Azure web apps,managed identities and keyvault – Note from the field

Hello everyone,

This will be a short blog post of something I noticed in Azure when using managed identities, Azure keyvault and web apps.

The scenario was the following: we had a few web apps running in Azure which had to authenticate with an API gateway using client certificates.

In order to facilitate this we decided to upload the certificates to an Azure Keyvault which we created specifically for that application.
The web app will then be registered as a managed system identity in Azure AD, and will be given permission on that specific Keyvault.

This has a few advantages:

  • No credentials have to be exchanged, the web app itself is the identity which is used as authentication with keyvault.
  • Certificates are centrally managed and rotated in keyvault
  • There is an auditing trail on the use of these certificates
  • This scenario can also be used in the context of storing secrets, such as connection strings, service accounts etc.

I am not going to cover the application point of view of this, but to put it simply, you will have to add some nuget packages to your solution to be able to use managed identities and keyvault:

Enabling the managed identity on the web app can be done here:

2019-03-08 13_33_58-Clipboard

You can then select this identity in your access policy of keyvault:

2019-03-08 13_45_24-Clipboard.png

Here’s the first thing you have to pay attention to: you would think that getting the certificate from the keyvault should be sufficient permission wise.
However, if you require the private key from the certificate as well, you will also need get permissions on secrets as well.
See screenshot:


The second thing you have to pay attention to is slots on web apps. These have to registered separately in Azure AD. So if you have any slots, those have to be registered as managed system identities as well. And in addition to that, you will also have to give them permissions on keyvault.
In order to simplify administration, I have created security groups for this in Azure AD, which contains the managed identities that require access to the Keyvault.

So just to recap the caveats:

  • Do not forget to register slots of your web apps as managed identities
  • Do not forget to also give get permissions on secrets as well to be able to retrieve the private key.

That’s all for now, have a nice day!




Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s