Sometimes, we need to provide key-values as environment variables for Azure app service, like database connection strings.
In some cases, we might need someone to collaborate managing the app service. However, with app service environment variables access, he will also be able to connect to the database manually and do custom database operations, like drop database. That is not what we expected.
So how can we allow a person to manage our app service without touching the secret values? Here comes Azure Key vault.
Azure Key vault is a tool that:
Safeguard cryptographic keys and other secrets used by cloud apps and services
Before getting started, we need to create a new Azure Key vault. Select Azure Key vaults and click the Add button.
Fill in the form to select the subscription\resource group\region of your new Key vault. I suggest that you create a key vault in the region new your Azure App Service.
In the access policy part, select Azure role-based access control.
After clicking the create button, you need to wait for several minutes before the new Key vault is created.
After creating the new Key vault, you need to add yourself as the key admin which means that you can view\edit existing keys. It was not added by default for security reasons.
Select yourself to be added as Key Vault administrator.
Now, you can put the production connection string to the keys part:
After creating the secret, copy the reference URL of it: (You can remove the version GUID in the last)
Wrap that to @Microsoft.KeyVault(SecretUri=xxxxx-the-url-you-copied)
And after wrapping, your link gonna be like this:
And you paste that to your app service:
Paste the key vault reference instead of the real password like this:
After saving the new value, restart the app service.
Now, we need to add an identity to allow the app service to access the key vault. First enable this switch:
Select the key vault you need to access. Assign it as Key Vault Secrets User.
Finally, restart the app service. And test if it is still working.
Now, you can manage this service easily and without touching the confidential values. And the program can keep reading the value from the secure place.
You can also invite others to help you manage it without telling them the password of the database.