"Key vault reference error" in azure web app configuration setting
I have a private certificate that was generated by azure for a web app for linux containers. I want to pass this value to my .net core app via the web app configuration settings in the the azure portal. This is part of a pipeline CI-CD process and the ability to specify Identity Server key values in app configuration helps to keep those values out of the source code.
PROBLEM
I keep getting the following error by the setting
❌Key vault Reference
also shown here:
I am trying to use the secret value in the format suggested by the microsoft docs here I have tried the following formats:
@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID)
@Microsoft.KeyVault(VaultName=myvault;SecretName=myCertName;SecretVersion=versionGUID)
ALSO, I have added the web app to the access policies of the azure key vault
EDIT 1:
There was a format error and I had the wrong secret name so the following format worked:
@Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID)
However I ran into a new error:
Key Vault reference was not able to be resolved because site Managed Identity not enabled MSINotEnabled
SO I went to the identity tab of the web app and turned on managed identity for the app.
I am now stuck with the following error:
Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.
I found multiple sites that said if you just deleted the setting, saved, and then add the setting back it should resolve. This DID NOT work for me.
I also tried granting "Full access" to the web app in the azure key vault access policies.
Firstly, the reference format @Microsoft.KeyVault(https://myvault.vault.azure.net/secrets/myCertName/versionGUID) is wrong, it should be @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/myCertName/versionGUID).
Secondly, I don't think you granted the permission for the MSI of your web app correctly.
From the description in your original post:
ALSO, I have added the web app to the access policies of the azure key vault
Then in your EDIT 1:
SO I went to the identity tab of the web app and turned on managed identity for the app.
Obviously the order is wrong, if you didn't enable the MSI of the app before, how you add it to the access policy? I suppose you may added the wrong one.
So in your case, make sure you have added the MSI of the web app to the access policy correctly.
1.Navigate to the web app -> Identity -> copy the Object ID(also make sure you are using system-assigned MSI, the user-assigned MSI is not supported in keyvault reference feature)
2.Then in the Access policies of the keyvault -> Add Access Policy -> seacrh for the Object ID in step 1 and add it with the Get Secret permission like below -> select and save.
3.Navigate to the app and check it, it works fine.
- Cannot add data to a ComplexField using Python SDK for Azure AI Search
- letsencrypt cert request failing for AKS ingress
- Playwright Test execution on Azure Windows machine fails in pipeline with error as No test found, It works perfectly with same command
- How to Combining PowerShell Output from multiple server to Single csv
- How can I find all Azure app registrations with API permissions to a specific app registration?
- Azure Deployment Groups vs Agent Pools
- I cannot extract .sql CREATE TABLEs for each table in my Azure SQL Database in my Azure Repo
- Can not read blobs through BlobContainerClient for blobs with empty folder prefixes
- Are task logs deleted when the node is deleted due to autoscaling in Azure Batch service?
- Azure Function Blob Storage Monitor
- I want to fetch Azure SQL table data from ADF to use as input in copy activity
- How to access code of my Azure website?
- Run JMeter script in AzureDevOps - Bearer Access Token generation
- Azure Function - HTTP trigger request length exceeded
- How and where to define an environment variable on Azure
- Stream Analytics doesn't output the data to SQL but does to a blob storage
- While Hierarchical namespace enabled cannot upload blob with metadata hdi_isfolder
- Cannot log in to Visual Studio Account in VS 2022
- SchemaColumnConvertNotSupportedException: column: [Col_Name], physicalType: INT64, logicalType: string
- create Azure Keyvault secret without exposing values
- Can you create 'User Flows' in Azure with a pay-as-you-go account
- Deploy ARM template at management group scope with Azure DevOps Pipeline
- How to make an azure function that deploys my bicep script from Azure Storage Account
- Basic SQL commands in Terraform
- Can we Deploy Web Application in Azure OpenAI of Production Level
- Get-MgGroupMember by display name instead of userID
- Azure DevOps REST API parent relation link to existing work item error
- What should be put to 'repoOwners' in Managed Identity Federated Credentials policy?
- How to get list of users from CSV file whose LastSignInDate column has a date that is before 90 days from current date or is empty?
- Langchain cannot connect with Azure SQL Database