Cannot communicate with Key Vault from Static Web App

Question

Cannot communicate with Key Vault from Static Web App

dotnet_guy 15

Hello,

We currently have a static web app using a private endpoint and have an app setting with the recommended KV setting, but get an error message

'Client address is not authorized and caller is not a trusted service...'

And the IP address is not related to private endpoint in static web app. Is there a secure way for static web app to talk to KV? We are using Standard tier.

I am using the client_id and secret from Azure app registration in the staticwebapp.config.json auth{} section for authenticating swa using Entra.
https://learn.microsoft.com/en-us/azure/static-web-apps/authentication-custom?tabs=aad%2Cinvitations#microsoft-entra-version-2

And if I directly use the id and secret in the app_setting on Azure, swa works but not with KV reference
https://learn.microsoft.com/en-us/azure/static-web-apps/key-vault-secrets

Please let me know if I am missing something. I see a few issues in SWA GitHub, not sure if this is still an issue

Obinna Ejidike 2,455 Reputation points

2025-07-01T08:01:55.1033333+00:00

Hi dotnet_guy

Thanks for using the Q&A platform.

The error suggests that your client IP address is not authorized. This typically happens because you’re attempting to access Key Vault via its public endpoint, which is likely blocked by a firewall, or Azure services like Static Web Apps are not included in the “trusted services” list.

To try isolating the issue, kindly update your settings to VNet integrations and grant access to traffic from specific Azure virtual networks and public internet IP address ranges.

Kindly find: https://learn.microsoft.com/en-us/azure/key-vault/general/network-security

Also, you’re currently using auth{} with client ID/secret, which doesn't align with the Static Web App's managed identity Key Vault integration https://learn.microsoft.com/en-us/azure/static-web-apps/key-vault-secrets

I will recommend using a system-assigned identity in your static web app and ensuring you grant all required access.

If the response was helpful, please feel free to mark it as “Accepted Answer” and consider giving it an upvote. This also benefits others in the community.

Regards,

Obinna.
dotnet_guy 15 Reputation points

2025-07-01T12:54:06.9733333+00:00

Hello,

We have added the pe in Networking and looks like the incoming IP is public and I think there are a set of IP ranges for swa and giving access to any public IP or IP range is not very secure.

We are currently using system assigned identity on swa and added KV policy as well from the article

1 answer

Your answer

Obinna Ejidike 2,455 Reputation points

2025-07-01T08:01:55.1033333+00:00

Hi dotnet_guy

Thanks for using the Q&A platform.

The error suggests that your client IP address is not authorized. This typically happens because you’re attempting to access Key Vault via its public endpoint, which is likely blocked by a firewall, or Azure services like Static Web Apps are not included in the “trusted services” list.

To try isolating the issue, kindly update your settings to VNet integrations and grant access to traffic from specific Azure virtual networks and public internet IP address ranges.

Kindly find: https://learn.microsoft.com/en-us/azure/key-vault/general/network-security

Also, you’re currently using auth{} with client ID/secret, which doesn't align with the Static Web App's managed identity Key Vault integration https://learn.microsoft.com/en-us/azure/static-web-apps/key-vault-secrets

I will recommend using a system-assigned identity in your static web app and ensuring you grant all required access.

If the response was helpful, please feel free to mark it as “Accepted Answer” and consider giving it an upvote. This also benefits others in the community.

Regards,

Obinna.
dotnet_guy 15 Reputation points

2025-07-01T12:54:06.9733333+00:00

Hello,

We have added the pe in Networking and looks like the incoming IP is public and I think there are a set of IP ranges for swa and giving access to any public IP or IP range is not very secure.

We are currently using system assigned identity on swa and added KV policy as well from the article

Answer 1

Hello dotnet_guy

Unfortunately, static web apps do not support the vNet integration feature, so all traffic from your static web app is going via the internet.

Private endpoints are for inbound traffic to the static web app, so by enabling private endpoints, you allow resources on your vNet to be able to talk to your static web app; this does not allow for the opposite, for your static web app to talk to resources on the vNet.

This explains why I suggested using a selected virtual network on the key vault, which would allow you to specify IP ranges that need to securely connect to the Azure Key Vault.

You can mark it 'Accept Answer' and 'Upvote' if this helped you.

Regards,

Obinna.

Share via

Cannot communicate with Key Vault from Static Web App

1 answer

Your answer