I created an environment variable in Azure App Service. However, I'm not able to pick the value from Azure while it is published.
So I added it to the appsettings.json, and it works.
My question would be, if I add an environment variable in Azure configuration settings, shall I add it in the appsettings.json as well, or is having it in the Azure environment settings enough?
When I navigate to
https://your-web-name.scm.azurewebsites.net/Env.cshtml
I can clearly see the variable is present there. Why is this not being picked up in the code? Am I doing something wrong?
appSettings["MailKitPassword"] <-- This is not being picked up, so I have to hard-code it.
In order to retrieve it you should use Environment.GetEnvironmentVariable("APPSETTING_MailKitPassword")
As Thiago Mentioned, you need to use GetEnvironmentVariable method to retrieve the AppSettings values,
so your code should be
Environment.GetEnvironmentVariable("APPSETTING_MailKitPassword")
However i would recommend you to store the passwords in Azure KeyVault.
Related
Is it possible to lookup the application name for an Azure app as it runs, i.e., get the information about that is displayed in the Azure portal? In the example below, I'd want something to tell me from within the application that I am running sitemap-prod-eastus.
I've been looking at the Azure Context object but not seeing what I need. There is an invocation ID, a name for the function, a directory - not the info in this window.
Maybe this can be done through Azure Application Insights?
I am working in Node JS.
I've not seen anything that would expose this to a function app. That said, there is one sort of workaround that you could do which would work - go to the Configuration blade for the function app, Application settings tab, and add a configuration key like function_name and set its value to the name of your app. Your app could then just read it out of configuration.
It's an extra step, but if you're doing it with something like ARM or Terraform, it's just another configuration entry with a variable you already declared to set up the app in the first place.
Answering my own question: Azure provides WEBSITE_SITE_NAME in the runtime environment that matches the name of the function app.
I am having an issue where I add an Azure KeyVault information as part of my Azure function configuration, but it's giving me an InvalidSyntax error.
In my Azure Function, I go to the Configuration section, in the application tab I click "New application setting". In the Name I added a name like: SomeSecret.. and in the Value I added the path to my azure keyvault, so it looks like this:
#Microsoft.KeyVault(SecretUri=https://somename.azure.net/secrets/mysecretname/ec96f02080254f109c51a1f14cdb1931)
I also tried with this
#Microsoft.KeyVault(SecretUri="https://somename.azure.net/secrets/mysecretname/ec96f02080254f109c51a1f14cdb1931")
I tried with the other syntax, like:
#Microsoft.KeyVault(VaultName=somename;SecretName=mysecretname;SecretVersion=ec96f02080254f109c51a1f14cdb1931)
None of them is working. I made sure that for the Azure function identity, it's added to the KeyVault in Access Policies and it has all required access.
Any idea?
#Microsoft.KeyVault(SecretUri=) is the right way.
So the first format should be no problems. Try to give full access policy and try again.
We deploy a Linux App Service to Azure using terraform. The relevant configuration code is:
resource "azurerm_app_service" "webapp" {
app_settings = {
DOCKER_REGISTRY_SERVER_URL = "https://${local.ctx.AcrName}.azurecr.io"
DOCKER_REGISTRY_SERVER_USERNAME = data.azurerm_key_vault_secret.acr_admin_user.value
DOCKER_REGISTRY_SERVER_PASSWORD = data.azurerm_key_vault_secret.acr_admin_password.value
...
}
...
}
The problem is that terraform does not consider app_settings a secret and so it outputs in the clear the DOCKER_REGISTRY_SERVER_PASSWORD value in the Azure DevOps output (I obfuscated the actual values):
So, I am wondering - can docker running on an Azure Linux App Service host authenticate with the respective ACR without us having to pass the password in a way that makes it so obvious to every one who can inspect the pipeline output?
The following article seems relevant in general - https://docs.docker.com/engine/reference/commandline/login, but it is unclear how we can apply it in my context, if at all.
Also, according to https://feedback.azure.com/forums/169385-web-apps/suggestions/36145444-web-app-for-containers-acr-access-requires-admin#%7Btoggle_previous_statuses%7D Microsoft has started working on something relevant, but looks like this is still a work in progress (almost 5 months).
I'm afraid you must set the environment variables about DOCKER_REGISTRY_* to pull the images from the ACR, it's the only way to do that designed by Azure. But for the sensitive info about the password, it also provides a way to hide it. You can use the Key Vault to store the password in secret, and then get the password from the secret. Take a look at the document Use Key Vault references for App Service. So you can change the app_setting for the password like this:
DOCKER_REGISTRY_SERVER_PASSWORD = "#Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)"
Or
DOCKER_REGISTRY_SERVER_PASSWORD = "#Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret;SecretVersion=ec96f02080254f109c51a1f14cdb1931)"
Then it just shows the reference of the Key Vault, not the exact password.
Unfortunately Azure Web Apps do not support interacting with ACR using a managed identity, you must pass those Environment Variables to the App Service.
Terraform does not currently support applying a "sensitive" flag to arbitrary values. You can define outputs as sensitive, but it will not help with values you want to hide during the plan phase.
I would suggest checking out https://github.com/cloudposse/tfmask, using the TFMASK_RESOURCES_REGEX configuration to block the output you want to hide during your pipeline. If you're averse to adding dependencies, similar effect could be achieved by piping terraform apply through grep --invert-match "DOCKER_REGISTRY" instead.
#charles-xu has a good answer as well if you want to set up mappings between keyvault and your web app then push your tokens into kv secrets.
Now it's possible to use managed identity to pull images from ACR.
You may do the next:
go to your Container Registry page in the Azure portal
Open the tab Access Control (IAM)
The open Role assignments tab
Add role assignment AcrPull to your App Service or Function App
In the Deployment Center of your App Service choose Managed Identity for the Authentication setting.
Or you may use CLI by following the steps from the official documentation (link below):
https://learn.microsoft.com/en-us/azure/app-service/configure-custom-container?pivots=container-linux#use-managed-identity-to-pull-image-from-azure-container-registry
After you added role assignment DOCKER_REGISTRY_SERVER_URL, DOCKER_REGISTRY_SERVER_USERNAME and DOCKER_REGISTRY_SERVER_PASSWORD settings may be removed from App Service's App Settings.
I have tried adding DefaultConnection from my appsettings.json file to Azure's Application Settings but Azure will not override the connection string.
Any article or blog I can find states that all I should need to do is add the connection string name as it states in the appsettings.json file and Azure should do the rest (e.g. https://tehremo.wordpress.com/2016/10/07/override-connection-strings-app-settings-in-asp-net-core-and-azure-app-service/) however when the application is published it is using my local connection string.
My Startup.cs file looks like the following:
NOTE: I am publishing using VSTS continuous delivery with "Deploy Azure App Service" release task.
I just had a similar problem (the problem was with PostgreSQL connection string type, I had to change it to custom) and now it works for me, so these are the pieces:
This is my appsettings.json file. I have a value for 'Psql' set in my appsettings.Development.json, but in the appsettings.json it is left empty.
These are the settings which are set in the Azure portal. Please note, that there are two ways to override the connection string.
This is the part of my Startup.cs file. Pay attention to the order of how the settings are applied in the Startup constructor and the way I get the connection string in the ConfigureServices method (GetConnectionString is a standard extension method).
Additional info from my comments below:
Azure GUI (Connection strings, Application settings) uses environment variables internally, so the appsettings.json will stay the same.
If there is a need for an appsettings.json's value to be overwritten during VSTS release activity (before it will be published to Azure), Colin's ALM Corner Build & Release Tools can be used. Here are the links to Colin's ALM Corner Build & Release Tools and tutorial.
Thanks #pasul, your help was much appreciated and helped me find an alternative solution. In order to deploy using VSTS task and replace application settings, you will need to add variables to the release task and pass into the task the json file in question for variable substitution.
When in "Deploy Azure App Service" release task you should see a "File Transforms and Variable Substitution" section. In here you will supply the path to the json file you want to swap variable values.
Then you will need to click on the options button on the release environment. You will see an option to configure variables in the pop out menu.
From here you can add the json property you want to modify as a variable. In my case the connection string. Which will look like the following:
"ConnectionStrings.DefaultConnection"
Then just put in your connection string value. VSTS will then swap out these values for you when deploying.
Reading through the azure documentation and various posts on here, i understand there should be a number of settings available to web apps running on azure, among them WEBSITE_HOSTNAMEand WEBSITE_SITE_NAME. These should also overwrite any existing configuration appsettings with same key.
When i attempt to run my app, it is reading the key from the config file (i.e. its not being overwritten by azure). If i remove the value from the config, i get an exception about not being able to pick up a config value.
Is there a step im missing? Are these values only available at certain tiers?
Those values are only available as environment variables, so you'll need to read them from there.
App settings set in the Web App blade override settings and become env variables, but these are just environment variables.