I have a Docker container that accesses Azure Key Vault. This works when I run it locally.

I set up an Azure web app to host my container, and it cannot access the key vault:

  Forbidden (HTTP 403). Failed to complete operation. Message:
Client address is not authorized and caller is not a trusted service.
Client address: 51.142.174.224 Caller:

I followed the suggestion from https://www.youtube.com/watch?v=QIXbyInGXd8 and I went to the web app in the portal to set status to on

Created an access policy

and then received the same error with a different IP:

  Forbidden (HTTP 403). Failed to complete operation. Message:
Client address is not authorized and caller is not a trusted service.
Client address: 4.234.201.129 Caller:

My web app IP address would change every time an update was made, so are there any suggestions on how to overcome this?

frank

2 Answers

It might depend on your exact use case and what you want to achieve with your tests, but you could consider using a test double instead of the real Azure Key Vault while running your app locally or on CI.

If you are interested please feel free to check out Lowkey Vault.

Esta Nagy

I found a solution by setting up a virtual network,

and then whitelisting it in the Key Vault access rights.

frank
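Added example, not part of either answer and not Azure's own code: a simplified Python model of how a Key Vault `networkAcls` block is evaluated, showing why both client addresses in the question got a 403 and why a virtual network rule for the web app's subnet fixes it regardless of the outbound IP. The subnet resource ID is a placeholder, the function names are hypothetical, and the model assumes the web app's traffic reaches the vault from its integrated subnet.

```python
import ipaddress

# Constructed sample: networkAcls of a Key Vault whose firewall denies by
# default. The subnet resource ID is a placeholder, not taken from the post.
SUBNET_ID = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
             "Microsoft.Network/virtualNetworks/<vnet>/subnets/<webapp-subnet>")
ACLS_BEFORE = {"defaultAction": "Deny", "bypass": "AzureServices",
               "ipRules": [], "virtualNetworkRules": []}
ACLS_AFTER = dict(ACLS_BEFORE, virtualNetworkRules=[{"id": SUBNET_ID}])


def evaluate(acls, client_ip, source_subnet_id=None, trusted_service=False):
    """Simplified model of the firewall decision (an assumption, not
    Azure's implementation). Returns (allowed, reason)."""
    if acls.get("defaultAction", "Allow") == "Allow":
        return True, "firewall disabled (defaultAction=Allow)"
    if trusted_service and acls.get("bypass") == "AzureServices":
        return True, "trusted-service bypass"
    if source_subnet_id:
        # Resource IDs are case-insensitive, so compare lowercased.
        allowed = {r["id"].lower() for r in acls.get("virtualNetworkRules", [])}
        if source_subnet_id.lower() in allowed:
            return True, "virtualNetworkRules match"
    addr = ipaddress.ip_address(client_ip)
    for rule in acls.get("ipRules", []):
        # ipRules values are single addresses or CIDR ranges.
        if addr in ipaddress.ip_network(rule["value"], strict=False):
            return True, "ipRules match: " + rule["value"]
    return False, "client address not authorized and caller not a trusted service"


def audit_ip_rules(acls, max_prefix=24):
    """Flag ipRules broader than /max_prefix: allow-listing wide ranges to
    chase changing outbound addresses weakens the firewall."""
    return [r["value"] for r in acls.get("ipRules", [])
            if ipaddress.ip_network(r["value"], strict=False).prefixlen < max_prefix]


if __name__ == "__main__":
    for ip in ("51.142.174.224", "4.234.201.129"):  # addresses from the errors above
        print(ip, "before:", evaluate(ACLS_BEFORE, ip))
        print(ip, "after: ", evaluate(ACLS_AFTER, ip, source_subnet_id=SUBNET_ID))
```
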