How do I set 'keyVaultReferenceIdentity' in Azure AppService?

timtong1982 · September 27, 2021, 4:20pm

Use Key Vault references - Azure App Service | Microsoft Docs

mentioned:

userAssignedIdentityResourceId=$(az identity show -g MyResourceGroupName -n MyUserAssignedIdentityName --query id -o tsv)
appResourceId=$(az webapp show -g MyResourceGroupName -n MyAppName --query id -o tsv)
az rest --method PATCH --uri "${appResourceId}?api-version=2021-01-01" --body "{'properties':{'keyVaultReferenceIdentity':'${userAssignedIdentityResourceId}'}}"

but seems like TF Azure provider doesn’t support this.

orjan · September 28, 2021, 9:19pm

I don’t think it’s supported at the moment so I’ve opened this issue a couple of days ago:

github.com/hashicorp/terraform-provider-azurerm

Support for configuration of keyVaultReferenceIdentity in azurerm_app_service

opened 06:47PM - 16 Sep 21 UTC

orjan

### Community Note * Please vote on this issue by adding a 👍 [reaction](https…://blog.github.com/2016-03-10-add-reactions-to-pull-requests-issues-and-comments/) to the original issue to help the community and maintainers prioritize this request * Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request * If you are interested in working on this issue or have submitted a pull request, please leave a comment ### Description > Some apps need to reference secrets at creation time, when a system-assigned identity would not yet be available. In these cases, a user-assigned identity can be created and given access to the vault in advance. > - [Accessing key vault from app service](https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#access-vaults-with-a-user-assigned-identity) Today there's no way to configure this through terraform making it hard to resolve key vault values needed a startup e.g. `@Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)` so we'll need to resort to a manual configuration similar to the one below. ``` userAssignedIdentityResourceId=$(az identity show -g MyResourceGroupName -n MyUserAssignedIdentityName --query id -o tsv) appResourceId=$(az webapp show -g MyResourceGroupName -n MyAppName --query id -o tsv) az rest --method PATCH --uri "${appResourceId}?api-version=2021-01-01" --body "{'properties':{'keyVaultReferenceIdentity':'${userAssignedIdentityResourceId}'}}" ``` ### New or Affected Resource(s) * azurerm_app_service ### Potential Terraform Configuration I can imaging a configuration api similar to `acr_user_managed_identity_client_id`. It is [possible that we'll need a corresponding property](https://github.com/hashicorp/terraform-provider-azurerm/pull/12745#discussion_r678052703) like `acr_use_managed_identity_credentials` but I'm not sure? ```hcl resource "azurerm_app_service" "example" { site_config { key_vault_user_managed_identity_client_id = "0000-1111-2222" } } ``` ### References  * [Accessing key vault from app service](https://docs.microsoft.com/en-us/azure/app-service/app-service-key-vault-references#access-vaults-with-a-user-assigned-identity) * [app_service#acr_user_managed_identity_client_id](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/app_service#acr_user_managed_identity_client_id)

timtong1982 · October 1, 2021, 3:33am

thanks man, will keep eyes on your thread.

shreyansh.chordia · October 26, 2021, 7:35am

The provision for the same has been added now:

r/azurerm_app_service: Make key_vault_reference_identity_id configurable by patst · Pull Request #13720 · hashicorp/terraform-provider-azurerm · GitHub

Topic		Replies	Views
Getting system assigned managed identity id from app_service datasource Azure	1	4529	February 6, 2020
Unable to get SystemAssigned identity attributes Azure	1	1113	August 28, 2020
Azure - AppService + KeyVault gives circular dependency Azure	1	697	July 24, 2020
Azure App Service/Azure Container Registry Identity Azure	0	418	February 25, 2022
Azure AppService KeyVault Seal MSI Vault	0	632	September 28, 2022

How do I set 'keyVaultReferenceIdentity' in Azure AppService?

Related topics