I am using Azure Web App service. Currently, I am storing the plain connection string to the database and Azure storage in the Application Settings section in the configuration tab of the Web App Service.
Instead of storing the plain connection string in configuration, how can I store the connection string in Azure Vault, then reference it in the Application setting so that the plain connection string is not stored in the configuration settings?
There are two ways to reference Key Vault in Azure Web Apps. You can do a complete reference:
@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)
Or you can use the alternative:
@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)
In order to read secrets from Key Vault, you need to have a vault created and give your app permission to access it.
Create a key vault by following the Key Vault quickstart.
Create a managed identity for your application.
Create an access policy in Key Vault for the application identity you created earlier. Enable the "Get" secret permission on this policy. Do not configure the "authorized application" or applicationId settings, as this is not compatible with a managed identity.
Full steps on setting this up: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references
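
As an added example (not part of the original answer and not Microsoft's tooling), the following Python check parses both reference forms shown above and flags app settings that still hold a plaintext connection string or a malformed reference. The setting names, the marker list and the sample values are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

REF_RE = re.compile(r"^@Microsoft\.KeyVault\((.*)\)$")
# Heuristic markers of a plaintext connection string (assumed, not exhaustive).
MARKERS = ("accountkey=", "password=", "pwd=", "sharedaccesskey=")

def parse_reference(value):
    """Return {'vault', 'secret'} for a Key Vault reference, None otherwise."""
    m = REF_RE.match(value.strip())
    if not m:
        return None
    fields = dict(p.split("=", 1) for p in m.group(1).split(";") if "=" in p)
    if "SecretUri" in fields:  # complete reference form
        url = urlsplit(fields["SecretUri"])
        parts = [p for p in url.path.split("/") if p]
        ok = url.scheme == "https" and url.hostname and len(parts) >= 2
        if not ok or parts[0] != "secrets":
            raise ValueError(f"malformed SecretUri in {value!r}")
        return {"vault": url.hostname.split(".")[0], "secret": parts[1]}
    if {"VaultName", "SecretName"} <= fields.keys():  # alternative form
        return {"vault": fields["VaultName"], "secret": fields["SecretName"]}
    raise ValueError(f"malformed Key Vault reference: {value!r}")

def audit(settings):
    """Map each setting name to keyvault / plaintext-secret / malformed / other."""
    report = {}
    for name, value in settings.items():
        try:
            ref = parse_reference(value)
        except ValueError:
            report[name] = "malformed"
            continue
        if ref:
            report[name] = "keyvault"
        elif any(marker in value.lower() for marker in MARKERS):
            report[name] = "plaintext-secret"
        else:
            report[name] = "other"
    return report

# Constructed sample settings; names and values are illustrative only.
SAMPLE = {
    "DbConnection": "@Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)",
    "StorageConnection": "@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)",
    "LegacyStorage": "DefaultEndpointsProtocol=https;AccountName=example;AccountKey=PLACEHOLDER",
    "BrokenRef": "@Microsoft.KeyVault(VaultName=myvault)",
    "WEBSITE_TIME_ZONE": "UTC",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

A setting reported as "keyvault" only has valid syntax; whether the app can resolve it still depends on the managed identity and the "Get" access policy described in the steps above.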