---
title: Tutorial - Create a service connection and store secrets into Key Vault
description: Tutorial showing how to create a service connection and store secrets into Key Vault
author: maud-lv
ms.author: malev
ms.service: service-connector
ms.custom: event-tier1-build-2022
ms.topic: tutorial
ms.date: 05/23/2022
---
Azure Key Vault is a cloud service that provides a secure store for keys, passwords, certificates, and other secrets. When you create a service connection with Service Connector, you can have the access key or client secret for the target service written into a connected key vault instead of being kept as plaintext in your app's configuration; the app setting then holds only a Key Vault reference. In this tutorial, you'll complete the following tasks using the Azure portal. Both authentication methods that support this, connection string (access key) and service principal, are covered in the procedures below.
[!div class="checklist"]
- Create a service connection to Azure Key Vault in Azure App Service
- Create a service connection to Azure Blob Storage and store secrets in Key Vault
- View secrets in Key Vault
To create a service connection and store secrets in Key Vault with Service Connector, you need:
- Basic knowledge of using Service Connector.
- An Azure account with an active subscription. Create an account for free.
- An app hosted on App Service. If you don't have one yet, create and deploy an app to App Service.
- An Azure Key Vault. If you don't have one, create an Azure Key Vault.
- Another target service instance supported by Service Connector. In this tutorial, you'll use Azure Blob Storage.
- Read and write access to the App Service, the Key Vault, and the target service.
To store your connection access keys and secrets into a key vault, start by connecting your App Service to a key vault.

1. Select the All resources button on the left of the Azure portal. Type App Service in the filter and select the name of the App Service you want to use from the list.
1. Select Service Connector from the left table of contents. Then select Create.
1. Select or enter the following settings.

   | Setting | Suggested value | Description |
   |---|---|---|
   | Service type | Key Vault | Target service type. If you don't have a Key Vault, you need to create one. |
   | Subscription | One of your subscriptions | The subscription in which your target service is deployed. The target service is the service you want to connect to. The default value is the subscription listed for the App Service. |
   | Connection name | Generated unique name | The connection name that identifies the connection between your App Service and target service. |
   | Key vault name | Your Key Vault name | The target Key Vault you want to connect to. |
   | Client type | The same app stack on this App Service | Your application stack that works with the target service you selected. The default value comes from the App Service runtime stack. |

1. Select Next: Authentication to select the authentication type. Then select System assigned managed identity to connect your Key Vault. With a managed identity, the App Service authenticates to the vault with its own identity, so no credential for the vault itself has to be stored anywhere.
1. Select Next: Network to select the network configuration. Then select Enable firewall settings to update the firewall allowlist in Key Vault so that your App Service can reach the Key Vault.
1. Select Next: Review + Create to review the provided information. Select Create to create the service connection. It can take one minute to complete the operation.
Now you can create a service connection to another target service and have its access key or service principal secret stored directly in the connected Key Vault. Storing the secret in Key Vault is available when the connection authenticates with a connection string/access key or with a service principal. Blob Storage is used as the example below; follow the same process for other target services.
1. Select the All resources button on the left of the Azure portal. Type App Service in the filter and select the name of the App Service you want to use from the list.
1. Select Service Connector from the left table of contents. Then select Create.
1. Select or enter the following settings.

   | Setting | Suggested value | Description |
   |---|---|---|
   | Service type | Blob Storage | Target service type. If you don't have a Storage Blob container, you can create one or use another service type. |
   | Subscription | One of your subscriptions | The subscription in which your target service is deployed. The target service is the service you want to connect to. The default value is the subscription listed for the App Service. |
   | Connection name | Generated unique name | The connection name that identifies the connection between your App Service and target service. |
   | Storage account | Your storage account | The target storage account you want to connect to. If you choose a different service type, select the corresponding target service instance. |
   | Client type | The same app stack on this App Service | Your application stack that works with the target service you selected. The default value comes from the App Service runtime stack. |

1. Select Next: Authentication to select the authentication type. Then select Connection string to use an access key to connect your Blob storage account.

   | Setting | Suggested value | Description |
   |---|---|---|
   | Store Secret to Key Vault | Check | This option lets Service Connector store the connection string/access key into your Key Vault. |
   | Key Vault connection | One of your Key Vault connections | Select the Key Vault in which you want to store your connection string/access key. |

1. Select Next: Network to select the network configuration. Then select Enable firewall settings to update the firewall allowlist in Key Vault so that your App Service can reach the Key Vault.
1. Select Next: Review + Create to review the provided information. Then select Create to create the service connection. It might take one minute to complete the operation.
To authenticate to Blob Storage with a service principal instead of an access key, follow the same steps but choose Service Principal on the Authentication tab:

1. Select the All resources button on the left of the Azure portal. Type App Service in the filter and select the name of the App Service you want to use from the list.
1. Select Service Connector from the left table of contents. Then select Create.
1. Select or enter the following settings.

   | Setting | Suggested value | Description |
   |---|---|---|
   | Service type | Blob Storage | Target service type. If you don't have a Storage Blob container, you can create one or use another service type. |
   | Subscription | One of your subscriptions | The subscription in which your target service is deployed. The target service is the service you want to connect to. The default value is the subscription listed for the App Service. |
   | Connection name | Generated unique name | The connection name that identifies the connection between your App Service and target service. |
   | Storage account | Your storage account | The target storage account you want to connect to. If you choose a different service type, select the corresponding target service instance. |
   | Client type | The same app stack for this App Service | Your application stack that works with the target service you selected. The default value comes from the App Service runtime stack. |

1. Select Next: Authentication to select the authentication type. Then select Service Principal to connect your Blob storage account with a service principal.

   | Setting | Suggested value | Description |
   |---|---|---|
   | Service Principal object ID or name | Choose the Service Principal you want to use to connect to Blob Storage from the list | The Service Principal in your subscription that is used to connect to the target service. |
   | Store Secret to Key Vault | Check | This option lets Service Connector store the service principal ID and secret into Key Vault. |
   | Key Vault connection | One of your Key Vault connections | Select the Key Vault in which you want to store your service principal ID and secret. |

1. Select Next: Network to select the network configuration. Then select Enable firewall settings to update the firewall allowlist in Key Vault so that your App Service can reach the Key Vault.
1. Select Next: Review + Create to review the provided information. Then select Create to create the service connection. It might take one minute to complete the operation.
1. Expand the Blob Storage connection and select Hidden value. Click to show value. The value is a Key Vault reference, not the connection string itself; the connection string is stored in the vault.
1. Select the Key Vault in the Service Type column of your Key Vault connection. You'll be redirected to the Key Vault portal page.
1. Select Secrets in the Key Vault left table of contents, and select the blob storage secret name.

   > [!TIP]
   > Don't have permission to list secrets? Refer to troubleshooting.

1. Select a version ID from the Current Version list.
1. Select the Show Secret Value button and you'll see the actual connection string of this blob storage connection.
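The check above is done by hand for one connection. To confirm the same outcome across all of an app's settings, here is an added example (not from this tutorial, and not Service Connector's own code) that classifies each app setting as a Key Vault reference, as plaintext credential material, or as something else. It parses both Key Vault reference syntaxes that App Service accepts, SecretUri and VaultName;SecretName;SecretVersion. The setting names and values below are constructed samples shaped like the JSON that `az webapp config appsettings list` returns; they are not names or values Service Connector guarantees.

```python
"""Audit App Service app settings for plaintext secrets that should be Key Vault references.

Added example for the Service Connector tutorial; not part of the tutorial or of
Service Connector. SAMPLE_SETTINGS is constructed data shaped like the output of
`az webapp config appsettings list`; the setting names are assumptions.
"""
import re

# The two Key Vault reference syntaxes App Service resolves in app settings.
KV_REFERENCE_PATTERNS = (
    # @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
    re.compile(
        r"^@Microsoft\.KeyVault\(SecretUri=https://(?P<vault>[A-Za-z0-9-]+)\.vault\.azure\.net"
        r"/secrets/(?P<name>[A-Za-z0-9-]+)(?:/(?P<version>[0-9a-fA-F]{32}))?/?\)$"
    ),
    # @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
    re.compile(
        r"^@Microsoft\.KeyVault\(VaultName=(?P<vault>[A-Za-z0-9-]+);SecretName=(?P<name>[A-Za-z0-9-]+)"
        r"(?:;SecretVersion=(?P<version>[0-9a-fA-F]{32}))?\)$"
    ),
)

# Heuristics for credential material that should not sit in app settings as plaintext.
PLAINTEXT_PATTERNS = {
    "storage-account-key": re.compile(r"AccountKey=[A-Za-z0-9+/]{20,}={0,2}"),
    "shared-access-signature": re.compile(r"(?:^|[?&;])sig=[A-Za-z0-9%+/=]{20,}"),
    "client-secret-or-password": re.compile(r"(?i)(?:clientsecret|client_secret|password|pwd)=\S+"),
}


def parse_keyvault_reference(value):
    """Return {'vault', 'name', 'version'} for a Key Vault reference, else None.

    'version' is None when the reference omits it (App Service then resolves the latest version).
    An http:// URI or a malformed reference is rejected, since App Service would not resolve it.
    """
    for pattern in KV_REFERENCE_PATTERNS:
        match = pattern.match(value.strip())
        if match:
            return match.groupdict()
    return None


def classify_setting(value):
    """Classify one app setting value: 'keyvault-reference', 'plaintext:<kind>' or 'other'."""
    if parse_keyvault_reference(value) is not None:
        return "keyvault-reference"
    for kind, pattern in PLAINTEXT_PATTERNS.items():
        if pattern.search(value):
            return "plaintext:" + kind
    return "other"


def audit_app_settings(settings):
    """Return the sorted names of settings whose values hold plaintext credential material."""
    return sorted(
        s["name"] for s in settings if classify_setting(s["value"]).startswith("plaintext:")
    )


# Constructed sample, shaped like `az webapp config appsettings list` output (names are assumptions).
SAMPLE_SETTINGS = [
    {
        "name": "AZURE_STORAGEBLOB_CONNECTIONSTRING",
        "value": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/"
                 "AZURE-STORAGEBLOB-CONNECTIONSTRING/0123456789abcdef0123456789abcdef)",
    },
    {
        "name": "AZURE_STORAGEBLOB_CLIENTSECRET",
        "value": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=AZURE-STORAGEBLOB-CLIENTSECRET)",
    },
    {
        # A connection string pasted in directly: the account key is exposed to anyone who can read settings.
        "name": "LEGACY_STORAGE_CONNECTIONSTRING",
        "value": "DefaultEndpointsProtocol=https;AccountName=contoso;AccountKey="
                 + "A" * 86 + "==;EndpointSuffix=core.windows.net",
    },
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": "1"},
]

if __name__ == "__main__":
    for setting in SAMPLE_SETTINGS:
        print(f"{setting['name']:<40} {classify_setting(setting['value'])}")
    print("plaintext findings:", audit_app_settings(SAMPLE_SETTINGS))
```

To run this against a real app, load the JSON from `az webapp config appsettings list --name <app> --resource-group <rg>` and pass it to `audit_app_settings`. If your running application receives the literal `@Microsoft.KeyVault(...)` string instead of the secret, the reference was not resolved; that usually means the app's managed identity is not allowed to get secrets from the vault or the vault firewall blocks the app, which are exactly the managed identity and Enable firewall settings choices made in the steps above.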
When no longer needed, delete the resource group and all related resources created for this tutorial. To do so, select a resource group or the individual resources you created and select Delete.
[!div class="nextstepaction"] Service Connector internals