Using User Assigned Managed Identity to Access Azure Key Vault from Azure App Service
In the last article we talked about using a System Assigned Managed Identity on Azure App Service to access Azure Key Vault. In this article we'll see how we can use a User-Assigned Managed Identity instead. The source code we are using is exactly the same, so I will not go into the details of the implementation; that information is available in the previous article which I have linked above. In this article we'll focus only on enabling a User-Assigned Managed Identity on Azure App Service and using it to access Key Vault.
Create the User-Assigned Managed Identity
Unlike System Assigned Managed Identities, User-Assigned identities are created separately, as standalone resources. The creation experience is exactly the same as creating any other Azure resource. Let's look at how it is done.
Go to the resource group where you want to put the User Assigned Managed Identity, then click on the Add button to add a new resource. Search for Managed Identity and you should be presented with a User-Assigned Managed Identity option.
Click on it and you will be taken to the User-Assigned Managed Identity creation blade. Click on the Create button on the blade and you will be taken to a new blade to enter some information about the Managed Identity.
Enter a Name for the User Assigned Managed Identity, select the Subscription, Resource Group and Location for the managed identity, and click on Create.
Once the User-Assigned Managed Identity is created, you need to copy its Client ID: go to the newly created Managed Identity and the Client ID should be available on the Overview page. You will need this value later, when pointing the app at this identity.
Authorize Access to Azure Key Vault for the User Assigned Managed Identity
Just like we did in the previous article, we need to authorize access to Azure Key Vault using Access Policies. Go to Access Policies in the Key Vault instance and click on Add, search for the User Assigned Managed Identity you created in the previous step, grant it the Secret Get and List permissions (nothing more is needed for this sample), and Save the changes.
Associate the User Assigned Managed Identity with Azure App Service Instance
Now that the managed identity is created, it's time to add the User-Assigned identity to the App Service instance. Go to Settings > Identity and switch to the User-Assigned (Preview) tab. Then click on the Add button and select the User Assigned Managed Identity we created in the earlier step.
If you check your app now, even though we added the Managed Identity, the app is still not retrieving the secrets from the Key Vault; it's still showing an exception.
This is because we need to add an environment variable that points to the Managed Identity we created. Since multiple user-assigned managed identities can be added to a single App Service instance, we need to tell the app which one to use. We do this by adding the following app setting, AzureServicesAuthConnectionString,
with the following value (substitute the Client ID you copied from the identity's Overview page):
RunAs=App;AppId={CLIENT_ID_OF_MANAGED_IDENTITY}
Once set, the Configuration section should look something like this.
Now you can see that the application is able to authenticate as the User-Assigned identity, access the Azure Key Vault and fetch the secret value.
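The app-side counterpart of the setting above, as an added example that is not code from the article: it builds the RunAs=App;AppId=... connection string from a Client ID, and refuses to construct a token provider when AzureServicesAuthConnectionString is missing, so a misconfigured deployment fails visibly instead of silently falling back to whatever other credential AzureServiceTokenProvider can find. The vault URL, secret name, helper names and the Microsoft.Azure.KeyVault package are assumptions, not given by the article.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;                  // assumed: KeyVaultClient (Microsoft.Azure.KeyVault package)
using Microsoft.Azure.Services.AppAuthentication; // AzureServiceTokenProvider, as used in the article

// Hypothetical helper class; names are not from the article.
public static class UserAssignedKeyVaultReader
{
    // Builds the value for the AzureServicesAuthConnectionString app setting.
    // The Client ID of a managed identity is a GUID, so anything else is rejected early.
    public static string BuildConnectionString(string clientId)
    {
        if (!Guid.TryParse(clientId, out _))
            throw new ArgumentException("Client ID must be the GUID of the user-assigned managed identity.");
        return $"RunAs=App;AppId={clientId}";
    }

    // Reads one secret from Key Vault using the identity named by the app setting.
    public static async Task<string> ReadSecretAsync(string vaultUrl, string secretName)
    {
        // App Service exposes app settings to the process as environment variables.
        var connectionString = Environment.GetEnvironmentVariable("AzureServicesAuthConnectionString");
        if (string.IsNullOrWhiteSpace(connectionString))
            throw new InvalidOperationException(
                "AzureServicesAuthConnectionString is not set; not falling back to other credentials.");

        // With an explicit connection string the provider uses only the named identity.
        var tokenProvider = new AzureServiceTokenProvider(connectionString);
        using var keyVault = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

        // Requires the Secret Get permission granted in the access policy above.
        var secret = await keyVault.GetSecretAsync(vaultUrl, secretName);
        return secret.Value;
    }
}

// Example usage with constructed values (vault URL and secret name are placeholders):
// var value = await UserAssignedKeyVaultReader.ReadSecretAsync(
//     "https://<your-vault-name>.vault.azure.net/", "<your-secret-name>");
```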
Summary
In this article we discussed how to use the Microsoft.Azure.Services.AppAuthentication NuGet package to obtain an access token via Managed Identities and use it to access Azure Key Vault, and then we enabled a User Assigned Managed Identity on Azure App Service and used that identity to access Azure Key Vault.