To ensure that your Azure Web App named az400-38443478-main can retrieve secrets from an Azure Key Vault named az400-3844J478-kv1 using a system-assigned managed identity with the principle of least privilege, follow these steps:
Enable a System-Assigned Managed Identity for the Azure Web App:
Navigate to the Azure Portal.
Go to the Azure Web App az400-38443478-main.
Select Identity under the Settings section.
In the System assigned tab, switch the Status to On.
Click Save to apply the changes. Saving creates a service principal for the Web App in Microsoft Entra ID; its Object (principal) ID is what the Key Vault grant in the next step is bound to, and it is deleted automatically when the Web App is deleted, so no credential is ever issued to you or stored in the app.
Grant the Web App Access to the Key Vault:
Go to the Azure Key Vault az400-3844J478-kv1.
Select Access policies under the Settings section. This page only applies when the vault uses the access-policy permission model; if the vault is configured for Azure role-based access control, use Access control (IAM) instead and assign the built-in Key Vault Secrets User role to the Web App's identity with the scope set to this vault only, then continue with the code step below.
Click on Add Access Policy.
Choose Secret permissions and select Get. Reading a secret by name needs only Get; add List only if the app has to enumerate secret names. Do not grant Set, Delete, Purge or any key or certificate permissions to a workload that only reads secrets. This keeps the grant at the principle of least privilege.
Click on Select principal, search for your Web App name az400-38443478-main, and select it.
Click Add to add the policy.
Don't forget to click Save to save the access policy changes; the policy is not in effect until it is saved.
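The same steps as an Azure CLI script, added here as an example and not part of the original page. It assumes a resource group named az400-rg (the page does not give one) and an already logged-in az session. It also covers the case the portal steps above do not, a vault that uses Azure RBAC instead of access policies: it reads the vault's permission model and assigns the Key Vault Secrets User role scoped to that vault. The helper functions kv_scope and secret_permissions are this example's own, not Azure CLI commands.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): enable the Web App's system-assigned
# identity and grant it read access to one Key Vault with the least privilege needed.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-az400-rg}"   # assumed; the page does not name a resource group
WEBAPP="az400-38443478-main"
KEYVAULT="az400-3844J478-kv1"

# Build the RBAC scope (the vault's resource ID) from its parts. Scoping the role to the
# vault itself, not the resource group or subscription, is what keeps the grant minimal.
kv_scope() {
  subscription="$1"; resource_group="$2"; vault="$3"
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.KeyVault/vaults/%s' \
    "$subscription" "$resource_group" "$vault"
}

# Map what the app actually does to the smallest access-policy permission set.
# Reading a secret by name needs only "get"; "list" is only needed to enumerate names.
secret_permissions() {
  case "$1" in
    read-by-name) printf 'get' ;;
    enumerate)    printf 'get list' ;;
    *) echo "unknown usage: $1" >&2; return 1 ;;
  esac
}

# Step 1: turn on the system-assigned identity and capture its object (principal) ID.
enable_identity() {
  az webapp identity assign --name "$WEBAPP" --resource-group "$RESOURCE_GROUP" \
    --query principalId -o tsv
}

# Step 2a: the vault uses the access-policy permission model.
grant_access_policy() {
  principal_id="$1"
  # word-splitting of the permission list is intended here
  az keyvault set-policy --name "$KEYVAULT" --object-id "$principal_id" \
    --secret-permissions $(secret_permissions read-by-name)
}

# Step 2b: the vault uses Azure RBAC. "Key Vault Secrets User" grants get/list on secrets only.
grant_rbac() {
  principal_id="$1"
  subscription="$(az account show --query id -o tsv)"
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" \
    --scope "$(kv_scope "$subscription" "$RESOURCE_GROUP" "$KEYVAULT")"
}

# Check which permission model the vault uses, then grant with the matching mechanism.
main() {
  principal_id="$(enable_identity)"
  rbac_enabled="$(az keyvault show --name "$KEYVAULT" \
    --query properties.enableRbacAuthorization -o tsv)"
  if [ "$rbac_enabled" = "true" ]; then
    grant_rbac "$principal_id"
  else
    grant_access_policy "$principal_id"
  fi
}

# Only makes changes when explicitly requested, so the file can be sourced and reviewed safely.
if [ "${APPLY:-0}" = "1" ]; then
  main
fi
```

Run it with APPLY=1 ./grant-kv-access.sh after az login; without APPLY=1 it only defines the functions. Granting get alone (or the Key Vault Secrets User role) and scoping to the single vault is the concrete form of least privilege the portal steps describe.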
Retrieve Secrets in the Web App Code:
In your Web App's code, use the Azure SDK to retrieve the secrets.
For example, in a .NET application, you can use the Azure.Identity and Azure.Security.KeyVault.Secrets namespaces (NuGet packages of the same names).
Use the DefaultAzureCredential class, which will automatically use the system-assigned managed identity when running on Azure. Note that DefaultAzureCredential tries several credential sources in turn (environment variables, managed identity, developer tools such as Visual Studio and the Azure CLI); if you want the deployed app to authenticate only as its managed identity and never fall back to a developer credential, use ManagedIdentityCredential instead.
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// DefaultAzureCredential resolves to the system-assigned managed identity when the app runs in App Service.
var client = new SecretClient(new Uri("https://az400-3844J478-kv1.vault.azure.net/"), new DefaultAzureCredential());
// Needs the Get secret permission (or the Key Vault Secrets User role) granted in the previous step.
KeyVaultSecret secret = await client.GetSecretAsync("my-secret-name");
string secretValue = secret.Value;
Replace "my-secret-name" with the actual name of the secret you want to retrieve. If the call fails with a 403 Forbidden, the identity was enabled but the Key Vault grant is missing or was not saved; if it fails with a 401, the app is not running with the managed identity it was expected to use.
By following these steps, your Azure Web App will be able to securely retrieve secrets from the Azure Key Vault using a system-assigned managed identity, without needing to store credentials in the code, and adhering to the principle of least privilege. Remember to replace the placeholder names with the actual names of your Web App and Key Vault.