Azure App Service secret storage in Azure Key Vault

Today I'm going to show you how to store Azure App Service configuration secrets in Azure Key Vault. In this example, I'm going to use a Plataforma DNN Azure App Service-based website using SQL database, which stores the connection string of the SQL database in Azure Key Vault. I will not change the application code base to access Azure Key Vault in any way. We will leverage App Service's Managed Identity feature to automatically retrieve Secrets from Key Vault.

Aprovisionar Azure Key Vault

1. Aprovisionar Azure Key Vault

   

2. For this demonstration, we will change the permission model to the new Azure role-based access control (RBAC). Currently in preview.

   

3. Depending on your implementation, change the network as you like. For this demonstration, we will leave it as a public endpoint to match the App Service settings.

   

4. Click on the Review + To create button to start deployment

5. Once created, add yourself to the function “Key Vault Administrator (preview version)” through Access Control (IAM). Now you can start managing secrets.

   

Add connection string to Key Vault secrets

1. Add a new secret to Key Vault

   

2. Specify the type secret “Manual”, give it a name and set the value to the current SQL Database connection string stored in the web application.config

   

3. Click Create. Once created, click on the secret to see the details of the secret and then click on the current version again

4. Next to the secret identifier, click the Copy to Clipboard button

   

Add the secret identifier reference to the Azure App Service configuration

1. Open App Service settings and add a new Connection String setting
2. Enter the name of the connection string (“SiteSqlServer” for the DNN platform) and set the value “@ Microsoft.KeyVault (SecretUri = VALUE_FROM_CLIPBOARD)”, where VALUE_FROM_CLIPBOARD is that of the step 4 from the previous section.

3. Click Save to save the application settings.

   

Allow App Service to Access Key Vault

1. In App Service again, click Identity to enable system assigned identity.

2. Click save after activating “Activated” the state

   

3. Click the button “Role assignments” and then click “Add role assignment (preview)”

   

4. In assigning roles, choose scope “Key Vault”, subscribe the subscription where you created the Key Vault in the previous steps and the name of the Key Vault resource. For the role, just select “Key Vault Secrets User (preview)”

   

5. Finally, go to the web.config file of your DNN platform website and delete the content of the connection string.

   

6. Visit the website and verify that it loads correctly. Now, the connection string is stored securely in Azure Key Vault and is no longer stored in the file system.

Known issues

1. ERROR: I get an error “Keyword not supported: ‘@ Microsoft.keyvault (secrets'”. I have experienced that RBAC permissions can take a minute or two to apply, so try after a few minutes. Also try restarting the App thought in the App Service portal, so nothing is cached.

   

2. When checking DNN log4net logs, you see many errors from a process trying to initialize a database connection with an invalid connection string during the DNN initialization process. This error is currently occurring in versions 9.7.2 or earlier with a pending pull request to fix it https://github.com/dnnsoftware/Dnn.Platform/issues/4227
3. IMPORTANT: if you plan to use the backup feature of Azure App Service, don't use this method to store SQL database connection strings in Azure Key Vault, as they are not supported by the App Service backup function. https://stackoverflow.com/questions/56101504/backingup-azure-webapp-when-connection-string-is-injected-through-keyvault

I hope this helps!