Add Key Vault Secret to App Service Settings

[thepaulmacca]

This is probably something simple for someone who knows what they're doing to answer 😀

I have a key vault secret (SQL connection string) that I need to add to app service settings. Does anyone have an example of how I can do this in bicep? I'm still learning this, so an example would be handy

Not sure if this needs to be done in JSON still or not. Thanks

[alex-frankel]

Has the key vault and secret already been created? Or are you looking to create that as part of the bicep code?

If it's the former, then you would reference the secret in a parameters file the same way you would for an ARM template and provide that parameters file to the deployment client you are using, so you would do something like:

az deployment group create -f main.bicep -p params.json

You also need to make sure the key vault has been enabled for template deployment which you can do when you create the key vault or you can enable it at any time in the portal:

If it's the latter, then you may be blocked by #1571. The only way to reference a secret dynamically is to use a nested deployment (now a module in bicep).

Hope that helps, but let me know if you need more info/get stuck!

[miqm]

you're mixing two different functionalities. app service key vault references are just string settings in certain format. I'll provide one you you later, can't do this now.

[thepaulmacca]

Thanks very much, appreciate the quick replies!

[alex-frankel]

TIL!

Is it this? @thepaulmacca have you seen this yet? I can try to work on something

https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#source-application-settings-from-key-vault

[thepaulmacca]

Yep this is what I'm after! I've been battling with this doc quite a bit today. I just can't get my head around how to do this in bicep but if you find a way to do it, you'll make my week! 😀

Even if we could just do the app insights connection string as an example, it'll help me visualise it a bit more

I currently have the key vault and secrets in a single module, so I guess I'd have to add an 'existing' function just before the app settings in the appService module? I'm not sure to be honest, I'm still learning my way around bicep

Appreciate your help!

[alex-frankel]

@bmoore-msft do you have a quickstart template for keyvault references in app settings? Looks like they implemented some custom way of handling this :) The doc leaves a lot to be desired because they only provide an incomplete template and the variable definitions are not declared...

[miqm]

Here's an working example how to use App Service with Key Vault references in settings:

param location string = resourceGroup().location
@secure()
param secretValue string

resource serverFarm 'Microsoft.Web/serverfarms@2020-12-01' = {
  name: 'app-plan'
  location: location
  kind: 'linux'
  sku: {
    name: 'B1'
  }
  properties: {
    reserved: true
  }
}
var websiteName = 'website-${uniqueString(resourceGroup().id)}'

resource website 'Microsoft.Web/sites@2020-12-01' = {
  name: websiteName
  location: location
  properties: {
    serverFarmId: serverFarm.id
  }
  identity: {
    type: 'SystemAssigned'
  }

  resource config 'config' = {
    name: 'web'
    properties: {
      alwaysOn: true
    }
  }
  resource settings 'config' = {
    name: 'appsettings'
    properties: {
      SuperSecret: '@Microsoft.KeyVault(SecretUri=${keyVault::secret.properties.secretUriWithVersion})'
    }
  }
}

resource keyVault 'Microsoft.KeyVault/vaults@2021-04-01-preview' = {
  name: 'kv-${uniqueString(resourceGroup().id)}'
  location: location
  properties: {
    enableRbacAuthorization: true
    sku: {
      name: 'standard'
      family: 'A'
    }
    tenantId: subscription().tenantId
  }
  resource secret 'secrets' = {
    name: 'mySuperSecret'
    properties: {
      value: secretValue
    }
  }
}

var KEY_VAULT_SECRETS_USER_ROLE_GUID = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource keyVaultWebsiteUser 'Microsoft.Authorization/roleAssignments@2020-04-01-preview' = {
  name: guid('SecretsUser', websiteName)
  scope: keyVault
  properties: {
    principalId: website.identity.principalId
    roleDefinitionId: KEY_VAULT_SECRETS_USER_ROLE_GUID
  }
}

Mind that this might not deploy successfully at first run. Problem is that enabling identity on appService can take few seconds and unfortunately the RBAC assignment might start creating before website identity is available. If it does - it will fail with message that identity was not found in your tenant. Redeployment will fix it though, however this is something worth being addressed (@alex-frankel)

[bmoore-msft]

thanks @miqm - the official doc is a pretty poor example... what the reference wants the resourceId of the secret, e.g.:

reference(resourceId('Microsoft.KeyVault/vaults/secrets', variables('keyVaultName'), variables('secretName')), '2019-09-01').secretUriWithVersion

Or the simpler bicep version above...

For this problem:

Mind that this might not deploy successfully at first run. Problem is that enabling identity on appService can take few seconds and unfortunately the RBAC assignment might start creating before website identity is available. If it does - it will fail with message that identity was not found in your tenant

Add principalType: 'ServicePrincipal' to the roleAssignment and that should solve the "not found" error.

[miqm]

I'd suggest outputting secret.properties.secretUriWithVersion from the kv module and consuming it in webapp module.

In current bicep, trying to use existing syntax is more complicated than it should.

[thepaulmacca]

Right ok thanks, I've now created outputs for the secrets, ready to be consumed

I have 3 secrets:

• App Insights Conn String
• SQL Conn String
• Storage Conn String

At the moment, modules are deployed in this order:

• Storage
• Sql
• App Insights
• App Service
• Key Vault

I did it like this so the key vault had outputs to create secrets from. Do you have an example of how I would now consume the secret in the app service module? I'm guessing it needs some kind of 'dependsOn' here, but again because of the modules I'm not sure how to go about it now

I get an 'expression is involved in a cycle error' (keyVaultModule > appServiceModule)

Sorry for all the questions, but feel like we're this close now!

[miqm]

First of all - you do not output secret values! you output a reference to secret, not value itself.

Second, you most probably have cyclic reference, as you use accessPolicies in Key Vault, where you need to first create appService and get it's identity so you can permission it in key vault.

My idea to your setup would be to have a key vault being created in Key Vault module. From that module, output the keyVault.id value. Then, in each of the modules writing secrets (Storage, Sql, AppInsights) use following code i.e. for storage Account:

param keyVaultId string

resource keyVault 'Microsoft.KeyVault/vaults@@2019-09-01' existing = {
  name: last(split(keyVaultId, '/'))
  resource secret 'secrets' = {
    name: storageAccountKey
    properties: {
    value:  listKeys(storageAccount.id, '2019-04-01').keys[0].value
   }
  }
}
output storageAccountKeySecretUri string = keyVault::storageAccountKey.properties.secretUriWithVersion

Additionally, in appService, assign SecretUser role to the AppService identity on the KeyVault.

If you want to stick with Key Vault Access Policies, you need to use existing on Storage, SQL and AppInsights in keyvault module, to get the secrets via reference.

However I suggest RBAC approach. it's more cleaner and it has more brighter future :)

[thepaulmacca]

Sorry I did mean secret references, not values, long day :)

This is great, I'll give it a go. Thanks again for your help here, I really do appreciate it!

[thepaulmacca]

@miqm @alex-frankel @bmoore-msft

Just thought I'd update this thread to let you know that I've now managed to get this working! Thank you so much for all your help, really appreciate it 👍