How to reference Key Vault connection strings from an Azure App Service

If we have a connection string defined in our appsettings.json file we can have our App Services override this by using a connection string defined in Azure Key Vault instead WITHOUT changes to our code.

This is pretty cool and the steps below show how it's done…

Create a Managed Identity for your App Service so Key Vault can grant access

In order to read secrets from a Key Vault we need to have the correct permissions. The first step in this is to create a Managed Identity.

Managed Identities allow us to provide an identity for our Azure resources. Other resources can then use this identity to grant our resource access to its services.

To create a Managed Identity go to your App Service and open the identity page and turn the Status button On as shown below…

How to add a Managed Identity for an App Service

Copy the Object ID which has appeared on the page, we’ll need this for the next step.

Note… there are two types of Managed Identities: system assigned and user assigned. Currently only system assigned identities can support key vault references.

Add a Key Vault Access Policy for your App Service Identity

Next we need to go to our Key Vault and grant the previously created identity permission to GET/READ secrets.

First go to the Access policies page in your Key Vault and click ‘+ Add Access Policy’ as shown below…

Key Vault Access Policies page

… then add the policy as shown below. Connection Strings are stored as secrets and we only need permissions to read them so we will only set one permission.

In the Select principal field, select your app (the easiest way is to just paste in the Object ID from the previous step).

Adding a Key Vault Access Policy

After you add the policy you will be brought back to the main Access policies page and should see your App Service listed under ‘Current Access Policies’.

Add the connection string as a secret to your Key Vault

Now we move onto actually adding the connection string to the key vault. You’ve probably already done this so skip ahead if you have.

First add the connection string as shown below. The Value of the secret will be your connection string.

Add a secret

Then after it’s created navigate back into the current version of your secret (there will only be one as you’ve just created it) and copy the URL reference. We will use this in the next step.

Get secret reference

Add a reference to the secret from App Service connection strings configuration

The final step is to add a new connection string from the Configuration page of our App Service. Connection strings which are defined here will override those of the same name defined in the appsettings.json file.

When using a key vault reference the syntax is:

@Microsoft.KeyVault(SecretUri=https://KEYVAULTNAME.vault.azure.net/secrets/SECRETNAME/SECRETVERSION)

The secret version is optional. If you do not include it Azure will use the current version. Remember… every time you change the value of a secret Azure creates a new version.

When on the App Service -> Settings -> Configuration screen click ‘New connection string’ and a popup similar to the one below will show. In this example I’m referencing a specific version of the secret created above (DavidsDB) and I’m setting the name of the connection string to AdventureWorks, as this is what my app references in its Startup.cs file.

After you’ve added the connection string you should see it listed in the connection strings section…

Connection String listing

If everything is in order from an access point of view you’ll see a green checkbox in the source column. If you see a red cross, revisit the Key Vault Access Policy step above.
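The same four steps can be scripted with the Azure CLI instead of clicked through the portal. The script below is an added example, not code from the original post: it enables the system-assigned identity, grants the identity only the get permission on secrets, stores the connection string as a secret and sets a connection string that references it, pinned to the version just created. The resource group, app, vault and secret names are placeholders, the connection string value is read from the CONNECTION_STRING environment variable (an assumption made here so the secret never appears on the command line), and the az commands only run when APPLY=1 is set; otherwise the script just prints the reference string it would configure.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): configure a Key Vault reference
# connection string for an App Service with the Azure CLI.
# All names below are placeholders; override them via environment variables.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"
APP_NAME="${APP_NAME:-my-app-service}"
VAULT_NAME="${VAULT_NAME:-my-keyvault}"
SECRET_NAME="${SECRET_NAME:-DavidsDB}"
CONN_NAME="${CONN_NAME:-AdventureWorks}"

# Build the reference string the Configuration page expects.
# The version is optional: without it the app follows the secret's current version.
kv_reference() {
  vault="$1"; secret="$2"; version="${3:-}"
  uri="https://${vault}.vault.azure.net/secrets/${secret}"
  if [ -n "$version" ]; then
    uri="${uri}/${version}"
  fi
  printf '@Microsoft.KeyVault(SecretUri=%s)' "$uri"
}

# Extract the version id from the URL copied from the secret's current-version page
# (or from the id returned by 'az keyvault secret set').
secret_version_from_url() {
  url="${1%/}"
  printf '%s' "${url##*/}"
}

# Quick sanity check that a configured value is a well-formed Key Vault reference,
# useful when auditing an app's connection strings for plain-text secrets.
is_kv_reference() {
  case "$1" in
    '@Microsoft.KeyVault(SecretUri=https://'*'.vault.azure.net/secrets/'*')') return 0 ;;
    *) return 1 ;;
  esac
}

configure_app() {
  # 1. System-assigned managed identity; principalId is the Object ID shown in the portal.
  principal_id=$(az webapp identity assign -g "$RESOURCE_GROUP" -n "$APP_NAME" \
                   --query principalId -o tsv)

  # 2. Access policy with the single permission the app needs: get on secrets.
  az keyvault set-policy -n "$VAULT_NAME" --object-id "$principal_id" --secret-permissions get

  # 3. Store the connection string as a secret; the returned id includes the new version.
  secret_id=$(az keyvault secret set --vault-name "$VAULT_NAME" -n "$SECRET_NAME" \
                --value "${CONNECTION_STRING:?set CONNECTION_STRING to the connection string value}" \
                --query id -o tsv)

  # 4. Connection string setting that references the secret, pinned to that version.
  ref=$(kv_reference "$VAULT_NAME" "$SECRET_NAME" "$(secret_version_from_url "$secret_id")")
  az webapp config connection-string set -g "$RESOURCE_GROUP" -n "$APP_NAME" \
    -t SQLAzure --settings "${CONN_NAME}=${ref}"
}

# Only talk to Azure when explicitly asked; by default just show the reference that would be set.
if [ "${APPLY:-0}" = "1" ]; then
  configure_app
else
  kv_reference "$VAULT_NAME" "$SECRET_NAME"
  echo
fi
```

Pinning the version (step 4) means a rotated secret is not picked up until the setting is updated to the new version; leaving the version off the reference, as the post notes, lets the app follow the current version instead, which is the more common choice when secrets are rotated regularly.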

Finally… test the new connection

Now visit your App Service to test the new connection. If your appsettings.json connection string and your Key Vault connection string are the same, temporarily change the Key Vault one to point at a non-existent server so you can be sure your app is reading from the vault.
