Using Managed Service Identity to Access Azure Key Vault from Azure App Service
In the previous article, I talked about using Managed Service Identity on Azure VM to access Azure Key Vault. We deployed a web application written in ASP.Net Core 2 to the VM and accessed Key Vault to get a secret for the application.
Same way, we can use Managed Service Identity in Azure App Service to access the Key Vault. In this article, we’ll look at how to use Managed Service Identity with the Azure App Service. This also applies to Azure Functions.
I have deployed the same application to an Azure App Service. You can find the application code in the following GitHub Repository.
The application makes use of 2 NuGet packages to authenticate and retrieve secrets from the Azure Key Vault.
- Azure.KeyVault – Allows you to interact with the Azure Key Vault
- Azure.Services.AppAuthentication (Pre-Release) – Allows the app to authenticate using the Azure AD.
Note: The Microsoft.Azure.Services.AppAuthentication NuGet package is still in pre-release
Create Managed Service Identity for App Service
In the Managed Service Identity section under the Settings section of the App Service Instance, You can see the option to Register with Azure Active Directory.
Turn the value on and click on Save button to create the Managed Service Identity.
Add Access Policy for App Service in Azure Key Vault
Next, you need to add the access policy in to the Azure Key Vault. Without this the App Service will not be able to access the Key Vault. To do that, navigate to the Access Policies under the Settings section of the Key Vault where your secrets for the Application is stored.
There click on Add New button to add a new Access Policy. Then click on Select Principle and search for the web app name you defined for the App Service Instance and select it from the list. Then set the Secret permissions to Get. (Since we are only getting secrets from the Key Vault, if you want more permissions for the Application, you can set them.). Then click on Ok and Save the newly created access policy.
Now if you navigate to the web application and go to the About page, you can see the random value taken from the Azure Key Vault displayed on the About page.
How This Works Under the Hood
The Microsoft.Azure.Services.AppAuthentication library handles obtaining the token to access the Key Vault. When the Manages Service Identity is created, it will inject 2 environment variables in to the App Service hosting environment.
- MSI_ENDPOINT – Local endpoint that the library issues a GET request
- MSI_SECRET – The secret value that is sent with the above get request.
The successful response contains the Access Token. The library takes care of retrieving it and feeding it in to the KeyVaultClient in order to access the secret in the subsequent code.
I have made a small modification to the code to see the MSI_ENDPOINT and MSI_SECRET. I have added the following lines to the About() controller action
// Get Environment Variables related to MSI
ViewBag.MsiSecret = Environment.GetEnvironmentVariable("MSI_SECRET");
ViewBag.MsiEndpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT");And updated the About.cshtml page with the following lines.
<p class="lead">MSI_SECRET: <em>@ViewData["MsiSecret"]</em></p>
<p class="lead">MSI_ENDPOINT: <em>@ViewData["MsiEndpoint"]</em></p>Now In the about page, you can see the values for the MSI Endpoint and the Secret it uses for authentication.
Running the Application Locally.
Yes, we have created a Managed Service Identity for the Virtual Machine that the application is running on. But for local development purposes we don’t have a MSI created. IF you try to run the application now on your local development environment, it will throw an exception trying to access the Key Vault, since the application can not authenticate in to the Azure Key Vault.
To run the application locally, you can use Azure CLI 2.0. Install Azure CLI 2.0 and login to your azure subscription using
az loginThen make sure you are in the correct subscription if you have multiple subscriptions, you have to be in the same subscription where the Key Vault you are trying to access is. If not use the following command to set the correct subscription.
az account set --subscription "your-subscription-id"Make sure to keep the command line window running and then run the web application locally. You should now be able to access the Key Vault and retrieve the secrets.
Other Ways of Creating the Managed Service Identity for App Service
There are couple of ways of creating the Managed Service Identity for the App Service. We used the Azure Portal. But you can use;
Azure Resource Manager Templates
You can use ARM templates to add the MSI, by adding the following property to the app service resource definition in the Template.
"identity": {
"type": "SystemAssigned"
}Azure CLI 2.0
You can use Azure CLI 2.0.31 or later version to create the MSI for the App Service, simply execute the following commands to attach a MSI to an already existing App Service Instance.
# Login to Azure Subscription
az login
# Attach the MSI to the App Service. Replace the values between < >
az webapp identity assign --name <app-name> --resource-group <resource-group-name>Limitations
The Managed Service Identity for App Service and Azure Functions are still in preview. So, App Services on Linux and Web Apps for Container are not supported yet.
Kasun Kodagoda
Kasun Kodagoda is a Senior Technical Lead at 99X working on the Microsoft stack. He is an Azure Cloud and Azure DevOps enthusiasts and contributes to few Open Source projects on GitHub, mainly focusing on Azure Pipelines Extensions. OWASP ZAP Scan, Slack Notification task are some of his popular Azure DevOps extension. Kasun is also a blogger, occasional gamer and creates YouTube videos on Azure, Azure DevOps and Gaming and loves creating Architectural and Interior Design visualizations when he finds time.
