Managed Identity access to KeyVault for Azure App Services

JAL 571 Reputation points
2021-01-09T23:57:34.447+00:00

To date we've been using client secrets and certificates to access Key Vault for our App Service apps. On the local machine, for purposes of debug mode, the developers maintain copies of these secrets and certificates. It would be nice if a managed identity could spare us this maintenance.

In this scenario, would I use:
(1) System-Assigned managed identity?
(2) User-Assigned?

Not all our developers have the same permissions in Azure. I'm worried that some won't be able to access Key Vault in debug mode. Is there a way to use RBAC to grant them permissions on the managed identity? And if so, what kind of permissions would they need? (I've never actually used RBAC.)

Azure App Service

Accepted answer
    KalyanChanumolu-MSFT 8,316 Reputation points
    2021-01-10T16:05:57.05+00:00

    @JAL Thank you for reaching out.

    If the developer has an account in the tenant, you should configure access policies with at least "Get" and "List" permissions. The developer should also login to Visual Studio with the same account.

    You can then use DefaultAzureCredential to seamlessly switch between local development and Managed Identity when deployed to App Service without any code changes.

    using System;                           // Uri
    using Azure.Identity;                   // DefaultAzureCredential (Azure.Identity NuGet package)
    using Azure.Security.KeyVault.Secrets;  // SecretClient (Azure.Security.KeyVault.Secrets NuGet package)
    // Create a secret client using the DefaultAzureCredential  
    var client = new SecretClient(new Uri("https://YOURVAULTNAME.vault.azure.net/"), new DefaultAzureCredential());  
    

    If developers do not have access to the tenant, authenticating via client credentials or client certificates is the only option right now.

    ----------

    If an answer is helpful, please "Accept answer" or "Up-Vote" for the same which might be beneficial to other community members reading this thread.
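The following C# program is an added example written for this thread; it is not code from the accepted answer or from Microsoft's samples. It shows the pattern the answer describes (one code path, DefaultAzureCredential picks the developer's signed-in account locally and the managed identity on App Service) and adds the narrowing a practitioner would want: in Azure the chain is cut down to the managed identity only, and locally the managed-identity and environment-variable credentials are skipped. It also covers the question's (1) versus (2): a user-assigned identity is selected by setting ManagedIdentityClientId, a system-assigned identity needs nothing. Assumptions: the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages; the placeholder vault URL from the answer; a hypothetical secret named DbConnectionString; the App Service environment variable WEBSITE_SITE_NAME as the "running in Azure" signal; and an environment variable MANAGED_IDENTITY_CLIENT_ID that you would set yourself (an assumed name, not one App Service defines).

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example, not from the original thread.
// Assumed: vault URL placeholder, hypothetical secret name "DbConnectionString",
// env var MANAGED_IDENTITY_CLIENT_ID (our own name) set only for a user-assigned identity.
class Program
{
    static async Task Main()
    {
        var vaultUri = new Uri("https://YOURVAULTNAME.vault.azure.net/");
        var options = new DefaultAzureCredentialOptions();

        // WEBSITE_SITE_NAME is set by App Service; treat its presence as "running in Azure".
        bool runningInAppService =
            !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME"));

        if (runningInAppService)
        {
            // In the cloud only the managed identity may be used. Exclude every
            // developer-tool and environment-variable credential so that a
            // misconfigured identity fails fast instead of silently falling
            // through to something else in the chain.
            options.ExcludeEnvironmentCredential = true;
            options.ExcludeSharedTokenCacheCredential = true;
            options.ExcludeVisualStudioCredential = true;
            options.ExcludeVisualStudioCodeCredential = true;
            options.ExcludeAzureCliCredential = true;
            options.ExcludeAzurePowerShellCredential = true;
            options.ExcludeInteractiveBrowserCredential = true;

            // (2) user-assigned identity: select it by client ID.
            // (1) system-assigned identity: leave ManagedIdentityClientId null.
            options.ManagedIdentityClientId =
                Environment.GetEnvironmentVariable("MANAGED_IDENTITY_CLIENT_ID");
        }
        else
        {
            // Locally: skip the managed-identity probe (it only times out off Azure)
            // and do not honour AZURE_CLIENT_SECRET-style variables, so developers
            // cannot quietly keep a client secret on their machine. What remains is
            // the account signed in to Visual Studio / VS Code / Azure CLI, which is
            // the account the answer says needs Get and List on the vault.
            options.ExcludeManagedIdentityCredential = true;
            options.ExcludeEnvironmentCredential = true;
        }

        var client = new SecretClient(vaultUri, new DefaultAzureCredential(options));

        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync("DbConnectionString");
            // Log metadata only; never write secret.Value to a log.
            Console.WriteLine($"Read '{secret.Name}' version {secret.Properties.Version}");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Token was issued, but this principal has no access policy on the vault:
            // grant it at least Get (and List if you enumerate secrets).
            Console.Error.WriteLine($"Vault access denied: {ex.ErrorCode}");
        }
        catch (AuthenticationFailedException ex)
        {
            // No credential in the (narrowed) chain could obtain a token, e.g. the
            // developer is not signed in, or the app has no managed identity enabled.
            Console.Error.WriteLine($"No usable credential: {ex.Message}");
        }
    }
}
```

Two points of the design worth noting. First, a 403 and an authentication failure are different problems: the first means the identity is fine and the vault's access policy is missing, the second means there is no identity at all; separating them saves a lot of debugging. Second, the exclusions are what make the "no code change" promise safe: without them DefaultAzureCredential on a production host will happily try Azure CLI or environment-variable credentials before giving up, which is rarely what you want.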


0 additional answers
