10

I have an app with 2 slots. I have stored connection strings in the key vault. I have enabled MSI on the app and 2 slots. Also, within the vault's access policy, I have added the app (production slot). However I am not able to add the slots to the access policy. E.g. My app's name is XYZ20180706 and the slots are XYZ20180706/dev and XYZ20180706/test. But when I type in XYZ20180706/dev or XYZ20180706-dev in the service principal, it is not found.

How do I create an access policy for a deployment slot?

Just having it enabled on the main slot is not enough. I currently get access denied (to vault) if I deploy the app to the dev slot and run it.

Thanks.

Redzon

3 Answers

17

AFAIK, we could access it after enabling MSI for deployment slot, you could check my test steps.

1. I have two slots, then I enable MSI of both of them in the portal.

2. You could check them in the Azure Active Directory -> Enterprise applications in the portal, refer to the screenshot.

    Note: You should specify the Application Type option with All Applications when you are searching.

3. Add access policy in the Azure keyvault, you could find the slots in the principal (hover your cursor over it).

Sebastian Inones
Joy Wang
  • Using the ApplicationId worked for me. Otherwise, the development slot did not show up when I appended -development at the end of the app service name. – beaudetious Nov 20 '18 at 17:51
  • "Managed service identity" has been renamed to "Identity". Also, the slot could take some minutes before appearing in the "Add access policy" section (printscreen 3). – Maxime Gélinas Jul 02 '20 at 20:17
  • 1
    Is there any way to do the above steps using YAML? I'm in the same exact situation where I would like to integrate this configuration as part of a CI/CD pipeline instead of manually enabling the identity and adding an access policy for the deployment slot. – Ia1 Jul 10 '20 at 22:25
6

On the key vault "Add access policy" section (printscreen 3 from Joy Wang), when you are selecting the principal, type this: YourWebAppName/slots/YourDeploymentSlotName

After you type the entire string the autocomplete check will be green and you can select the principal from the list.

Alin
  • 2
    Thank you, this is the only way I was able to find my slot when adding a new access policy. It's amazing how poorly this feature is documented by Microsoft. – Boxiom Apr 08 '19 at 11:13
0

Follow the below steps to provide keyvault access to deployment slots.

1. Select the web app (deployment slot), go to Settings -> Identity -> enable the status.
2. Go to Key Vault -> Access policies -> Create -> select the required policies -> in the principal tab, type the following string: <app-name>/slots/<deployment slot (e.g. staging)>

Hit like if you find this helpful.
Aravind
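
For the CI/CD case raised in the comments, the portal steps above can be scripted with the Azure CLI. This is an added example, not part of any answer on this page; the function name is hypothetical, the resource group and vault names in the usage comment are placeholders, and it assumes a logged-in `az` session and a vault that uses access policies rather than Azure RBAC.

```shell
# Added example: enable the slot's own managed identity and give it
# read-only access to Key Vault secrets.
# usage: grant_slot_vault_access <resource-group> <app-name> <slot> <vault-name>
grant_slot_vault_access() {
  if [ "$#" -ne 4 ]; then
    echo "usage: grant_slot_vault_access <resource-group> <app> <slot> <vault>" >&2
    return 2
  fi
  gs_rg=$1; gs_app=$2; gs_slot=$3; gs_vault=$4

  # Every slot has its own system-assigned identity. Enabling identity on
  # the production slot does not cover dev/test, so assign it per slot and
  # capture the service principal's object id.
  gs_pid=$(az webapp identity assign \
      --resource-group "$gs_rg" --name "$gs_app" --slot "$gs_slot" \
      --query principalId --output tsv) || return 1

  # Never call set-policy with an empty object id.
  if [ -z "$gs_pid" ]; then
    echo "no principalId returned for $gs_app/slots/$gs_slot" >&2
    return 1
  fi

  # Grant by object id, which avoids the display-name search in the portal
  # (<app>/slots/<slot>). Read-only: no set, delete or purge permissions.
  az keyvault set-policy --name "$gs_vault" --object-id "$gs_pid" \
      --secret-permissions get list --output none || return 1

  # Print the object id so the pipeline can log or reuse it.
  echo "$gs_pid"
}

# Example call (placeholder resource group and vault names):
#   grant_slot_vault_access my-rg XYZ20180706 dev my-vault
```

Run it once per slot; the production slot's policy entry stays separate, so each environment can be granted or revoked independently.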