Tags: azure, asp.net-core, azure-keyvault, azure-app-configuration

Connecting an Azure App Service to a Key Vault-backed App Configuration raises 403


I'd like to know how I can properly connect my App Service to an App Configuration which is also backed via Key Vault.

Sadly I didn't really find a perfectly fitting tutorial, so now I kind of have something puzzled together, which doesn't work.

Here's my error:

Unhandled exception. Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException: Key vault error. ErrorCode:, Key:copied out, Label:, Etag:copied out, SecretIdentifier:https://copied out.vault.azure.net/secrets/copied out
2021-03-21T00:07:43.756601504Z  ---> Azure.RequestFailedException: Service request failed.
2021-03-21T00:07:43.756608304Z Status: 403 (Forbidden)

2021-03-21T00:07:43.756614804Z Content:
2021-03-21T00:07:43.756614804Z {"error":{"code":"Forbidden","message":"The user, group or application 'appid=copied out;oid=copied out;iss=https://sts.windows.net/copied out/' does not have secrets get permission on key vault 'moonwatch;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287","innererror":{"code":"AccessDenied"}}}

(Note that I've copied out sensitive data.)

I'm getting worked up over this a bit. Here's my setup:

using Azure.Identity;                         // ManagedIdentityCredential
using Microsoft.Extensions.Configuration;     // AddAzureAppConfiguration extension

// Inside ConfigureAppConfiguration((ctx, ConfigBuilder) => { ... })
ConfigBuilder.AddAzureAppConfiguration(options =>
            {
                // One credential (the App Service's system-assigned identity) is used
                // both to read App Configuration and to resolve its Key Vault references.
                var credentials = new ManagedIdentityCredential();
                options.Connect(new Uri("https://copied out.azconfig.io"), credentials)
                    .ConfigureKeyVault(kv => kv.SetCredential(credentials));
            });

And here's how I currently have my resources configured:

  1. My App Service has a Managed, System Assigned Identity
  2. The app configuration contains all my configuration, plus some config entries backed by keyvault
  3. The Key Vault is set to "Vault access" as access policy, and is properly connected to the App Configuration according to the setup procedure
  4. My App Service application is assigned the role "App Configuration Data Reader" in my app configuration.

I'm not entirely sure where I am still going wrong with this setup. I've now tried several things, switching to RBAC, changing settings here and there, but it seems like nothing did the trick yet. RBAC changes the error to:

2021-03-21T00:07:43.756618504Z {"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=copied out;oid=copied out;iss=copied out/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: '/subscriptions/copied out/resourcegroups/moonwatch/providers/microsoft.keyvault/vaults/copied out/secrets/copied out'\r\nAssignment: (not found)\r\nVault: copied out;location=eastus\r\n","innererror":{"code":"ForbiddenByRbac"}}} 

Where am I going wrong? Do I somehow need to connect my app itself to Key Vault as well? This looked like a transitive thing to me.


Solution

  • The error occurs because your App Service does not have permission to access your Key Vault. The Azure App Configuration won't access your Key Vault. Your app does. In the Access Policy of your Key Vault, please grant the managed identity of your App Service the 'Get' secret permission.
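The grant described in the answer, as an added example that is not part of the original question or answer. It is an Azure CLI script that looks up the objectId of the App Service's system-assigned identity, checks which permission model the vault uses, and grants only the `get` secret permission (the App Configuration provider fetches individual secrets, so `list`/`set` are not needed). It also classifies the two 403 bodies from the question: `AccessDenied` means the vault is on access policies and needs a policy entry; `ForbiddenByRbac` with `Assignment: (not found)` means the vault is on Azure RBAC and the identity needs the built-in `Key Vault Secrets User` role at vault scope. The app, resource-group and vault names are placeholders passed on the command line; the script assumes a logged-in `az` CLI.

```shell
#!/bin/sh
# Added example, not from the original post. The App Service's *own* managed
# identity must be allowed to read secrets: the app, not App Configuration,
# resolves the Key Vault references at startup.
# Assumes: Azure CLI ('az') installed and logged in to the right subscription;
# app / resource-group / vault names are placeholders given on the command line.
set -eu

# Constructed, abbreviated copies of the two 403 bodies shown in the question.
SAMPLE_ACCESS_POLICY_403='{"error":{"code":"Forbidden","message":"... does not have secrets get permission on key vault ...","innererror":{"code":"AccessDenied"}}}'
SAMPLE_RBAC_403='{"error":{"code":"Forbidden","message":"Caller is not authorized ... Assignment: (not found) ...","innererror":{"code":"ForbiddenByRbac"}}}'

# Map a Key Vault 403 body to the permission model that produced it.
#   AccessDenied    -> vault uses access policies: add a 'get' secret policy
#   ForbiddenByRbac -> vault uses Azure RBAC: assign 'Key Vault Secrets User'
diagnose_403() {
  case "$1" in
    *'"code":"ForbiddenByRbac"'*) echo rbac ;;
    *'"code":"AccessDenied"'*)    echo access-policy ;;
    *)                            echo unknown ;;
  esac
}

# objectId (principalId) of the App Service's system-assigned identity.
principal_id() {
  az webapp identity show --name "$1" --resource-group "$2" \
     --query principalId -o tsv
}

# Which model the vault is configured for: prints 'rbac' or 'access-policy'.
vault_mode() {
  if [ "$(az keyvault show --name "$1" \
            --query properties.enableRbacAuthorization -o tsv)" = "true" ]; then
    echo rbac
  else
    echo access-policy
  fi
}

# Grant only what the app needs: read a named secret. No list/set/delete.
grant_secret_get() {
  mode="$1"; vault="$2"; oid="$3"
  case "$mode" in
    access-policy)
      az keyvault set-policy --name "$vault" --object-id "$oid" \
         --secret-permissions get ;;
    rbac)
      scope=$(az keyvault show --name "$vault" --query id -o tsv)
      # --assignee-principal-type avoids a Graph lookup the caller may lack rights for
      az role assignment create --assignee-object-id "$oid" \
         --assignee-principal-type ServicePrincipal \
         --role "Key Vault Secrets User" --scope "$scope" ;;
    *)
      echo "grant_secret_get: unknown mode '$mode'" >&2; return 1 ;;
  esac
}

# usage: ./grant-kv-read.sh <app-service-name> <resource-group> <vault-name>
main() {
  oid=$(principal_id "$1" "$2")
  mode=$(vault_mode "$3")
  echo "identity $oid -> vault $3 ($mode)"
  grant_secret_get "$mode" "$3" "$oid"
}

if [ "$#" -eq 3 ]; then
  main "$@"
fi
```

After an RBAC role assignment, allow a few minutes for propagation (the `ForbiddenByRbac` message itself says so), then restart the App Service so the configuration provider re-resolves the references. The "App Configuration Data Reader" role from the question remains necessary for reading App Configuration itself; it does not carry over to the vault.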