What is Managed Identity?

• Azure Active Directory managed identities simplify secrets management for your cloud application
• Details: Azure AD managed identity for Azure resources

Using managed identity to access KeyVault secret

Scenario: A WebApp will access KeyVault and get database connection string from KeyVault secret using managed identity

Prerequisites:

• Create Azure KeyVault and put Secret
• Create App Service plan and App Service

Steps:

• Activate system assigned managed identity in App service
  • Go to resource gorup: https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups
  • Select resource group > Select App Service
  • Settings > Identity > System assigned
  • Status: On
  • Once system assigned managed identity is enabled:
    • App service will be registered to Azure AD
    • Unique Object ID will assigned to app service by Azure AD
    • Other Azure resources (i.e. Azure KeyVault) can set policy to allow App service (using that Object ID)
• Add policy to KeyVault to allow App Service to access secrets
  • Go to resource gorup: https://portal.azure.com/#blade/HubsExtension/BrowseResourceGroups
  • Select resource group > Select KeyVault
  • Settings > Access policy > ‘+ Add access policy’
  • Secret permissions
    • Get
    • List
  • Select principal > Search > select
  • Add > Save
• Go to KeyVault and Copy Secret URI
• Added an entry in Application settings of App service for DB connection string
  • App settings key: DBConnectionString
  • App settings value: @Microsoft.KeyVault({referenceString})
    • Example: @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)
    • referenceString syntax : https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#reference-syntax

Links

• https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet
• https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references