Store and Use Environment Variables from Azure Key Vault in Azure App Service

You can store and use environment variables from Azure Key Vault in Azure App Service to securely manage sensitive data. Azure Key Vault provides a secure way to store and manage sensitive data such as API keys, passwords, and certificates.

To use environment variables from Azure Key Vault, you'll need to create a Key Vault and add the variables you want to use in your App Service. This is a straightforward process that can be completed in just a few steps.

Azure Key Vault allows you to store sensitive data as secrets, which can then be retrieved and used in your App Service using environment variables. This provides an additional layer of security and helps to prevent sensitive data from being exposed in your code.

Azure App Service Environment Variables are a powerful tool for customizing your applications. They allow you to inject configuration settings directly into your code without having to hardcode them.

You can set environment variables in Azure App Service using prefixes like APPSETTING_, MAINSITE_, and SCMSITE_. These prefixes signify that the variable is set by the customer as an app setting in the app configuration.

For example, if you prefix a variable with APPSETTING_, it will be injected into a .NET app as an app setting.

Some common prefixes include APPSETTING_, MAINSITE_, SCMSITE_, and SQLCONNSTR_. These prefixes are used to signify different types of variables, such as app settings, custom connection strings, and SQL Server connection strings.

Here are some specific prefixes and their uses:

These are just a few examples of the many prefixes available in Azure App Service. By using the right prefix, you can ensure that your environment variables are injected correctly into your application.

To access Azure Key Vault from an Azure App Service, you can use managed identity to authenticate. Managed identity automatically manages application credentials. You can create a managed identity for your application platform using the Azure CLI command `az webapp-identity assign`.

To grant your application permissions to your key vault through Role-Based Access Control (RBAC), you can assign a role using the Azure CLI command `az role assignment create` or the Azure PowerShell cmdlet `New-AzRoleAssignment`. This will allow your application to access the key vault.

You can also use Azure Key Vault references for Azure App Service to directly reference Key Vault secrets as App Settings. This allows you to securely store your secrets in Key Vault without any code changes required in your application.

Azure App Service and Key Vault are powerful tools for managing your application's secrets and keys. You can store these sensitive values securely in Key Vault and then access them as environment variables in your App Service.

The environment variable prefixes used by App Service are crucial for this process. These prefixes signify the purpose of the variable and how it's injected into your application.

One of the most important prefixes is APPSETTING_, which signifies that a variable is set by the customer as an app setting in the app configuration. This prefix is injected into a .NET app as an app setting.

Other prefixes include MAINSITE_, SCMSITE_, SQLCONNSTR_, SQLAZURECONNSTR_, POSTGRESQLCONNSTR_, CUSTOMCONNSTR_, MYSQLCONNSTR_, AZUREFILESSTORAGE_, AZUREBLOBSTORAGE_, NOTIFICATIONHUBCONNSTR_, SERVICEBUSCONNSTR_, EVENTHUBCONNSTR_, DOCDBCONNSTR_, REDISCACHECONNSTR_, and FILESHARESTORAGE_. These prefixes signify specific purposes, such as connection strings for various databases and storage services.

Here's a summary of the prefixes and their purposes:

By understanding these prefixes, you can ensure that your application is accessing the correct variables and secrets from Key Vault.

In Azure App Service, environment variables can be used to store sensitive information, such as connection strings and API keys. You can configure these variables in the Azure portal or through the Azure CLI.

To link your Key Vault secret to an Azure Web App, you'll need to set the `WEBSITE_KEYVAULT_REFERENCES` environment variable. This variable contains information about all Key Vault references currently configured in the app.

The following table shows environment variable prefixes used by App Service for various purposes:

Caching is an essential feature in Azure App Service that helps improve performance by storing frequently accessed files locally on an instance. This is achieved through the dynamic cache, which caches recently accessed files locally, and is invalidated when the file is modified.

The dynamic cache can be enabled by setting the WEBSITE_DYNAMIC_CACHE variable to 1, which includes both file content and directory/file metadata. This is the default setting for Windows apps and Linux apps created with the WordPress template. For all other Linux apps, the default is 0.

To conserve local disk use, you can set the WEBSITE_DYNAMIC_CACHE variable to 2, which caches only directory/file metadata. This is particularly useful for apps that don't require full content caching.

Here are the available options for the WEBSITE_DYNAMIC_CACHE variable:

You can also disable write access to the app root by setting the WEBSITE_READONLY_APP variable to 1. This is useful when using dynamic cache, as it prevents deployments from getting blocked by locked files.

To configure your Azure App Service, you'll need to update your application code to retrieve a secret from Key Vault. This involves setting up web access to Key Vault and configuring your application to use it.

You can find the database connection string under the Umbraco:CMS:ConnectionStrings section in the appsettings.json file. The connection string can be edited by selecting Advanced Edit under Connection Strings.

The next step is to add the Azure Key Vault endpoint to the appsettings.json file. You can add this endpoint in the root or anywhere in the appsettings.json as long as it is resolved in the ConfigureAppConfiguration method.

To link your Key Vault Secret to an Azure Web App, you'll need to paste a JSON Object into the Application Settings. This Object should include the Key Vault name, secret name, and version ID. You can obtain the Secret Uri by visiting the specific version of your secret and copying the URL.

To set up Azure Key Vault secret store, create a component of type secretstores.azure.keyvault. This is a crucial step in configuring your Azure App Service.

You can refer to the secret store components guide for detailed instructions on how to create and apply a secret store configuration. This guide is a valuable resource for anyone looking to set up their Azure Key Vault secret store.

See the guide on referencing secrets to learn how to retrieve and use the secret with Dapr components. This is an essential step in integrating your secret store with your application.

You'll also need to configure the component, which is covered in the Configure the component section below. Make sure to check this section for specific instructions on how to complete this step.

Here's a quick summary of the steps to create a secret store configuration:

You can configure language-specific settings for your Azure App Service to ensure it's optimized for your target audience. This includes setting the default language and culture.

The default language setting determines the language in which the App Service's UI is displayed. You can set it to any language supported by Azure, such as English, Spanish, or French.

Language-specific settings also allow you to configure the culture, which affects how dates, times, and numbers are displayed in your App Service. For example, in the United States, the culture is set to en-US, while in France it's set to fr-FR.

You can configure language-specific settings at the App Service level or at the individual configuration file level. This gives you flexibility in managing language settings for your App Service.

Cross-Origin Resource Sharing (CORS) is an important configuration in Azure App Service that enables secure communication between different domains.

The WEBSITE_CORS_ALLOWED_ORIGINS environment variable shows the allowed origins for CORS, which is a read-only setting.

To enable CORS, you need to specify the allowed origins in the WEBSITE_CORS_ALLOWED_ORIGINS variable.

CORS also supports credentials, which can be enabled or disabled using the WEBSITE_CORS_SUPPORT_CREDENTIALS environment variable.

This setting determines whether the Access-Control-Allow-Credentials header is set to True or False.

Here's a summary of the CORS-related environment variables:

Performance counters in Azure App Service Configuration are a valuable tool for monitoring your application's performance. They provide a dynamic and changing view of your application's metrics.

The WEBSITE_COUNTERS_ASPNET variable returns a JSON object containing ASP.NET perf counters. This is useful for monitoring the performance of your ASP.NET application.

The WEBSITE_COUNTERS_APP variable returns a JSON object containing sandbox counters. This helps you monitor the performance of your sandboxed application.

The WEBSITE_COUNTERS_CLR variable returns a JSON object containing CLR counters. CLR counters are essential for monitoring the performance of the Common Language Runtime.

The WEBSITE_COUNTERS_ALL variable returns a JSON object containing the combination of the other three variables. This provides a comprehensive view of your application's performance counters.

Here's a summary of the performance counters available in Azure App Service Configuration:

To create an App Service plan, you can use the Azure CLI command az appservice plan create. This command is used to create an App Service plan named myAppServicePlan in the FREE pricing tier.

The Azure CLI displays information about the created App Service plan, which includes details such as the plan's name and pricing tier.

To configure the web, you'll need to connect your web app to Key Vault. This involves updating your application code to retrieve a secret from Key Vault.

You can find the database connection string under the Umbraco:CMS:ConnectionStrings section in the appsettings.json file. This is where you'll need to add the Azure Key Vault endpoint.

To do this, you'll need to add the endpoint in the root or anywhere in the appsettings.json as long as it is resolved in the ConfigureAppConfiguration method. One way to achieve this is to write an extension method for the WebApplicationBuilder.

Here's a step-by-step guide to adding the Azure Key Vault endpoint:

After adding the endpoint, you'll need to configure your application to use Key Vault. This involves adding configuration so that Key Vault is used. One way to achieve this is to write an extension method for the WebApplicationBuilder, as mentioned earlier.

To link your Key Vault secret to an Azure Web App, you'll need to follow these steps:

1. Open the Advanced Edit window for your Application Settings.

2. Paste in the following JSON Object inside the square brackets: `{ "keyvault-name": "{keyvault-name}", "secret-name": "{secret-name}", "version-id": "{version-id}" }`.

3. Wait a moment and refresh the screen. You should see a Green tick. If you do not have a Green tick, you need to review your Access Policies.

Similarly, you'll need to link your Key Vault secret to your App Settings. This involves pasting in the following JSON Object inside the square brackets: `{ "keyvault-name": "{keyvault-name}", "secret-name": "{secret-name}", "version-id": "{version-id}" }`.

Here's a comparison of the two JSON Objects:

Domain and DNS is an essential part of Azure App Service Configuration. You can configure your app's DNS settings to use a primary DNS server for outgoing connections.

The primary DNS server for outgoing connections is specified by the WEBSITE_DNS_SERVER setting, which defaults to Azure DNS with an IP address of 168.63.129.16. This setting is used by default if your app uses VNet integration or is in an App Service environment.

If the primary DNS server is unavailable, the app will use a fallback DNS server specified by the WEBSITE_DNS_ALT_SERVER setting. However, this setting is currently empty, indicating that no fallback DNS server has been configured.

You can also enable DNS caching by setting WEBSITE_ENABLE_DNS_CACHE to a value that allows successful DNS resolutions to be cached. By default, expired DNS cache entries will be flushed and the existing cache will be flushed every 4.5 minutes.

Here is a summary of the domain and DNS settings: