We decided to use Azure App Configuration to store the backend's configuration. App Configuration can use Key Vault as its secret store. The App Service connects to App Configuration with a connection string. I configured references from App Configuration to Key Vault. After that I had to grant the App Service access to Key Vault so it can read the secret values, because the App Configuration permissions do not cover that: the connection string only authorises access to App Configuration itself, and Key Vault references are resolved by the application, which therefore needs its own identity with access to Key Vault.
How to grant the App Service access to Key Vault references in App Configuration with a user-assigned managed identity:
- Assign the user-assigned managed identity to the App Service.
- Add the user-assigned managed identity to the Key Vault access policies with the Get and List secret permissions, or, if the vault uses RBAC, assign it the "Key Vault Secrets User" role.
- Add an AZURE_CLIENT_ID App Service configuration setting (environment variable) whose value is the client ID of the user-assigned managed identity, so the credential picks that identity rather than the system-assigned one.
How to grant the App Service access to Key Vault references in App Configuration with a system-assigned managed identity:
- Enable the system-assigned managed identity on the App Service.
- Add the system-assigned managed identity to the Key Vault access policies with the Get and List secret permissions, or, if the vault uses RBAC, assign it the "Key Vault Secrets User" role.
Running a local instance of the application that uses Key Vault references in App Configuration can be a bit challenging. Read how to handle that here: https://learn.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core?tabs=core6x#grant-your-app-access-to-key-vault
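The application side of both setups above, as an added example (not code from the original post): an ASP.NET Core startup that connects to App Configuration with the connection string and supplies a separate credential for resolving Key Vault references. It assumes the connection string is stored in an App Service setting named "AppConfig:ConnectionString" and that "Backend:DbPassword" is a key whose value is a Key Vault reference (both names are hypothetical), and that the project has implicit usings enabled.

```csharp
using Azure.Identity;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;

var builder = WebApplication.CreateBuilder(args);

// Connection string for App Configuration itself. Setting name is assumed.
string appConfigConnectionString = builder.Configuration["AppConfig:ConnectionString"]
    ?? throw new InvalidOperationException("AppConfig:ConnectionString is not set");

builder.Configuration.AddAzureAppConfiguration(options =>
{
    options.Connect(appConfigConnectionString)
           .ConfigureKeyVault(kv =>
           {
               // The connection string only authorises reads of App Configuration.
               // Key Vault references are resolved by this process, so a separate
               // credential with Key Vault secret Get/List access is required:
               // - In App Service, DefaultAzureCredential uses the managed identity.
               //   With a user-assigned identity it selects the identity whose
               //   client ID is in the AZURE_CLIENT_ID app setting.
               // - Locally, it falls back to developer credentials (Azure CLI,
               //   Visual Studio, ...), which must then be granted the same
               //   Key Vault permissions.
               kv.SetCredential(new DefaultAzureCredential());
               // Alternative for a user-assigned identity without AZURE_CLIENT_ID:
               // kv.SetCredential(new ManagedIdentityCredential("<client-id>"));
           });
});

var app = builder.Build();

// Reports whether the Key Vault reference was resolved at startup without
// exposing the secret value; "Backend:DbPassword" is an assumed key.
app.MapGet("/ready", (IConfiguration cfg) =>
    cfg["Backend:DbPassword"] is null ? Results.StatusCode(503) : Results.Ok());

app.Run();
```

If the identity lacks Key Vault access, startup fails with a KeyVaultReferenceException from the App Configuration provider rather than silently returning the unresolved reference.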