
Integrating with Key Vault

Sven Aelterman edited this page Feb 14, 2022 · 3 revisions

To protect the application settings in the Static Web App, we recommend you integrate with Key Vault. This Wiki page describes the process of creating a Key Vault, configuring managed identity for the Static Web App to access the Key Vault, creating secrets, and referencing them in the Static Web App (SWA) configuration.

Creating a Key Vault instance

When creating a Key Vault instance, it's recommended to create it in the same region as the SWA.

When configuring the permission model on the Access policy tab, select Azure role-based access control rather than Vault access policy. The steps below assign Azure RBAC roles and will not work with a vault that uses access policies.

Assign, at a minimum, the Key Vault Secrets Officer role to the user who will add the secrets to the Key Vault.

Assigning a system assigned managed identity

Note: You can also use a user assigned managed identity for the SWA, but that is beyond the scope of this guide.

  1. In the Azure Portal, navigate to the Static Web App.
  2. Select Identity from the left menu. You will see the status of the System Assigned managed identity.
  3. Change the Status to On.
  4. Select Save and Yes.
  5. Once the system assigned managed identity is created, the new identity's Object (principal) ID will be shown.

Configure access to Key Vault

While still in the system assigned managed identity page of the SWA:

  1. Select Azure role assignments.
  2. Select + Add role assignment.
  3. From the Scope dropdown, select Key Vault.
  4. Select the subscription and the Key Vault resource you created above.
  5. From the Role dropdown, select Key Vault Secrets User. This role grants read access to secret values only; do not assign Key Vault Secrets Officer or broader roles to the SWA identity.
  6. Select Save.

Note: An assignment at the Key Vault scope lets the SWA read every secret in that vault. If the vault is shared with other applications, assign the role on the individual secrets instead (Key Vault RBAC supports secret-level scopes).

Creating Key Vault secrets

  1. In the Static Web App, navigate to Configuration.

  2. The following configuration values should be treated as secrets and moved to Key Vault; you can choose to add any of the other configuration values to the Key Vault as well.

    • AZURE_CLIENT_SECRET
    • FILESYSTEMS_API_KEY
    • CONFIGURATION_API_KEY

    When deploying multiple instances of Storage-as-a-service that will share configuration values, using Key Vault to centralize them can be very effective.

  3. In the Azure Portal, navigate to the Key Vault configured for the SWA.

  4. In the left menu, select Secrets.

  5. For each secret value to be added:

    1. Select + Generate/Import.

    2. Complete the Create a secret dialog:

      • Upload options: Manual
      • Name: The name does not need to match the configuration value exactly, but for ease of reference it should at least include the configuration setting's name, e.g., Saas-Azure-Client-Secret. Key Vault object names may contain only letters, digits, and dashes, so underscores in a setting name (AZURE_CLIENT_SECRET) must be replaced with dashes.
      • Value: Enter the matching value of the SWA configuration setting.
      • Content type: You may choose to enter a description of the secret.
      • Do not set an activation or expiration date. Key Vault refuses to return the value of an expired (or not yet activated) secret, so the SWA would lose the setting at that moment.
    3. Select Create.

    4. Select the newly created secret, select the current version, and copy the secret identifier. It is a URL of the form https://<vault-name>.vault.azure.net/secrets/<secret-name>/<version>; this identifier will be needed later.

Referencing the Key Vault secrets from the Static Web App configuration

  1. Return to the Static Web App configuration screen.

  2. For each application setting that has a secret in Key Vault:

    1. Edit the value.
    2. Change the value to this pattern: @Microsoft.KeyVault(SecretUri=<YOUR-KEY-VAULT-SECRET-URI>). Change <YOUR-KEY-VAULT-SECRET-URI> to the secret identifier you captured when creating the secret.
    3. Select OK.
  3. Select Save to persist the application settings.

  4. Test the application to ensure that the values are being retrieved correctly from Key Vault. If a setting still shows the literal @Microsoft.KeyVault(...) string or the application fails to authenticate, re-check the managed identity's role assignment on the vault and that the secret identifier was copied with its version.
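The whole procedure above can also be driven from the Azure CLI, which is useful when you deploy several Storage-as-a-service instances. The script below is an added example written for this page; it is not part of the project and does not come from the wiki author. The resource group, region, vault and Static Web App names are hypothetical placeholders, and the secret values are assumed to be supplied through environment variables with the same names as the SWA settings. Run it with the argument `provision` to execute; sourcing it without arguments only defines the helper functions.

```shell
#!/usr/bin/env bash
# Added example (not from the original wiki page): Key Vault integration for a Static Web App via az CLI.
# Assumptions: hypothetical resource names below; AZURE_CLIENT_SECRET, FILESYSTEMS_API_KEY and
# CONFIGURATION_API_KEY are exported in the environment with the current SWA setting values.
set -eu

RG="${RG:-rg-saas}"              # hypothetical resource group
LOCATION="${LOCATION:-eastus}"   # same region as the SWA, as the guide recommends
KV="${KV:-kv-saas-demo}"         # hypothetical, globally unique Key Vault name
SWA="${SWA:-swa-saas-demo}"      # hypothetical Static Web App name
SETTINGS="AZURE_CLIENT_SECRET FILESYSTEMS_API_KEY CONFIGURATION_API_KEY"

# Key Vault object names allow only letters, digits and dashes, so map the underscore-separated
# setting name to a dash-separated name with a "Saas-" prefix, following the guide's naming.
kv_secret_name() {
  printf 'Saas-%s' "$(printf '%s' "$1" | tr '_' '-' | tr -cd 'A-Za-z0-9-')"
}

# A versioned secret identifier has the form https://<vault>.vault.azure.net/secrets/<name>/<32 hex>.
# Accept only that shape so an unversioned or mistyped URL is rejected before it reaches the SWA.
is_secret_id() {
  printf '%s\n' "$1" | grep -Eq '^https://[A-Za-z0-9-]+\.vault\.azure\.net/secrets/[A-Za-z0-9-]+/[0-9a-f]{32}$'
}

# Build the application-setting value the SWA resolves at runtime.
kv_reference() {
  is_secret_id "$1" || { echo "not a versioned Key Vault secret identifier: $1" >&2; return 1; }
  printf '@Microsoft.KeyVault(SecretUri=%s)' "$1"
}

# RBAC assignments can take a minute or two to propagate; retry data-plane calls that hit 403.
retry() {
  for _attempt in 1 2 3 4 5 6; do
    if "$@"; then return 0; fi
    echo "attempt $_attempt failed, retrying in 20s" >&2
    sleep 20
  done
  return 1
}

main() {
  # Key Vault with the Azure RBAC permission model instead of vault access policies.
  az keyvault create -n "$KV" -g "$RG" -l "$LOCATION" --enable-rbac-authorization true -o none
  kv_id=$(az keyvault show -n "$KV" -g "$RG" --query id -o tsv)

  # Secrets Officer for the operator who writes the secrets (az >= 2.37 exposes the user's "id").
  me=$(az ad signed-in-user show --query id -o tsv)
  az role assignment create --assignee-object-id "$me" --assignee-principal-type User \
    --role "Key Vault Secrets Officer" --scope "$kv_id" -o none

  # System-assigned managed identity on the SWA; principalId is the Object (principal) ID.
  principal=$(az staticwebapp identity assign -n "$SWA" -g "$RG" --query principalId -o tsv)

  # Read-only secret access for the SWA identity, scoped to this vault only.
  az role assignment create --assignee-object-id "$principal" --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$kv_id" -o none

  # One secret per setting; the app setting is pointed at the versioned identifier returned by Key Vault.
  for key in $SETTINGS; do
    name=$(kv_secret_name "$key")
    eval "value=\$$key"   # current value from the environment variable named after the setting
    secret_id=$(retry az keyvault secret set --vault-name "$KV" -n "$name" --value "$value" --query id -o tsv)
    az staticwebapp appsettings set -n "$SWA" -g "$RG" --setting-names "$key=$(kv_reference "$secret_id")" -o none
  done

  # Check: the SWA identity should hold only "Key Vault Secrets User" on the vault.
  az role assignment list --assignee "$principal" --scope "$kv_id" --query "[].roleDefinitionName" -o tsv
}

# Provision only when asked explicitly; sourcing the file for its helpers has no side effects.
if [ "${1:-}" = "provision" ]; then
  main
fi
```

The `retry` wrapper matters in practice: the first `az keyvault secret set` after the role assignment often fails with a 403 because the RBAC grant has not propagated yet, and without the retry the script would abort half-way with an identity that has access but no secrets to read.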

Reference

https://docs.microsoft.com/en-us/azure/static-web-apps/key-vault-secrets