Azure Key Vault with App Service connection error - azure

I'm trying to set up a new app slot for my azure website.
Here is my error:
I've looked at a few articles online and then made sure the app slot was using System assigned identities.
But I still get the above error?
What am I missing?
Here is what it looks like on the Configuration section

Make sure you have done the steps below, then it should work.
1.After enabling the system-assigned identity(MSI) of your slot, navigate to your keyvault in the portal -> Access policies -> add the MSI of your slot to the access policy with the correct secret permission, just search for your web app name, the MSI of the slot has the format as webappname/slots/slotname, details here.
2.If you use the SecretUri, the format of the connection string in your slot should be like below, double-check it.
#Microsoft.KeyVault(SecretUri=https://joykeyvault123.vault.azure.net/secrets/encryptionKey/492c7788a9da421c8b9752ef18b53f5d)
You could get the SecretUri in your secret in the portal.
It works fine on my side.

Related

How can i use Key Vault for connection strings in Azure App Service?

I have followed the following for How to reference Key Vault connection strings from an Azure App Service.
https://davecallan.com/how-to-reference-key-vault-connection-strings-from-an-azure-app-
service/
The connection string has a name of "sqlconnection" in the App Service Configuration. I then deleted this entry from the Configuration Json file and restarted the Web app.
I then try to connect but it gives a database error with no details.
Any ideas on this ?
I tried to reproduce the same in my environment like below:
I created a key vault with Azure role-based access control (RBAC) like below:
Make sure to add Key Vault Administrator role in Access control like below:
Generate a key vault secret under setting. While generating secret of type as Manual name and set the value to the current SQL Database connection string stored in the Application web.config
Try to use Secret value connection string of your sql database like below:
Then you can able to see Secret Identifier like below:
In your web app -> under setting click configuration -> click new connection string
Type the name of the connection string and set the value #Microsoft.KeyVault(SecretUri=VALUE), where the VALUE
In Identity under setting -> make sure to add system assigned status as on like below:
Click on the "Role Assignments" button and then Add keyvault secrets user role like below:
As you are facing database error with no details you can check the Log4net errors under Portals_default\Logs.
Reference:
Connection strings and app settings not working properly on Azure App Service · Issue #4227 · dnnsoftware/Dnn.Platform · GitHub

InvalidSyntax error when using Azure KeyVault References

I am having an issue where I add an Azure KeyVault information as part of my Azure function configuration, but it's giving me an InvalidSyntax error.
In my Azure Function, I go to the Configuration section, in the application tab I click "New application setting". In the Name I added a name like: SomeSecret.. and in the Value I added the path to my azure keyvault, so it looks like this:
#Microsoft.KeyVault(SecretUri=https://somename.azure.net/secrets/mysecretname/ec96f02080254f109c51a1f14cdb1931)
I also tried with this
#Microsoft.KeyVault(SecretUri="https://somename.azure.net/secrets/mysecretname/ec96f02080254f109c51a1f14cdb1931")
I tried with the other syntax, like:
#Microsoft.KeyVault(VaultName=somename;SecretName=mysecretname;SecretVersion=ec96f02080254f109c51a1f14cdb1931)
None of them is working. I made sure that for the Azure function identity, it's added to the KeyVault in Access Policies and it has all required access.
Any idea?
#Microsoft.KeyVault(SecretUri=) is the right way.
So the first format should be no problems. Try to give full access policy and try again.

Can docker on Azure Linux App Service authenticate with the ACR without us specifying the password in the app settings?

We deploy a Linux App Service to Azure using terraform. The relevant configuration code is:
resource "azurerm_app_service" "webapp" {
app_settings = {
DOCKER_REGISTRY_SERVER_URL = "https://${local.ctx.AcrName}.azurecr.io"
DOCKER_REGISTRY_SERVER_USERNAME = data.azurerm_key_vault_secret.acr_admin_user.value
DOCKER_REGISTRY_SERVER_PASSWORD = data.azurerm_key_vault_secret.acr_admin_password.value
...
}
...
}
The problem is that terraform does not consider app_settings a secret and so it outputs in the clear the DOCKER_REGISTRY_SERVER_PASSWORD value in the Azure DevOps output (I obfuscated the actual values):
So, I am wondering - can docker running on an Azure Linux App Service host authenticate with the respective ACR without us having to pass the password in a way that makes it so obvious to every one who can inspect the pipeline output?
The following article seems relevant in general - https://docs.docker.com/engine/reference/commandline/login, but it is unclear how we can apply it in my context, if at all.
Also, according to https://feedback.azure.com/forums/169385-web-apps/suggestions/36145444-web-app-for-containers-acr-access-requires-admin#%7Btoggle_previous_statuses%7D Microsoft has started working on something relevant, but looks like this is still a work in progress (almost 5 months).
I'm afraid you must set the environment variables about DOCKER_REGISTRY_* to pull the images from the ACR, it's the only way to do that designed by Azure. But for the sensitive info about the password, it also provides a way to hide it. You can use the Key Vault to store the password in secret, and then get the password from the secret. Take a look at the document Use Key Vault references for App Service. So you can change the app_setting for the password like this:
DOCKER_REGISTRY_SERVER_PASSWORD = "#Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)"
Or
DOCKER_REGISTRY_SERVER_PASSWORD = "#Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=ec96f02080254f109c51a1f14cdb1931)"
Then it just shows the reference of the Key Vault, not the exact password.
Unfortunately Azure Web Apps do not support interacting with ACR using a managed identity, you must pass those Environment Variables to the App Service.
Terraform does not currently support applying a "sensitive" flag to arbitrary values. You can define outputs as sensitive, but it will not help with values you want to hide during the plan phase.
I would suggest checking out https://github.com/cloudposse/tfmask, using the TFMASK_RESOURCES_REGEX configuration to block the output you want to hide during your pipeline. If you're averse to adding dependencies, similar effect could be achieved by piping terraform apply through grep --invert-match "DOCKER_REGISTRY" instead.
#charles-xu has a good answer as well if you want to set up mappings between keyvault and your web app then push your tokens into kv secrets.
Now it's possible to use managed identity to pull images from ACR.
You may do the next:
go to your Container Registry page in the Azure portal
Open the tab Access Control (IAM)
The open Role assignments tab
Add role assignment AcrPull to your App Service or Function App
In the Deployment Center of your App Service choose Managed Identity for the Authentication setting.
Or you may use CLI by following the steps from the official documentation (link below):
https://learn.microsoft.com/en-us/azure/app-service/configure-custom-container?pivots=container-linux#use-managed-identity-to-pull-image-from-azure-container-registry
After you added role assignment DOCKER_REGISTRY_SERVER_URL, DOCKER_REGISTRY_SERVER_USERNAME and DOCKER_REGISTRY_SERVER_PASSWORD settings may be removed from App Service's App Settings.

Deploying an Azure Web App through Jenkins

I am trying to deploy an Azure Web App through a Jenkins scripted pipeline using the Azure App Service Plugin. This is my deploy-command (GUIDs have been changed):
azureWebAppPublish azureCredentialsId: 'a0774bb6-e471-47s9-92dc-5aa7b4t683e8', resourceGroup: 'my-demo-app', appName: 'MY-DEMO-APP', filePath: 'public/*, package.json'
When running the script I get the following error:
The client '03a1b3f9-a6fb-48bd-b016-4e37ec712f14' with object id '03a1b3f9-a6fb-48bd-b016-4e37ec712f14' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/81fd39sw-3d28-454c-bc78-abag45r5d4d4/resourceGroups/my-demo-app/providers/Microsoft.Web/sites/MY-DEMO-APP' or the scope is invalid. If access was recently granted, please refresh your credentials.
The strange thing is, the ID of this "client" that's missing authorization does not appear anywhere in the build plan. It's neither the ID or a part of the service principal nor the ID of the Container Registry credentials. It also doesn't appear on the machine that executes the build (I checked both the GUID of the mother board and the windows installation). Also the term client is not used for any part of the build plan, so I don't really know what's the actual issue in this case.
Please check out this tutorial that explains how to Set up continuous integration and deployment to Azure App Service with Jenkins and One of the best method to deploy to Azure Web App (Windows) from Jenkins : https://learn.microsoft.com/en-us/azure/jenkins/java-deploy-webapp-tutorial
To find the Azure AD user with the object id '03a1b3f9-a6fb-48bd-b016-4e37ec712f14', go to Azure portal, open Cloud Shell and run
Get-AzureADUser -ObjectId '03a1b3f9-a6fb-48bd-b016-4e37ec712f14'
To diagnose or troubleshoot the issue, go to Azure Portal -> Resource Groups -> my-demo-app -> MY-DEMO-APP -> Access control (IAM) -> Role assignments -> and then search for above found AD User and check if that user has atleast read permission.
Hope this helps!

Keyword not supported: #microsoft.keyvault

I was trying to get the connection string from the azure key vault for azure functions. These are the steps I did,
Created a managed identity(System assigned) in the azure functions
Create a secret in an azure key vault
Add access policies to give permission to the azure function app
Added an entry in the app settings for connection string where the value was #Microsoft.KeyVault(SecretUri=SECRETURLOFKEYVAULT)
But when I run the azure function I am getting below error,
"Keyword not supported: #microsoft.keyvault(secreturi....."
This is how I have enabled managed identity,
And my access policy looks like below,
Any help would be much appreciated
I ran into a similar problem by following the tutorial. My remedy was a restart of the function app. Saving of the app setting was not enough for the Function App to start using the Key Vault secret provider correctly.
According to the steps you provided, it have no problem to work well. Here is the tutorial about get key vault secrets in Azure Function you could refer to.
Note: Add access policies to the azure function app with the Get permission on secrets and that was enough.
Also, here is a similar issue that get same error like you which is due to IP Address restriction blocking it.
This issue occurred while testing on local. It was resolved after doing an az login.

Resources