September 19, 2020

Azure - Manage Secrets

az keyvault create \
    --resource-group <your-unique-resource-group-name> \
    --location centralus \
    --name <your-unique-vault-name>

Each secret in a vault has a unique URL, and secret values are retrieved with HTTP GET requests. Add the secret to the vault:

az keyvault secret set \
    --name <your-secret-key-name> \
    --value <your-secret-value> \
    --vault-name <your-unique-vault-name>

We're faced with the bootstrapping problem: our application secrets are secure in the vault, but we still need to keep a secret or certificate outside of the vault in order to access them! Managed identities for Azure resources is an Azure feature that your app can use to access Key Vault and other Azure services without having to manage even a single secret outside of the vault.

We need to create an Azure App Service app (first the plan, then the app), set it up with a managed identity and our vault configuration, and deploy our code.

Create an App Service plan:

az appservice plan create \
    --name <your-plan-name> \
    --sku FREE \
    --location centralus \
    --resource-group <your-unique-resource-group-name>

Create the Web App that uses the App Service plan you just created:

az webapp create \
    --plan <your-plan-name> \
    --runtime "node|10.6" \
    --resource-group <your-unique-resource-group-name> \
    --name <your-unique-app-name>

Run this command to create the application settings:

az webapp config appsettings set \
    --resource-group <your-unique-resource-group-name> \
    --name <your-unique-app-name> \
    --settings 'VaultName=<your-unique-vault-name>' 'SCM_DO_BUILD_DURING_DEPLOYMENT=true'

Set the SCM_DO_BUILD_DURING_DEPLOYMENT setting to true so that App Service restores our application's packages on the server and creates the necessary configuration to run the app.

Follow the App Service best practice of putting the VaultName configuration in an application setting instead of a configuration file.

To enable managed identity on an app:

az webapp identity assign \
    --resource-group <your-unique-resource-group-name> \
    --name <your-unique-app-name>