0

I am currently working on a few services that use keyvault, authenticating with ClientCertificateCredential / Registered Apps. These are running on-premise.

Looking into using Azure App Configuration in a similar way, combined with keyvault. So a couple of questions arise:

  1. Can I authorize against App Configuration the same way as with KeyVault, using ClientCertificateCredential? If yes, how?

  2. If not, another option is to use a connection string against App Config. However, this is a secret, and should be stored in keyvault (absolutely not in appsettings.json). That means I have to access keyvault before setting up App Config. Is there a clean way to do this?

Or, perhaps there is something else I should consider.

Oyvind

1 Answer

-1

• Yes, you can surely authorize against App configuration as you do against key vault to retrieve client secrets, connection strings and other sensitive information with the help of managed identities. Managed identities create a service principal for the said application when enabled depending on the user to be assigned to that application or directly to the application itself as a system assigned managed identity that is created for the lifetime of that application.

By leveraging managed identity, it eliminates the need for an access token that contains secrets. Your code can access the App Configuration store using only the service endpoint. You can embed this URL in your code directly without exposing any secret.

• For more information on configuring managed identity to access the application configuration without exposing or leveraging any type of access token, please refer to the documentation link below:

https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core5x

Kartik Bhiwapurkar
  • I'm aware of the managed identity approach, but that looks kinda tied to App Services, which we're not using. I was hoping for an equivalent approach as we do with KeyVault (using Registered App / certificates). – Oyvind Feb 24 '22 at 13:52
  • I would actually like a better explanation of what you are looking for. Can you please explain in detail what the keyvault approach means? – Kartik Bhiwapurkar Mar 01 '22 at 19:53
  • Did a slight edit. We're running on-premise, and the services authenticate as Registered Apps using client certificates. Was hoping to access App Configuration the same way. – Oyvind Mar 02 '22 at 09:29
  • In the current feature set of App Configuration in Azure, certificate authentication to access App Configuration isn't supported. But you can surely use the access keys for authentication by storing them in Key Vault and then calling them; you can also use the Azure AD method of authentication to make your App Configuration access more secure. – Kartik Bhiwapurkar Mar 02 '22 at 12:55
  • Yep, I'm currently fetching the connection string using SecretClient during startup. Will take a look at the second option. – Oyvind Mar 07 '22 at 08:54
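
The Azure AD route mentioned in the last comments, as an added example that is not part of the thread: the registered app's `ClientCertificateCredential` is passed to the App Configuration provider as its token credential, so startup needs neither a connection string nor a prior Key Vault call. It assumes the app registration has the App Configuration Data Reader role on the store and read access to any referenced Key Vault secrets; the setting names and the `AppConfigBootstrap` class are hypothetical.

```csharp
// Added example, not from the thread. Needs the Azure.Identity,
// Microsoft.Extensions.Configuration.Json and
// Microsoft.Extensions.Configuration.AzureAppConfiguration packages.
using System;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

public static class AppConfigBootstrap
{
    public static IConfiguration Build()
    {
        // Only non-secret identifiers live in appsettings.json (key names are hypothetical).
        IConfiguration local = new ConfigurationBuilder()
            .AddJsonFile("appsettings.json", optional: false)
            .Build();
        string tenantId = Require(local, "AzureAd:TenantId");
        string clientId = Require(local, "AzureAd:ClientId");
        string thumbprint = Require(local, "AzureAd:CertificateThumbprint");
        var endpoint = new Uri(Require(local, "AppConfig:Endpoint"));

        var credential = new ClientCertificateCredential(tenantId, clientId, LoadCertificate(thumbprint));

        return new ConfigurationBuilder()
            .AddConfiguration(local)
            .AddAzureAppConfiguration(options =>
                options.Connect(endpoint, credential)
                       // Resolve Key Vault references with the same identity.
                       .ConfigureKeyVault(kv => kv.SetCredential(credential)))
            .Build();
    }

    private static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        // validOnly: false because app-registration certificates are often self-signed.
        var found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
        if (found.Count != 1)
            throw new InvalidOperationException($"Expected one certificate, found {found.Count}.");
        X509Certificate2 cert = found[0];
        if (!cert.HasPrivateKey || DateTime.Now > cert.NotAfter)
            throw new InvalidOperationException("Certificate is expired or has no private key.");
        return cert;
    }

    private static string Require(IConfiguration config, string key) =>
        config[key] ?? throw new InvalidOperationException($"Missing setting '{key}'.");
}
```

The service account running the process needs read access to the certificate's private key in the LocalMachine store; nothing in appsettings.json is a secret in this layout.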