
We are setting up an Azure App Service (Web app) that needs to get some secrets from a Key Vault. For this, we have enabled the system-assigned identity for the web app. The Key Vault is using RBAC, and we decided to create an Azure AD group to give access. We added a role assignment (Key Vault Secrets Officer) on the Key Vault for the Azure AD group.

In the app service, I can go to "Identity" and press the button for "Azure role assignments". Here I see the role assignment that was made.

However, if I go to Application settings, it says that it does not have access. I have given it about 3 hours, without success. I have restarted and updated other settings to trigger restart.


If I put myself in this Azure AD group, I get access to work with the secrets. Any ideas why this is the case? Is this not supported for RBAC yet?

Thanks!

mr3k
  • Access denied is probably more related to networking. Are there any firewall rules / VNet integration associated with this KV? – Thomas Jun 04 '22 at 05:51
  • Hi @Thomas! Unfortunately this is not caused by networking. – mr3k Jun 07 '22 at 11:09

1 Answer

I see you have given the Azure Key Vault Officer permission to the group.

NOTE:

  1. Please note that Azure AD groups with managed identities may require up to eight (8) hours to refresh tokens and become effective.
  2. The application also needs at least one Identity and Access Management (IAM) role assigned on the key vault, or else access policies, in order to access it.
  • Even if you have given a particular user the RBAC permission individually, your app needs the proper access permissions to access the key vault, i.e. the managed identity has been generated but not yet granted access on the key vault. So, go to the key vault in the Azure portal that needs to be accessed by the required Azure app service.
  • You can check the process of granting the needed access permissions in create-and-assign-a-managed-identity in Azure web app | Microsoft Docs.

You can give RBAC to that application/user/service principal, or give access policies as below.

  1. Under Settings in the Azure key vault, select the Access policies option from the left navigation and then click on Add access policy.

  2. Here make sure to select at least two permissions – Get and List – for the key permissions, secret permissions and certificate permissions inputs, which are the least possible permissions for an app service app to access the key vault. You can provide the other access permissions if needed.

  3. Under Select principal, choose the None selected link to open the Principal selection pane. Enter the name of the user/group, app or service principal in the search field, select the appropriate result, then choose Select. As you are using a managed identity for the app, select the name of the app in the app service itself by selecting Add and then saving the changes.

If your vault is configured with network restrictions, you must ensure the application has network access.

Please check Assign an Azure Key Vault access policy (CLI) | Microsoft Docs for details.

References:

  1. access-network-restricted-vaults
  2. Using Azure RBAC with Azure Key Vault - Joonas W's blog
kavyaS
  • Hi! Thank you for the reply. As described, we do not want to use access policies; instead we want to use RBAC. Do you see any trouble in us giving RBAC access through an Azure AD group for managed identities? I can confirm that this is working just fine for a regular identity, but not for the App Service system identity. – mr3k Jun 09 '22 at 14:10
  • @mr3k, have you changed the setting for the permission model on the Access policies tab to 'Azure role-based access control'? – kavyaS Jun 09 '22 at 14:30
  • Also please check [this](https://www.seb8iaan.com/azure-ad-role-assignable-groups/) and [this one](https://stackoverflow.com/questions/67658341/key-vault-access-denied-in-azure-web-app-configuration-setting), in case you are missing any steps. – kavyaS Jun 09 '22 at 14:51
  • Yes, I have confirmed the permission model is RBAC, and also checked the other links you sent. I can assign the web app's identity directly to the Key Vault for the role without problem, but when trying to inherit it through an Azure AD group it fails. Is this a limitation maybe? – mr3k Jun 10 '22 at 11:54
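The thread turns on two things: whether a role assigned to an Azure AD group reaches a managed identity that is a member of that group (the question), and the answer's point that the identity needs at least one role on the vault that actually grants the secret operation. The following is an added example, not code from the question, the answer or Microsoft; it models that RBAC resolution offline: expand the principal into the groups it belongs to (nested groups included), keep the assignments whose scope covers the vault, and check whether an assigned role's data actions match `Microsoft.KeyVault/vaults/secrets/getSecret/action`. All object IDs, resource IDs and group memberships are constructed placeholders, and the role definitions are a simplified subset of the built-in roles.

```python
"""Offline model of Azure RBAC resolution for a Key Vault data action.

Added example (not from the question or answer). Object ids, resource ids
and group memberships are constructed placeholders; ROLE_DEFINITIONS is a
simplified subset of the built-in roles' dataActions, not fetched from Azure.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

# Simplified, constructed subset of the built-in role definitions.
ROLE_DEFINITIONS = {
    "Key Vault Secrets Officer": {
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/*"],
        "notDataActions": []},
    "Key Vault Secrets User": {
        "dataActions": ["Microsoft.KeyVault/vaults/secrets/getSecret/action",
                        "Microsoft.KeyVault/vaults/secrets/readMetadata/action"],
        "notDataActions": []},
    # Reader is control-plane only: no data actions, so no secret access.
    "Reader": {"dataActions": [], "notDataActions": []},
}
GET_SECRET = "Microsoft.KeyVault/vaults/secrets/getSecret/action"


@dataclass(frozen=True)
class RoleAssignment:
    principal_id: str  # object id of a user, group or service principal
    role: str          # role definition name
    scope: str         # ARM resource id the assignment was created on


def expand_groups(principal_id, group_members):
    """Return the principal's id plus every group containing it, following
    nested membership. group_members maps group id -> set of member ids."""
    identities = {principal_id}
    changed = True
    while changed:
        changed = False
        for group, members in group_members.items():
            if group not in identities and members & identities:
                identities.add(group)
                changed = True
    return identities


def scope_covers(assignment_scope, resource_id):
    """An assignment applies to resources at or below its scope."""
    a = assignment_scope.rstrip("/").lower()
    r = resource_id.rstrip("/").lower()
    return r == a or r.startswith(a + "/")


def effective_assignments(principal_id, resource_id, assignments, group_members):
    """Assignments that reach the principal (directly or via groups) at the
    resource. An empty list means the identity has no role on the vault."""
    identities = expand_groups(principal_id, group_members)
    return [a for a in assignments
            if a.principal_id in identities and scope_covers(a.scope, resource_id)]


def _matches(patterns, action):
    # Action strings are case-insensitive and '*' is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def is_authorized(principal_id, resource_id, data_action, assignments, group_members):
    """True if some effective role grants data_action and does not exclude it."""
    for a in effective_assignments(principal_id, resource_id, assignments, group_members):
        d = ROLE_DEFINITIONS[a.role]
        if _matches(d["dataActions"], data_action) and not _matches(d["notDataActions"], data_action):
            return True
    return False


# Constructed sample tenant mirroring the question: role on a group, web app in the group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
VAULT_ID = SUB + "/resourceGroups/rg-app/providers/Microsoft.KeyVault/vaults/kv-app"
OTHER_VAULT_ID = SUB + "/resourceGroups/rg-other/providers/Microsoft.KeyVault/vaults/kv-other"
WEBAPP_MI = "11111111-1111-1111-1111-111111111111"  # web app system-assigned identity
NESTED_MI = "22222222-2222-2222-2222-222222222222"  # identity in a nested group
READER_MI = "33333333-3333-3333-3333-333333333333"  # identity holding only Reader
KV_GROUP = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # Azure AD group that holds the role
NESTED_GROUP = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
GROUP_MEMBERS = {KV_GROUP: {WEBAPP_MI, NESTED_GROUP}, NESTED_GROUP: {NESTED_MI}}
ASSIGNMENTS = [
    RoleAssignment(KV_GROUP, "Key Vault Secrets Officer", VAULT_ID),
    RoleAssignment(READER_MI, "Reader", SUB + "/resourceGroups/rg-app"),
]

if __name__ == "__main__":
    for name, pid in [("web app", WEBAPP_MI), ("nested", NESTED_MI), ("reader", READER_MI)]:
        roles = [a.role for a in effective_assignments(pid, VAULT_ID, ASSIGNMENTS, GROUP_MEMBERS)]
        ok = is_authorized(pid, VAULT_ID, GET_SECRET, ASSIGNMENTS, GROUP_MEMBERS)
        print(f"{name}: roles={roles} getSecret={'allowed' if ok else 'denied'}")
```

The model shows what a correctly propagated group assignment must yield: the web app's identity ends up with Key Vault Secrets Officer on the vault and getSecret is allowed, while an identity that only holds Reader (even at a parent scope) is denied because Reader carries no data actions. What the model cannot reproduce is the directory-side delay the answer mentions; to compare against what Azure has actually resolved, list the identity's assignments at the vault scope with `az role assignment list --assignee <principalId> --include-groups --scope <vaultResourceId>`, which includes assignments inherited through group membership.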