Provide Key Vault authentication with a managed identity

A managed identity from Azure Active Directory allows your app to easily access other Azure AD-protected resources. The identity is managed by the Azure platform and does not require you to provision or rotate any secrets. For more information, see Managed identities for Azure resources.

This article shows you how to create a managed identity for an App Service application and use it to access Azure Key Vault. For applications hosted in Azure VMs, see Use a Windows VM system-assigned managed identity to access Azure Key Vault.

Use Azure Cloud Shell

Azure hosts Azure Cloud Shell, an interactive shell environment that you can use through your browser. You can use either Bash or PowerShell with Cloud Shell to work with Azure services. You can use the Cloud Shell preinstalled commands to run the code in this article without having to install anything on your local environment.

To start Azure Cloud Shell, use one of the following options:

  1. Select Try It in the upper-right corner of a code block. Selecting Try It doesn't automatically copy the code to Cloud Shell.

  2. Go to https://shell.azure.com, or select the Launch Cloud Shell button to open Cloud Shell in your browser.

  3. Select the Cloud Shell button on the top-right menu bar in the Azure portal.

To run the code in this article in Azure Cloud Shell:

  1. Start Cloud Shell.

  2. Select the Copy button on a code block to copy the code.

  3. Paste the code into the Cloud Shell session by pressing Ctrl+Shift+V on Windows and Linux, or Cmd+Shift+V on macOS.

  4. Press Enter to run the code.

Prerequisites

To complete this guide, you must have the following resources.

Adding a system-assigned identity

First, you must add a system-assigned identity to an application.

Azure portal

To set up a managed identity in the portal, you will first create an application as normal and then enable the feature.

  1. If using a function app, navigate to Platform features. For other app types, scroll down to the Settings group in the left navigation.

  2. Select Managed identity.

  3. Within the System assigned tab, switch Status to On. Click Save.

Azure CLI

This article requires the Azure CLI version 2.0.4 or later. Run az --version to find your current version. If you need to install or upgrade, see Install the Azure CLI.

To sign in with Azure CLI, use the az login command:

az login

For more information on login options with the Azure CLI, see Sign in with Azure CLI.

To create the identity for this application, use the Azure CLI az webapp identity assign command (or, for a function app, the az functionapp identity assign command):

az webapp identity assign --name myApp --resource-group myResourceGroup
az functionapp identity assign --name myApp --resource-group myResourceGroup

Make a note of the principalId value in the output; you will need it in the next section.

{
  "principalId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "tenantId": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
  "type": "SystemAssigned"
}

Grant your app access to Key Vault

Azure portal

  1. Navigate to Key Vault resource.

  2. Select Access policies and click Add Access Policy.

  3. In Secret permissions, select Get, List.

  4. Choose Select Principal, and in the search field enter the name of the app. Select the app in the result list and click Select.

  5. Click Add to finish adding the new access policy.

Azure CLI

To grant your application access to your key vault, use the Azure CLI az keyvault set-policy command, passing the principalId you noted above as the --object-id parameter. Get and list on secrets are the only permissions this procedure grants; the identity receives no key or certificate permissions.

az keyvault set-policy --name myKeyVault --object-id <PrincipalId> --secret-permissions get list
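The CLI steps above, run end to end with a read-back check, as an added example that is not part of the original article: it captures the principalId directly from az, grants get and list on secrets, then queries the vault's access policies to confirm the identity received exactly those permissions and nothing on keys or certificates. The app, resource group and vault names are the article's placeholders, assumed here; the az calls need a signed-in session and are only executed when RUN_AZURE=1.

```shell
#!/usr/bin/env bash
# Added example, not from the article: run the CLI steps above end to end, then
# read the policy back to confirm the identity got exactly get+list on secrets.
# The app/group/vault names are the article's placeholders (assumed).
set -eu
APP_NAME="${APP_NAME:-myApp}"      # use `az functionapp` below for a function app
RG="${RG:-myResourceGroup}"
VAULT="${VAULT:-myKeyVault}"

# Step 1: enable the identity and return only its principalId
# (--query/-o tsv avoid hand-parsing the JSON block shown above).
assign_identity() {
  az webapp identity assign --name "$APP_NAME" --resource-group "$RG" \
    --query principalId -o tsv
}

# Step 2: read-only access to secrets, and nothing else.
grant_secret_read() {
  az keyvault set-policy --name "$VAULT" --object-id "$1" --secret-permissions get list
}

# Pure check (no az call): $1, $2, $3 are the secret, key and certificate
# permissions of one policy, one per line as `-o tsv` prints them. Succeeds
# only for exactly get+list on secrets and nothing on keys or certificates.
is_least_privilege() {
  secrets=$(printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]' | sed '/^$/d' | sort | tr '\n' ' ')
  keys=$(printf '%s' "$2" | tr -d '[:space:]')
  certs=$(printf '%s' "$3" | tr -d '[:space:]')
  [ "$secrets" = "get list " ] && [ -z "$keys" ] && [ -z "$certs" ]
}

# Step 3: read back what the vault actually stores for this objectId.
verify_policy() {
  q="properties.accessPolicies[?objectId=='$1'].permissions"
  is_least_privilege \
    "$(az keyvault show --name "$VAULT" --query "${q}.secrets[]" -o tsv)" \
    "$(az keyvault show --name "$VAULT" --query "${q}.keys[]" -o tsv)" \
    "$(az keyvault show --name "$VAULT" --query "${q}.certificates[]" -o tsv)"
}
main() {
  pid=$(assign_identity)
  grant_secret_read "$pid"
  if verify_policy "$pid"; then
    echo "ok: $pid has get,list on secrets only in $VAULT"
  else
    echo "unexpected permissions for $pid in $VAULT; review the access policy" >&2
    exit 1
  fi
}
# Set RUN_AZURE=1 to run against a real subscription (after az login).
if [ "${RUN_AZURE:-0}" = 1 ]; then main; fi
```

The is_least_privilege check also catches a policy that was widened later (for example set or delete on secrets, or any key permission), so it can be rerun as a periodic audit of the vault.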

Next steps