Webapp configuration: how to provide reference to key stored in a keyVault

Vincent Coucharriere 1 Reputation point
2022-06-15T14:44:04.747+00:00

Hi,

In an Azure web app conf, I succeeded in providing a reference to a secret from a KeyVault
Example :
@Microsoft.KeyVault(SecretUri=https://...mykeyvault.vault.azure.net/secrets/MYSECRETNAME/ff7779aef85b46e2xxxxxxxxxxxx)

But I failed to do the same for a key (and not a secret)
Example :
@Microsoft.KeyVault(SecretUri=https://...mykeyvault.vault.azure.net/keys/TESTMYKEY/1080820e517747629ce1xxxxxxxxx)
It does not work !

Error msg : Key Vault Reference Details

Vault Name
...mydevkeyvault

Secret Name
TESTMYKEY

Secret Version
1080820e517747629ce1b96e3a0a6d42

Identity
System assigned managed identity

Status
SecretNotFound

Error Details
Key Vault reference was not able to be resolved because Key Vault reference contains invalid Key Vault secret name that can't be found.

Access policies are set to allow "Get" access.

Could you please help me to figure out what is wrong and how to fix it ?
In advance, thx for your help,
Regards


2 answers

  1. Udaiappa Ramachandran 726 Reputation points MVP
    2022-06-16T01:49:47.52+00:00

    Hello @Vincent Coucharriere
    Please make sure to follow the steps below (total of 8 steps)

    1. Enable Identity from your Azure Web App, and copy the value of the identity, you need this in step#3
    2. Go to the Key vault and create a secret with value
    3. From the key vault, click "Access Policies", "Add Access Policy", then select at least "Get" from the secret permissions
    4. From the Select principal click "none selected" from the search box paste the GUID copied from step #1 then select and then Add
    5. Make sure to click "Save", lots of people miss this step
    6. go to your web app and add the app settings key
    7. From step #3, if you granted "List" permission then you don't need to provide the version part; it can be something like @Microsoft.KeyVault(SecretUri=https://[KVNAME].vault.azure.net/secrets/[SECRETNAME]), please note no version is here. In this case, it will always use the latest version, which is preferred if you change the value frequently
    1 person found this answer helpful.

  2. Ryan Hill 25,981 Reputation points Microsoft Employee
    2022-06-15T20:53:23.607+00:00

    You can use @Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret) syntax. I did run into a similar issue but instead of the secret, the vault name wasn't resolved. However, deleting the access policy and recreating it resolved the issue for me. Try that and let me know if that works.

    ---
    EDIT: 2022 Jun 6 For keys, I couldn't find any supported syntax for retrieving keys. In order to retrieve keys in your app, you still need to have the access policies but you would need to use the Azure SDK on whatever platform your app is running. For example, you could have https://<vault-name>.vault.azure.net be an Application Setting and if your app was .NET:

       using Azure.Identity;
       using Azure.Security.KeyVault.Keys;

       // App setting holding the vault URL, e.g. https://<vault-name>.vault.azure.net
       var keyVaultEndPoint = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
       // DefaultAzureCredential picks up the web app's system-assigned managed identity
       var client = new KeyClient(new Uri(keyVaultEndPoint), new DefaultAzureCredential());
       KeyVaultKey key = await client.GetKeyAsync("ExampleKey");
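
    As an added example (not code from either answer), a small Python check that parses both reference syntaxes discussed on this page and flags a /keys/ (or /certificates/) URI before it is deployed, since the App Service reference provider only resolves objects under /secrets/ and otherwise fails with SecretNotFound as in the question. The setting names and URIs are constructed.

    ```python
    import re
    from urllib.parse import urlparse

    # Outer shape shared by both syntaxes: @Microsoft.KeyVault(<body>)
    _REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.+)\)$")


    def parse_keyvault_reference(value: str) -> dict:
        """Return {'vault', 'secret', 'version'} for a resolvable reference.

        Raises ValueError when the string is not a reference, is malformed,
        or points at an object type the reference provider cannot resolve.
        """
        m = _REF.match(value.strip())
        if not m:
            raise ValueError("not a Key Vault reference")
        parts = dict(p.split("=", 1) for p in m.group("body").split(";") if "=" in p)

        if "SecretUri" in parts:
            u = urlparse(parts["SecretUri"])
            segs = [s for s in u.path.split("/") if s]
            if u.scheme != "https" or not u.hostname or len(segs) < 2:
                raise ValueError("malformed SecretUri")
            kind, name, *rest = segs
            if kind != "secrets":
                # e.g. /keys/TESTMYKEY/<version> -> resolver reports SecretNotFound
                raise ValueError(f"'{kind}' objects cannot be referenced; only secrets are supported")
            return {"vault": u.hostname.split(".")[0], "secret": name,
                    "version": rest[0] if rest else None}

        if "VaultName" in parts and "SecretName" in parts:
            return {"vault": parts["VaultName"], "secret": parts["SecretName"],
                    "version": parts.get("SecretVersion")}

        raise ValueError("reference needs SecretUri or VaultName+SecretName")


    def audit_app_settings(settings: dict) -> dict:
        """Map each app setting that is a Key Vault reference to None (resolvable)
        or the reason it will fail; plain values are skipped."""
        report = {}
        for name, value in settings.items():
            if not value.startswith("@Microsoft.KeyVault("):
                continue
            try:
                parse_keyvault_reference(value)
                report[name] = None
            except ValueError as exc:
                report[name] = str(exc)
        return report
    ```
    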