Using keyvault references for app settings in a webapp with slots not working for the slots

Owin Gruters - iO 46

I have a webapp with 4 slots, default + 3. The appsetings with references to the keyvaults needs to be te same for all slots. Hence a non-slot setting appsetting should do the trick.

But it doesn't. According to this article https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#source-app-settings-from-key-vault: "most" app settings using key vault references should be marked as slot settings, as you should have separate vaults for each environment.

For my use case this is not the case, but it seems that ALL app settings have to be marked as slot setting, as my code cannot use the app setting value on the slots. (and yes the managed ID of the slot has LIST and GET access to the keyvault)

Is that correct, and if so, can that be changed? I can determine myself is this should be a slot setting or not.

Note that this only applies to appsetting with a keyvault reference, not non-secret values managed in the app settings themselves.

Regards

Grmacjon-MSFT 17,366 Reputation points

2024-06-26T06:12:00.1166667+00:00

Hello@Owin Gruters - iO Yes, generally all app settings with Key Vault references need to be marked as slot settings to function properly across slots. This behavior is likely due to how Azure App Service handles Key Vault references and slot swaps. When an app setting is not marked as a slot setting, it doesn't get "swapped" during a slot swap operation. However, the Key Vault reference resolution might be tied to the slot's identity, which does get swapped. Currently, there isn't a straightforward way to change this behavior that I am aware of, but I will reach out internally to the engineering to see if there is a work around for your scenario and get back to you
Owin Gruters - iO 46 Reputation points

2024-07-03T10:56:11.8866667+00:00

@Grmacjon-MSFT Love to hear the available workaround if there is one and preferably a fix.

1 answer

Ben Gimblett 3,840 Reputation points Microsoft Employee

2024-07-04T14:06:41.6666667+00:00

This works for me so long as I ensure both the app and the slot
(a) Is linked to a user msi
(b) make sure the user msi is assigned to the slot and that keyvault reference knows to use it as per https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli#access-vaults-with-a-user-assigned-identity

The user MSI is the same for the site and the slot
Slot

Site

KV REF (identical for site and slot)
Please sign in to rate this answer.
Ben Gimblett 3,840 Reputation points Microsoft Employee

2024-07-04T14:08:03.47+00:00

It wont work with an MSI because the MSI (which is the security context) is unique per app and the slot is just another app

Owin Gruters - iO 46 Reputation points

2024-07-04T14:53:08.93+00:00

@Ben Gimblett so you say it works with a user MSI instead of using a system assigned MSI, right?
It is still strange, because you might just as well also allow the slot system assigned MSI's permissions on the keyvaults. But that also does not work. And this is what I would expect to work,

Thanx for the workaround, I'll check it out
Sign in to comment

Share via

Using keyvault references for app settings in a webapp with slots not working for the slots

1 answer