We welcome user feedback and feature requests!

← Web Apps

Allow App Service to Access Secret without version

Currently an App Service can access Secrets App Service Identity - but the secret version must be part of this configuration.

What would be helpful is to allow the App Service to get the latest version of the secret - that way a value can be centrally changed - without having to update the App Service configuration (to use the new version of the secret).

This will allow management of the data in the Key Vault - without requiring updates to the App Service to get the new value.

405 votes
Vote
Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
You have left! (?) (thinking…)
Greg Bryniarski shared this idea  ·   ·  Flag idea as inappropriate…  ·  Admin →

10 comments

Sign in
(thinking…)
Sign in with: Microsoft
Forgot password?
Create a password
Signed in as (Sign out)
Close
Close
Submitting...
An error occurred while saving the comment
  • PaulE commented  ·   ·  Flag as inappropriate

    At the very least, a quick and easy way to track down all of the App Services using the Vault would be helpful so we can manually update them when an Access Secret is updated. App Registrations have had a similar issue for several years, but it wasn't really possible to track down which apps were using the expiring(ed) secrets. Since the App Services are contained within Azure the same as Key Vault, it should be rather straightforward to update the App Service whenever the Key Vault Access Secret is updated. Or, at least notify the user of which App Services should be considered for update. A value in the Key Vault reference for the secretVersion of something like "latestSecret" would certainly give us all a leg up on managing App Services using Key Vault.

  • Timo Rahm commented  ·   ·  Flag as inappropriate

    In current preview version of Key Vault references for Application Settings it's possible to refer to latest version of a Key Vault Secret value without explicit version number like this: "@Microsoft.KeyVault(SecretUri=https://xyz.vault.azure.net/secrets/xyzConnectionString/)". This is logical and we like it.

    You have chosen to disable this feature in GA, enforcing customers to always use specific secret version identifier at the end of the uri. Please don't do that. At the very least, please move this to a new version of the Key Vault api so that going GA won't break existing deployments.

    When rotating secrets we have to create a new version of the secret value in Azure Portal, make note of the Version identifier and then go through all our ARM template parameter files of all tiers of deployment and paste the new identifier in. If the app code is not in deployable state at that point, we have to manually go through each running app's settings, update the Key Vault references and restart the apps to clear the caches.

    This is a time-consuming, error-prone manual process and causes serious gaps in service availability. It makes Key Vault practically unusable in such scenarios.

    Other (imho less feasible) option to fix this is to enable editing of a specific version of Key Vault secret value, so the version identifier of the secret value can stay unchanged.

  • Andy Welch commented  ·   ·  Flag as inappropriate

    KeyVault references in App Settings is a welcome improvement in KeyVault integration.
    One lingering aspect to improve, I think, is to allow us to expect the latest secret version - such that we can specify the secret name and can forget about versioning if we wish. Clearly versioning also supports a stricter process.

  • Anonymous commented  ·   ·  Flag as inappropriate

    is there anything we can do to help get this scheduled quickly? i do not want to write all of the tech debt code for each of the update scenarios that having this fixed would prevent me from having to write...

Web Apps

Categories

Feedback and Knowledge Base

(thinking…)
Hosted by UserVoice