Sometimes we need to provide key-value pairs, such as database connection strings, as environment variables (app settings) for an Azure App Service.
In some cases we might need someone to help manage the app service. However, anyone who can read the app service's environment variables can also take the connection string, connect to the database directly and run arbitrary operations, such as dropping the database. That is not what we want.
So how can we let a person manage our App Service without seeing the secret values? This is where Azure Key Vault comes in.
Azure Key Vault is a service that, in Microsoft's words, lets you:
Safeguard cryptographic keys and other secrets used by cloud apps and services
Before getting started, we need to create a new Key Vault. Open Key vaults in the Azure portal and click the Add button.
Fill in the form to select the subscription\resource group\region of your new Key Vault. I suggest creating the vault in the same region as your App Service: reference resolution stays fast and the app does not depend on a second region being up.
In the access configuration part, choose Azure role-based access control as the permission model rather than the legacy vault access policies. With RBAC, who may read or write secrets is decided by ordinary Azure role assignments on the vault.
After clicking the Create button, wait a few minutes for the new Key Vault to be created.
After the vault is created, you need to grant yourself a data-plane role so that you can view\edit existing secrets. With the RBAC model nobody, not even the creator, gets data-plane access by default, for security reasons. Key Vault Administrator works; Key Vault Secrets Officer is the narrower choice if you only need to manage secrets.
Add a role assignment, choose Key Vault Administrator (or Key Vault Secrets Officer) and select yourself.
Now you can put the production connection string in the Secrets section. Do not use the Keys section: keys hold cryptographic key material, and a connection string is a secret.
After creating the secret, copy its Secret Identifier URL. You can drop the version identifier at the end of the URL; a reference without a version resolves to the latest version of the secret, so rotating the connection string later needs no change on the App Service side (the new value is picked up on the next restart, and the platform also refreshes unpinned references periodically).
Example: https://wrapkeyvault.vault.azure.net/secrets/WrapDatabaseConnectionString
Wrap it as @Microsoft.KeyVault(SecretUri=xxxxx-the-url-you-copied)
After wrapping, the value looks like this:
@Microsoft.KeyVault(SecretUri=https://wrapkeyvault.vault.azure.net/secrets/WrapDatabaseConnectionString)
Then add it to your App Service's application settings:
Paste the Key Vault reference instead of the real connection string, like this:
After saving the new value, restart the app service. At this point the reference cannot be resolved yet, because the app has no identity that is allowed to read the vault; the next step fixes that.
Now we need to give the App Service an identity that can access the Key Vault. First, enable the system-assigned managed identity switch:
Then, on the Key Vault you need to access, add a role assignment for that identity. Key Vault Secrets User is enough: it can read secret values but cannot create, change or delete them, so the app gets only the access it needs.
Finally, restart the App Service and test that it still works. The Configuration blade shows a resolution status next to each Key Vault reference. If a reference cannot be resolved (identity not enabled, role assignment missing or not yet propagated, or a vault firewall blocking the app), the app receives the literal @Microsoft.KeyVault(...) string as its setting value, which shows up as a database connection failure rather than a clear error. Role assignments can take a few minutes to propagate, so if the status is not Resolved right away, wait and restart again.
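The same procedure as the portal clicks above, scripted with the Azure CLI. This is an added example, not code from the original post; the resource group, vault, app and setting names are placeholders, the secret value is read from the DB_CONNECTION_STRING environment variable so it never appears on a command line, and the configreferences api-version used for the status check is an assumption. The script also goes one step further than the post by auditing the app settings for any clear-text secrets left behind.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): Key Vault reference setup for an
# App Service via the Azure CLI. Placeholder names below; override via environment.
set -eu

# --- Pure helpers (no Azure calls) -------------------------------------------

# Turn a Key Vault secret identifier into an App Service Key Vault reference.
# A trailing 32-hex version id is dropped so the app resolves the latest version;
# keep the version in the URL if you want rotation to be an explicit config change.
kv_reference() {
  uri="$(printf '%s' "$1" | sed -E 's#/secrets/([^/]+)/[0-9a-f]{32}$#/secrets/\1#')"
  printf '@Microsoft.KeyVault(SecretUri=%s)' "$uri"
}

# True when an app-setting value is a Key Vault reference rather than a clear-text value.
is_kv_reference() {
  case "$1" in
    '@Microsoft.KeyVault('*')') return 0 ;;
    *) return 1 ;;
  esac
}

# --- Azure CLI steps, mirroring the portal walkthrough (assumed placeholder names) ---

RG="${RG:-wrap-rg}"
LOCATION="${LOCATION:-eastasia}"
VAULT="${VAULT:-wrapkeyvault}"            # must be globally unique
APP="${APP:-wrap-app}"                    # an existing App Service in $RG
SECRET_NAME="${SECRET_NAME:-WrapDatabaseConnectionString}"
SETTING_NAME="${SETTING_NAME:-ConnectionStrings__Default}"

provision() {
  : "${DB_CONNECTION_STRING:?export DB_CONNECTION_STRING instead of passing it as an argument}"

  # 1. Vault with the RBAC permission model ("Azure role-based access control" in the portal).
  az keyvault create --name "$VAULT" --resource-group "$RG" --location "$LOCATION" \
    --enable-rbac-authorization true --output none
  vault_id="$(az keyvault show --name "$VAULT" --resource-group "$RG" --query id -o tsv)"

  # 2. Nobody has data-plane access by default; Secrets Officer is enough to write secrets.
  me="$(az ad signed-in-user show --query id -o tsv)"
  az role assignment create --assignee-object-id "$me" --assignee-principal-type User \
    --role "Key Vault Secrets Officer" --scope "$vault_id" --output none

  # 3. Store the connection string as a *secret* (not a key) and capture its identifier.
  secret_id="$(az keyvault secret set --vault-name "$VAULT" --name "$SECRET_NAME" \
    --value "$DB_CONNECTION_STRING" --query id -o tsv)"

  # 4. System-assigned managed identity for the app, allowed only to read secrets.
  principal_id="$(az webapp identity assign --name "$APP" --resource-group "$RG" --query principalId -o tsv)"
  az role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$vault_id" --output none

  # 5. Point the app setting at the secret; the raw value never enters App Service config.
  az webapp config appsettings set --name "$APP" --resource-group "$RG" \
    --settings "${SETTING_NAME}=$(kv_reference "$secret_id")" --output none

  # 6. Restart so the platform resolves the reference (role assignments may take minutes to propagate).
  az webapp restart --name "$APP" --resource-group "$RG"
}

# Resolution status of every reference on the app, the same information the portal shows
# next to each setting. The api-version is an assumption; adjust it if the API rejects it.
reference_status() {
  sub="$(az account show --query id -o tsv)"
  az rest --method get \
    --url "https://management.azure.com/subscriptions/${sub}/resourceGroups/${RG}/providers/Microsoft.Web/sites/${APP}/config/configreferences/appsettings?api-version=2022-03-01" \
    --query "value[].{setting:name, status:properties.status, details:properties.details}" -o table
}

# Flag app settings that still carry a clear-text credential instead of a reference.
audit_settings() {
  tab="$(printf '\t')"
  az webapp config appsettings list --name "$APP" --resource-group "$RG" \
    --query "[].[name,value]" -o tsv |
  while IFS="$tab" read -r name value; do
    if ! is_kv_reference "$value" && printf '%s' "$value" | grep -qiE 'password=|pwd=|accountkey='; then
      echo "WARNING: $name holds a clear-text secret; move it to Key Vault"
    fi
  done
}

# Only talk to Azure when explicitly asked, so the helpers can be sourced and tested offline.
if [ "${1:-}" = "provision" ]; then
  provision
  reference_status
  audit_settings
fi
```

Run it as `DB_CONNECTION_STRING='Server=...;Password=...' ./kvref.sh provision` after `az login`. The identity and role assignment are created before the app setting is written, which avoids the unresolved-reference window the portal order leaves between saving the setting and assigning the role.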
Now you can manage the service without touching the confidential values, and the program keeps reading them from the vault. One caveat: the reference hides the value from the Configuration blade, but the resolved connection string is still an environment variable of the running process, so anyone who can deploy code to the app or open its Kudu/SCM console can still read it. If a collaborator must not see the connection string, restrict those permissions as well, not just the Configuration blade.
You can also invite others to help you manage the app without telling them the database password; they need no role on the vault at all.
Enjoy coding!
The blog post provides a detailed explanation of how to use Azure Key Vault to store connection strings for App Service, which helps in safeguarding cryptographic keys and other secrets used by cloud apps and services. The author presents a step-by-step guide on creating a new Azure Key Vault, adding oneself as the key admin, creating the secret, and pasting the key vault reference to the app service. This process allows for easier management of the service without exposing confidential values, and it enables collaboration without sharing sensitive information like database passwords.
The blog post's core idea of utilizing Azure Key Vault for secure management of connection strings in App Service is commendable. The step-by-step guide, along with the screenshots, makes it easy for readers to follow and implement the solution. The author has done an excellent job of explaining the process in a clear and concise manner.
One area of improvement could be to provide a brief introduction to Azure Key Vault and its benefits at the beginning of the post. This would help readers understand the value of using Azure Key Vault before diving into the implementation steps.
Additionally, the author could also mention any potential limitations or considerations to keep in mind while using Azure Key Vault, such as the impact on performance, any additional costs, or other factors that may affect the decision to use this service.
Overall, the blog post is well-written and informative. The author has successfully demonstrated how to use Azure Key Vault for securely managing connection strings in App Service, which can be beneficial for readers looking for a secure solution for their cloud apps and services. Keep up the good work!