your plan support it : @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/DB_PASSWORD/)

Regards

Share via

How to setup a Web App with a Docker Compose file and safely use secrets from the Azure key vault.

0 additional answers

Your answer