In last article, we have created a .NET Core web application and accessed the secrets stored in Azure key vault. We have seen how how to allow Visual studio to access the key vault.
In this article, let’s publish the web application as Azure app service. Then the app service will need managed identity to authenticate itself with the Azure key vault. So, we will create the system-assigned managed identity for Azure app service and will add access policy to allow it access on key vault.
Publish Web App
Create a .NET Core web application (MVC) using Visual studio. Add configurations so that it can read from the Azure key vault. Refer this article to know the detailed steps.
Make sure that the storage account details are not available in appsettings.json.
Access the Web App
Create an Azure App Service instance and then publish the web app from the visual studio. Refer this article to know the detailed steps.
So, what you have is a .NET Core MVC Web application which is published as Azure app service.
If you try to access the Azure app service you published just now using URL <a rel="noreferrer noopener" href="https://<https://<<app-service>>.azurewebsites.net , then you will get an error below:
This is happening because we have registered the key vault provider while creating IHostBuilder instance in Program.cs.
This code tries to reach out to key vault and tries to get all the configurations from there. The key vault is not able to authenticate identity of the app service and the application crashes in startup resulting in above output.
Create Managed Identity
In order to authenticate the Azure web app with key vault, let’s use system-assigned managed identity.
Login to Azure portal and then go to the app service which was created for this demo purpose. Then select the Identity from left navigation.
Under system-assigned tab, toggle the Status field on as shown below. This should show a GUID and button below. Then click the Save button to save the newly generated identity.
So, we just have asked system to generate a managed identity for our app service.
Using Azure CLI
You can create system-assigned managed identity for the app service using below command:
Key Vault Access Policy
The managed identity has been generated but it has not been granted access on key vault yet. So, in Azure portal, go to the key vault which is supposed to be accessed by the app service.
Under Settings, select access policies option from left navigation and then click on Add access policy. On the new panel, make sure to select two permissions – Get and List – for key permissions, secret permissions and certificate permissions inputs.
Then click on Select principal which should open a new panel on right side. On this new panel, search for the name of the app service which you have created for this demo. Select app service and then click on Select button.
Then click on Add button to add the access policy. This will close add policy panel. Then click on Save button on Access policies panel.
Using Azure CLI
Below command can be used to set the access policy on the key vault. Please note that PrincipalId input is the output of the command which generated managed identity on Azure app service.
Now, all the configurations have been setup to allow app service to access key vault.
Run and Verify
If the app service is accessed again, it should show the upload file page as shown below. If file is uploaded, application will be able to read the storage account name, blob container and key from key vault and so the file will be uploaded to blob container.
I hope this article have provided you some information on how to use system-assigned managed identities. Let me know your thoughts.
