Azure Key Vault with Managed Service Identity on self Hosted Web App - azure

Could anyone provide some instruction on how you would go about assigning a Managed Service Identity to a Remotely-hosted Web app?
My application is registered in AAD to enable the use of authentication. I want to remove the appSecret from appsettings and store that in the KeyVault and access the KeyVault using the MSI.
I have looked at the MS docs and followed a few guides, but have not, as of yet, managed to successfully retrieve my secret.
In the first instance, I just wanted to store a secret and get that back, and once that was working, get the client secret using the same approach.

Managed identity only works when you host your app in Azure.
This is because it works as a local endpoint inside the Azure instances.

Related

Windows VM system-assigned managed identity to access Azure Key Vault in Typescript?

How we can get the Access to Azure key vault secrets from Typescript app.
We have access to the VM on which the application is running.
What are the steps and code we need to place in Type script react application to get azure key vault access?
It is not possible and not recommended to use Azure key vault in Typescript app. It is a security risk, as anyone can see your KeyVault connection details from browser console and access your secrets.
You should not access secured resources directly from client code.
https://www.npmjs.com/package/#azure/keyvault-secrets
Angular - Azure Key Vault Managing Vault Access secrets
https://learn.microsoft.com/en-us/answers/questions/318983/is-it-possible-to-use-key-vault-in-static-web-appl.html

Is Azure Managed Identity enabled for Windows desktop app?

I followed the instructions in this tutorial (option #1 auto-configure): https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-windows-desktop
The generated WPF desktop app works fine and I am able to get it to authenticate to my Azure AD account.
Does this mean that the desktop app is using Azure Managed Identity?
If not, what else do I have to do to accomplish this?
My ultimate goal is to be able to modify the desktop application and access secrets in Azure Key Vault, without having to hardcode credentials or use environment variables.
Does this mean that the desktop app is using Azure Managed Identity?
No, it does not mean that, the desktop app from this doc just uses an AAD App for you to login, nothing related to the managed identity(MSI).
If not, what else do I have to do to accomplish this?
If you want to use MSI to access secrets in azure keyvault, you need to run your code in azure services that supported MSI e.g. azure app service, azure VM, etc, MSI is not available anywhere else.
For the code, just use the Azure Key Vault secret client library for .NET, it uses DefaultAzureCredential to auth, it will try several auth ways automatically, one of them is ManagedIdentityCredential i.e. MSI.
var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential: new DefaultAzureCredential());
Also you should note, when you use MSI to access azure keyvault secret, it is a non-interactive way and no user will be asked to login(i.e. no user involved), because MSI is essentially a service principal in AAD, when using it to auth, it just makes an API call to the azure instance metadata endpoint to get the token, then use the token to auth.

Getting Azure key vault certificates works only from local machine

I am using Identity server to handle logins in my app hosted in MS Azure. I am using Azure key vault to store my certificates. When I am trying to obtain certificates from Azure Key Vault on local machine, everything works fine, but after deploying to the server, I am getting the error described bellow.
I have followed this tutorial: https://damienbod.com/2020/04/09/using-certificates-from-azure-key-vault-in-asp-net-core/
I have created Azure AD and registered my app into it. Also I have created Azure Key Vault, added my app into Key Vault access principles and inside my app service I have allowed identity assigned by the system.
When I deployed this app on the server I am getting this error
In the key vault I allowed all permissions for this app
Is there some more setting, which needs to be done before deploying?
Thanks.
After you enable the system-assigned identity for your app service, you also need to add it to the Access policies of the keyvault with the correct certificate permission(just navigate to the Access policies, search for the web app name and add it).
The sample you provided use the AzureServiceTokenProvider, when you deploy your code to app service, it should use the system-assigned identity to access the keyvault in your case.
To let this work, you also need to specify the AzureServicesAuthConnectionString environment variable in your app service with RunAs=App, see this link.

Azure website not able to communicate to the third party API

Team,
I have recently migrated my azure classic portal resources to CSP subscription. I have successfully converted my azure cloud service to azure app website in the CSP subscription. But there is one thing i am not able connect. Its the third party API When we had the cloud service we had a .pfx uploaded to azure and in the code we use to create a uri which consists of the certifcate key + certificate secret key.
The certificate key is got directly from web.config. But the certificate secret key is got from EncryptedSettings.Appsettings("SecretKeyName").
This is basically got from the encrypted app setting done earlier by
https://eren.ws/2014/02/04/encrypting-the-web-config-file-of-an-azure-cloud-service/
But i am not sure what way should we implement on Azure website.
I have tried implementing the same but unfortunately it seems the secret key retrieval technique for cloud service is not the same as in the azure web app service.
When i debug the azure web site i can see that it gives the error as.
Failed to decrypt using provider ‘CustomProvider’. Error message from the provider: Value cannot be null.
Parameter name: keyObject
Can anyone please guide me ?
Rather than storing secrets in your config, you may wish instead to store them Azure KeyVault (which also gives you secret management capabilities etc) and then load the secrets at runtime.
KeyVault documentation:
https://learn.microsoft.com/en-us/azure/key-vault/
Specifically how to use keyvault with azure websites:
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application
And these days, don't bother with manual authentication to use keyvault, instead use "Managed Service Identity", here's a tutorial:
https://azure.microsoft.com/en-gb/resources/samples/app-service-msi-keyvault-dotnet/
Interestingly the second tutorial does mention specifically using certificates for the purposes of authentication (against keyvault), you may wish to use this technique for yourself as a simplified way to get direct access to your certificate.

What is the use of Azure Key Vault in case of WebApp

We have hosted our application on Azure WebAPP and wanted to use SSL on this. Should we use traditional way to attach this certification to Azure WebAPP or should we user Azure Key Vault. Since access to Azure WebAPP through RDP is not available and Azure is managing our WebAPP, can certification be compromised (if the Azure key vault is not used)?
I can understand its usage in case of VM, but on Azure, WebApp does it add any value.
Azure Web App doesn't rely on Azure Key Vault for any of its functionalities.
However, if you are using App Service Certificate, then you end up configuring Azure Key Vault for storing the secret. Other use cases are also there, but those are from an application perspective.

Resources