"Key vault reference error" in azure web app configuration setting

Question

I have a private certificate that was generated by azure for a web app for linux containers. I want to pass this value to my .net core app via the web app configuration settings in the the azure portal. This is part of a pipeline CI-CD process and the ability to specify Identity Server key values in app configuration helps to keep those values out of the source code.

PROBLEM

I keep getting the following error by the setting

❌Key vault Reference

also shown here:

I am trying to use the secret value in the format suggested by the microsoft docs here I have tried the following formats:

@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID)

@Microsoft.KeyVault(VaultName=myvault;SecretName=myCertName;SecretVersion=versionGUID)

ALSO, I have added the web app to the access policies of the azure key vault

EDIT 1:

There was a format error and I had the wrong secret name so the following format worked:

@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID)

However I ran into a new error:

Key Vault reference was not able to be resolved because site Managed Identity not enabled MSINotEnabled

SO I went to the identity tab of the web app and turned on managed identity for the app.

I am now stuck with the following error:

Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.

I found multiple sites that said if you just deleted the setting, saved, and then add the setting back it should resolve. This DID NOT work for me.

I also tried granting "Full access" to the web app in the azure key vault access policies.

Answer 1

Firstly, the reference format @Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID) is wrong, it should be @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/myCertName/versionGUID).

Secondly, I don't think you granted the permission for the MSI of your web app correctly.

From the description in your original post:

ALSO, I have added the web app to the access policies of the azure key vault

Then in your EDIT 1:

SO I went to the identity tab of the web app and turned on managed identity for the app.

Obviously the order is wrong, if you didn't enable the MSI of the app before, how you add it to the access policy? I suppose you may added the wrong one.

So in your case, make sure you have added the MSI of the web app to the access policy correctly.

1.Navigate to the web app -> Identity -> copy the Object ID(also make sure you are using system-assigned MSI, the user-assigned MSI is not supported in keyvault reference feature)

2.Then in the Access policies of the keyvault -> Add Access Policy -> seacrh for the Object ID in step 1 and add it with the Get Secret permission like below -> select and save.

3.Navigate to the app and check it, it works fine.

Answer 2

Your app should be able to reach the Key Vault to resolve a reference successfully. If everything else, e.g., access policies and syntax, appears to be in order and yet your references don't resolve, try checking if your Key Vault has any network restriction.

If you see the warning related to the 'network access control' on your Vault's Access policies settings page, you need to allow your app's IP through the Key Vault firewall.

Add your app’s IP (available under Custom domains) to your Key Vault’s firewall (under Networking).

Reference: https://medium.com/geekculture/troubleshooting-azure-key-vault-references-in-azure-function-apps-b228c1216f63

Answer 3

If it is a User-Managed Identity, we need to do a patch to make this working

userAssignedIdentityResourceId=$(az identity show -g MyResourceGroupName -n MyUserAssignedIdentityName --query id -o tsv)
appResourceId=$(az webapp show -g MyResourceGroupName -n MyAppName --query id -o tsv)
az rest --method PATCH --uri "${appResourceId}?api-version=2021-01-01" --body "{'properties':{'keyVaultReferenceIdentity':'${userAssignedIdentityResourceId}'}}"

Link for the doc

Answer 4

I am facing the same issue while creating resources through terraform.

I have added a key vault access policy for azure function app as well and the issue is gone.

The below part is only for those who are doing terraform.

My config looked like this,

resource "azurerm_key_vault_access_policy" "resource_group_manager" { 
    key_vault_id = module.key_vault_info.key_vault_id 
    tenant_id = data.azurerm_client_config.current.tenant_id 
    object_id = data.azuread_group.manager.id 
    key_permissions = [ "Get", "List", "Create", "Update", "Delete", ] 
    secret_permissions = [ "Get", "List", "Set", "Delete", ] 
}

I have added a key vault access policy only for the azure resource group but not for azure function.

To resolve that,

I have added a key vault access policy for azure function app as well

like below,

resource "azurerm_key_vault_access_policy" "resource_group_manager" { 
    key_vault_id = module.key_vault_info.key_vault_id 
    tenant_id = data.azurerm_client_config.current.tenant_id 
    object_id = data.azuread_group.manager.id 
    key_permissions = [ "Get", "List", "Create", "Update", "Delete", ] 
    secret_permissions = [ "Get", "List", "Set", "Delete", ] 
}

resource "azurerm_key_vault_access_policy" "this" {
    key_vault_id = module.key_vault_info.key_vault_id 
    tenant_id = data.azurerm_client_config.current.tenant_id 
    object_id = azurerm_function_app.this.identity.0.principal_id 
    key_permissions = [ "Get", "List", "Create", "Update", "Delete", ] 
    secret_permissions = [ "Get", "List", "Set", "Delete", ] 
}