Azure App Service secret storage in Azure Key Vault

Hoy voy a mostrar cómo almacenar los secretos de configuración de Azure App ServiceAzure App Service is a Microsoft platform that allows you to develop and host web and mobile applications in the cloud. Offers support for various programming languages, as .NET, Java, PHP and Python. With features like autoscaling, Continuous integration and advanced security, Azure App Service makes it easy for developers to build robust and scalable applications without worrying about the underlying infrastructure.... in Azure Key VaultAzure Key Vault es un servicio de Microsoft Azure diseñado para almacenar y gestionar secretos, claves de cifrado y certificados de manera segura. Permite a las organizaciones proteger información sensible, controlando el acceso a través de políticas y autenticación. Con la integración de Azure Active Directory, facilita la gestión de identidades y permisos, garantizando que solo los usuarios autorizados puedan acceder a los datos críticos. Ideal para mejorar la seguridad.... In this example, I'm going to use a Plataforma DNN sitio web basado en Azure App Service utilizando una databaseA database is an organized set of information that allows you to store, Manage and retrieve data efficiently. Used in various applications, from enterprise systems to online platforms, Databases can be relational or non-relational. Proper design is critical to optimizing performance and ensuring information integrity, thus facilitating informed decision-making in different contexts.... SQL, which stores the connection string of the SQL database in Azure Key Vault. I will not change the application code base to access Azure Key Vault in any way. We will leverage App Service's Managed Identity feature to automatically retrieve Secrets from Key Vault.

Aprovisionar Azure Key Vault

1. Aprovisionar Azure Key Vault

   

2. For this demonstration, we will change the permission model to the new Azure role-based access control (RBAC). Currently in preview.

   

3. Depending on your implementation, change the network as you like. For this demonstration, we will leave it as a public endpoint to match the App Service settings.

   

4. Click on the Review + To create button to start deployment

5. Once created, add yourself to the function “Key Vault Administrator (preview version)” through Access Control (IAM). Now you can start managing secrets.

   

Add connection string to Key Vault secrets

1. Add a new secret to Key Vault

   

2. Specify the type secret “Manual”, give it a name and set the value to the current SQL Database connection string stored in the web application.config

   

3. Click Create. Once created, click on the secret to see the details of the secret and then click on the current version again

4. Next to the secret identifier, click the Copy to Clipboard button

   

Add the secret identifier reference to the Azure App Service configuration

1. Open App Service settings and add a new Connection String setting
2. Enter the name of the connection string (“SiteSqlServer” for the DNN platform) and set the value “@ Microsoft.KeyVault (SecretUri = VALUE_FROM_CLIPBOARD)”, where VALUE_FROM_CLIPBOARD is that of the step 4 from the previous section.

3. Click Save to save the application settings.

   

Allow App Service to Access Key Vault

1. In App Service again, click Identity to enable system assigned identity.

2. Click save after activating “Activated” the state

   

3. Click the button “Role assignments” and then click “Add role assignment (preview)”

   

4. In assigning roles, choose scope “Key Vault”, subscribe the subscription where you created the Key Vault in the previous steps and the name of the Key Vault resource. For the role, just select “Key Vault Secrets User (preview)”

   

5. Finally, go to the web.config file of your DNN platform website and delete the content of the connection string.

   

6. Visit the website and verify that it loads correctly. Now, the connection string is stored securely in Azure Key Vault and is no longer stored in the file system.

Known issues

1. ERROR: I get an error “Keyword not supported: ‘@ Microsoft.keyvault (secrets'”. I have experienced that RBAC permissions can take a minute or two to apply, so try after a few minutes. Also try restarting the App thought in the App Service portal, so nothing is cached.

   

2. When checking DNN log4net logs, you see many errors from a process trying to initialize a database connection with an invalid connection string during the DNN initialization process. This error is currently occurring in versions 9.7.2 or earlier with a pending pull request to fix it https://github.com/dnnsoftware/Dnn.Platform/issues/4227
3. IMPORTANT: if you plan to use the backup feature of Azure App Service, don't use this method to store SQL database connection strings in Azure Key Vault, as they are not supported by the App Service backup function. https://stackoverflow.com/questions/56101504/backingup-azure-webapp-when-connection-string-is-injected-through-keyvault

I hope this helps!