How to reference Key Vault connection strings from an Azure App Service

If a connection string is defined in our appsettings.json file, an App Service can override it with a value held in Azure Key Vault, without any change to our code: the app keeps reading its connection string from configuration, and App Service resolves the Key Vault reference before the app starts. The secret value itself never has to be stored in the App Service configuration or in source control.

This is pretty cool and the steps below show how it's done…

Create a Managed Identity for your App Service so Key Vault can grant access

In order to read secrets from a Key Vault the App Service needs an identity that the vault can grant permissions to. The first step is to create a Managed Identity.

A Managed Identity is an Azure AD identity attached to an Azure resource. Azure manages its credential, so there is no client secret or certificate for us to store, rotate or leak; other resources (here, Key Vault) simply grant access to that identity.

To create a Managed Identity go to your App Service and open the identity page and turn the Status button On as shown below…

How to add a Managed Identity for an App Service

Copy the Object ID (also called the principal ID) which has appeared on the page, we'll need this for the next step.

Note… there are two types of Managed Identity: system assigned and user assigned. When this was written only system assigned identities could be used for Key Vault references; App Service now also supports a user assigned identity for this (set as the app's keyVaultReferenceIdentity), which is handy when several apps should share one identity and one access policy.

Add a Key Vault Access Policy for your App Service Identity

Next we need to go to our Key Vault and grant the identity we just created permission to read secrets. Key Vault's secret permissions are Get (read one secret's value), List, Set, Delete and so on; a Key Vault reference only needs Get.

First go to the Access policies page in your Key Vault and click '+ Add Access Policy' as shown below… (If your vault uses the Azure role-based access control permission model instead of access policies, assign the identity the Key Vault Secrets User role on the vault; the access policies tab will not be available.)

Key Vault Access Policies page

… then add the policy as shown below. Connection strings are stored as secrets and we only need to read them, so set a single permission: Get under Secret permissions, and nothing under Key or Certificate permissions. Bear in mind that Get applies to every secret in the vault, not just this one, so a vault shared by many apps lets each app read the others' secrets; a vault per app (or per environment) keeps the blast radius small.

In the Select principal field, select your app (the easiest way is to just paste in the Object ID from the previous step).

Adding a key Vault Access Policy

After you add the policy you will be brought back to the main Access policies page and should see your App Service listed under ‘Current Access Policies’.

Add the connection string as a secret to your Key Vault

Now we move onto actually adding the connection string to the key vault. You’ve probably already done this so skip ahead if you have.

First add the connection string as shown below. The Value of the secret will be your connection string.

Add a secret

Then, after it's created, open the current version of your secret (there will only be one, as you've just created it) and copy the Secret Identifier URL. We will use this in the next step.

Get secret reference

Add a reference to the secret from App Service connection strings configuration

The final step is to add a new connection string from the Configuration page of our App Service. Connection strings defined here override those of the same name in the appsettings.json file: App Service exposes them to the process as environment variables prefixed by type (for example SQLAZURECONNSTR_AdventureWorks for the SQLAzure type), and the ASP.NET Core configuration provider maps those back onto ConnectionStrings:AdventureWorks, which is why no code change is needed.

When using a Key Vault reference the syntax is:

@Microsoft.KeyVault(SecretUri=https://KEYVAULTNAME.vault.azure.net/secrets/SECRETNAME/SECRETVERSION)

An equivalent form names the vault and secret separately:

@Microsoft.KeyVault(VaultName=KEYVAULTNAME;SecretName=SECRETNAME;SecretVersion=SECRETVERSION)

The secret version is optional in both forms. If you leave it out, App Service resolves the current version; because the resolved value is cached, a newer version is picked up within about a day of a change, or straight away after the app is restarted. Remember… every time you change the value of a secret Azure creates a new version, so a reference pinned to a specific version keeps returning the old value after a rotation until you update the reference. Pin a version only if that is the behaviour you want.

When on the App Service -> Settings -> Configuration screen click ‘New connection string‘ and a popup similar to below will show. In this example I’m referencing a specific version of the secret created above (DavidsDB) and I’m setting the name of the connection string to be AdventureWorks as this is what my app references in its Startup.cs file.

After you’ve added the connection string you should see it listed in the connection strings section…

Connection String listing

If the reference resolved you'll see a green check mark in the Source column. A red cross means App Service could not read the secret: revisit the Key Vault access policy step above (the identity needs Get on secrets in this vault), check that the secret URI is spelled correctly, and if the vault has a firewall enabled make sure it allows the App Service to reach it.

Finally… test the new connection

Now visit your App Service to test the new connection. If the connection string in appsettings.json and the one in Key Vault are identical, a working page proves nothing, so temporarily change the Key Vault value to point at a non-existent server (this creates a new secret version; if your reference is pinned to a version, update it to the new one), restart the app and confirm that it now fails. That shows the app really is reading from the vault. Then put the real value back.
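The whole procedure above, from identity to verification, as an Azure CLI script. This is an added example and not part of the original post: the resource names (my-resource-group, my-app-service, my-key-vault), the ARM endpoint used to read the reference status and its api-version are assumptions, and the script has to be run by someone with Contributor rights on the app and the vault. The kv_ref and kv_ref_parse helpers build and check the reference syntax offline; only provision talks to Azure.

```shell
#!/bin/sh
# Added example: the Key Vault connection-string setup above, done with the Azure CLI.
# Resource names are placeholders (assumed); override them in the environment, then run:
#   RG=myrg APP=myapp KV=myvault sh kv-connstr.sh run
set -eu

RG=${RG:-my-resource-group}
APP=${APP:-my-app-service}
KV=${KV:-my-key-vault}
SECRET=${SECRET:-DavidsDB}                       # secret name in the vault
CONN_NAME=${CONN_NAME:-AdventureWorks}           # name the app reads under ConnectionStrings
CONN_TYPE=${CONN_TYPE:-SQLAzure}                 # the Type drop-down in the portal
KV_DNS_SUFFIX=${KV_DNS_SUFFIX:-vault.azure.net}  # public cloud; sovereign clouds differ

# Build the reference App Service expects: kv_ref VAULT SECRET [VERSION].
# Leaving VERSION out lets a rotated secret be picked up without a config change.
kv_ref() {
  if [ -n "${3:-}" ]; then
    printf '@Microsoft.KeyVault(SecretUri=https://%s.%s/secrets/%s/%s)' "$1" "$KV_DNS_SUFFIX" "$2" "$3"
  else
    printf '@Microsoft.KeyVault(SecretUri=https://%s.%s/secrets/%s)' "$1" "$KV_DNS_SUFFIX" "$2"
  fi
}

# Parse a SecretUri-style reference and print "vault secret version" ("latest" if unpinned).
# Returns 1 for anything that is not a reference into a real Key Vault host, e.g. a
# connection string that was pasted in as plain text, or a URI pointing somewhere else.
kv_ref_parse() {
  prefix='@Microsoft.KeyVault(SecretUri='; suffix=')'
  uri=${1#"$prefix"}
  [ "$uri" != "$1" ] || return 1
  uri=${uri%"$suffix"}
  host=${uri#https://}; host=${host%%/*}
  case $host in *."$KV_DNS_SUFFIX") ;; *) return 1 ;; esac
  rest=${uri#https://*/secrets/}
  [ "$rest" != "$uri" ] || return 1
  secret=${rest%%/*}
  version=${rest#"$secret"}; version=${version#/}
  printf '%s %s %s\n' "${host%."$KV_DNS_SUFFIX"}" "$secret" "${version:-latest}"
}

provision() {
  # 1. System-assigned managed identity; the principal (object) id is what the vault grants to.
  pid=$(az webapp identity assign -g "$RG" -n "$APP" --query principalId -o tsv)

  # 2. Least privilege is a single Get on secrets. It still covers every secret in this
  #    vault, so keep one vault per app and environment.
  az keyvault set-policy -n "$KV" --object-id "$pid" --secret-permissions get >/dev/null
  # Vaults using the Azure RBAC permission model take a role assignment instead:
  #   az role assignment create --assignee-object-id "$pid" --assignee-principal-type ServicePrincipal \
  #     --role "Key Vault Secrets User" --scope "$(az keyvault show -n "$KV" --query id -o tsv)"

  # 3. The secret itself, read from the terminal so the value never lands in shell history.
  printf 'Connection string to store in %s/%s: ' "$KV" "$SECRET"
  stty -echo 2>/dev/null || :; read -r conn; stty echo 2>/dev/null || :; echo
  az keyvault secret set --vault-name "$KV" -n "$SECRET" --value "$conn" --query id -o tsv

  # 4. The App Service setting holds only the reference, never the value.
  az webapp config connection-string set -g "$RG" -n "$APP" \
    --connection-string-type "$CONN_TYPE" \
    --settings "$CONN_NAME=$(kv_ref "$KV" "$SECRET")" >/dev/null

  # 5. The resolution status the portal shows as a green check / red cross, via the ARM
  #    REST API (path and api-version assumed from the Microsoft.Web reference).
  sub=$(az account show --query id -o tsv)
  az rest --method get \
    --url "/subscriptions/$sub/resourceGroups/$RG/providers/Microsoft.Web/sites/$APP/config/configreferences/connectionstrings?api-version=2022-03-01" \
    --query 'value[].{name:name, status:properties.status, details:properties.details}' -o table
}

# 'run' provisions; with no argument the file only defines the helpers above.
case ${1:-} in run) provision ;; esac
```

kv_ref_parse is the check worth running over the output of az webapp config connection-string list before a deployment: a value that does not parse is a connection string stored in plain text rather than a reference, and a third field other than latest is a pinned version that will not follow a rotation.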

Viewing Azure App Service web server and application logs in real time on the Azure Portal

The ability to view application and web server logs in real time for an App Service in the Azure portal is a really sweet feature. I find it very helpful for debugging and it’s really easy to use too.

First make sure you have logging enabled

Enable logging for an Azure App Service

and then visit the Monitoring -> Log stream page as shown below.

Azure App Service Log Streaming

Give it a second or two to connect and then visit a few of your App Service pages and you should see entries start to appear.

The application logs appear straight away, however the server logs can often take 30-60 seconds to appear, so not quite real time but this could be related to the fact I’m on the free tier.

Unfortunately the radio buttons at the top of the page to filter by application logs or web server logs don’t appear to be working and everything just appears together when ‘Application logs’ is selected and both forms of logging are enabled. This is no big deal and I’m sure this will be fixed soon, in the meantime you can always temporarily turn off one form of logging to display only the other while debugging.

Override appsettings.json connection strings by setting them directly in the portal when using Azure App Service

If an app you're going to deploy as an App Service in Azure has a connection string defined in appsettings.json like the one below…

appsettings.json

and you want to override this value when you deploy to Azure, you can do this easily from the Configuration section of your App Service in the Azure portal, as seen below.

Make sure the name matches the name of the connection string in your appsettings.json file and that the Type matches your provider (the type selects the environment-variable prefix App Service uses, e.g. SQLAZURECONNSTR_). Don't forget to save afterwards; saving the configuration restarts the app.

Adding connection strings in App Service configuration settings

How to download Azure App Service web server and application log files direct from the Azure portal

If you want to download your App Service web server and application log files from the Azure portal you can do this using the Kudu console (the app's SCM site). Keep in mind that whoever can open Kudu can read and write the whole of the app's file system and inspect its running processes, so access to it should be restricted to the same people you would trust with the app itself.

To open the Kudu console go to your App Service and click on the Development Tools -> Advanced Tools link as shown below…

Open Kudu

In Kudu click Debug console -> CMD and then, using the folder view at the top of the page, navigate to the LogFiles folder. From here you'll see a number of log folders, including Application and http (the web server logs, written in W3C extended format).

Download logs from Kudu

Turning on logging for your App Service

If there are no logs in the log folders you might not have logging turned on, or it might be writing to blob storage rather than the file system. To fix this go to the App Service logs page of your App Service and turn on the logging you desire as shown below… Note that file-system application logging turns itself off again after 12 hours, so it needs to be switched back on for each debugging session.

How to enable App Service Logging
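The three logging tasks above (turning logging on, streaming it, and downloading the LogFiles tree) as an Azure CLI script, plus a scan of the downloaded web server logs for failed requests. This is an added example, not code from the original posts: the resource names are placeholders, the unzip tool is assumed to be installed, and the sample W3C log lines are constructed to match the field layout App Service writes under LogFiles/http/RawLogs rather than taken from real traffic.

```shell
#!/bin/sh
# Added example (not from the original posts): enable, stream and download App Service logs
# with the Azure CLI, then scan the downloaded web server (W3C) logs for failed requests.
# RG/APP are placeholders. Usage:  RG=myrg APP=myapp sh applogs.sh enable|tail [provider]|download [zip]
set -eu

RG=${RG:-my-resource-group}
APP=${APP:-my-app-service}

# Same switches as the portal's "App Service logs" page. File-system application logging
# is meant for short debugging sessions and switches itself off again after 12 hours.
enable_logs() {
  az webapp log config -g "$RG" -n "$APP" \
    --application-logging filesystem --level information \
    --web-server-logging filesystem \
    --detailed-error-messages true --failed-request-tracing true
}

# Live stream, the CLI equivalent of Monitoring -> Log stream. The optional provider
# argument (application or http) is the filter the portal's radio buttons should apply.
tail_logs() {
  if [ -n "${1:-}" ]; then
    az webapp log tail -g "$RG" -n "$APP" --provider "$1"
  else
    az webapp log tail -g "$RG" -n "$APP"
  fi
}

# Pull the whole LogFiles tree (what the Kudu Debug console shows) as a zip.
download_logs() {
  az webapp log download -g "$RG" -n "$APP" --log-file "${1:-webapp_logs.zip}"
}

# Count server-side failures (sc-status >= 500) in W3C-format web server logs on stdin.
# The column is located from the '#Fields:' header rather than hard-coded, so a changed
# field list does not silently count the wrong column.
count_5xx() {
  awk '
    /^#Fields:/ { col = 0; for (i = 2; i <= NF; i++) if ($i == "sc-status") col = i - 1; next }
    /^#/        { next }
    col && $col >= 500 { n++ }
    END         { print n + 0 }'
}

# List method, path and status of every 5xx so the failing endpoint is obvious.
list_5xx() {
  awk '
    /^#Fields:/ { for (i = 2; i <= NF; i++) f[$i] = i - 1; next }
    /^#/        { next }
    f["sc-status"] && $f["sc-status"] >= 500 { print $f["cs-method"], $f["cs-uri-stem"], $f["sc-status"] }'
}

# Constructed sample in the layout App Service writes under LogFiles/http/RawLogs; not a real log.
SAMPLE_HTTP_LOG='#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-sitename cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Cookie) cs(Referer) cs-host sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken
2024-05-01 10:00:01 MYAPP GET / - 443 - 203.0.113.5 Mozilla/5.0+(X11) - - myapp.azurewebsites.net 200 0 0 1234 456 87
2024-05-01 10:00:02 MYAPP GET /api/orders - 443 - 203.0.113.5 Mozilla/5.0+(X11) - - myapp.azurewebsites.net 500 0 0 512 456 1201
2024-05-01 10:00:03 MYAPP POST /api/orders - 443 - 198.51.100.7 curl/8.0 - - myapp.azurewebsites.net 502 3 0 0 200 30012
2024-05-01 10:00:04 MYAPP GET /health - 443 - 198.51.100.7 curl/8.0 - - myapp.azurewebsites.net 404 0 2 312 120 3'

case ${1:-} in
  enable)   enable_logs ;;
  tail)     tail_logs "${2:-}" ;;
  download) download_logs "${2:-}"
            unzip -o -q "${2:-webapp_logs.zip}" -d logs
            echo "5xx responses: $(find logs -path '*/http/*' -name '*.log' -exec cat {} + | count_5xx)" ;;
  *)        printf '%s\n' "$SAMPLE_HTTP_LOG" | list_5xx ;;   # no argument: demo on the sample
esac
```

The web server logs include the client IP, user agent and full query string of every request, so a downloaded zip is itself sensitive data; delete it once the debugging session is over rather than leaving it in a shared drive or a ticket attachment.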