We’re excited to announce a major enhancement to the deployment experience for Strapi on Azure App Service. Building on the foundation laid out in our overview, quick start, and FAQ, this update introduces automated and secure secrets management using Azure Key Vault.
What’s New?
The updated ARM template now provisions an Azure Key Vault instance alongside your Strapi application. This integration enables secure storage of sensitive credentials such as database passwords and Strapi-specific secrets. Here’s what makes this enhancement powerful:
- Secure by Default: Public access to the Key Vault is disabled out of the box. Instead, private endpoints are configured to ensure secure communication within your virtual network.
- Auto-Generated Secrets: Strapi secrets are now automatically generated as secure random keys during deployment. These are injected directly into Key Vault and referenced by the app, removing the need for manual secret setup.
- Managed Identity Integration: The app’s managed identity is automatically granted access to the secrets it needs, eliminating manual configuration steps.
- Production Flexibility: While auto-generated secrets simplify initial deployment, you can still update them for production use. Refer to our documentation on updating secrets securely.
Why It Matters
This enhancement builds on the robust foundation of Strapi on Azure App Service, which already includes integration with services like Azure Database for MySQL/PostgreSQL, Blob Storage, Managed Identity, and Virtual Network.
By automating secrets management, we reduce friction for developers and improve security posture for production workloads.
This enhancement simplifies the deployment process while strengthening security. Whether you're building editorial platforms, e-commerce backends, or corporate websites, this update ensures your Strapi app is production-ready from day one.
Automated Secrets Generation
Strapi secrets are now auto-generated during deployment and securely stored in Azure Key Vault. These include:
- App Keys: A comma-separated list of secret keys used to sign session cookies via Strapi’s session middleware.
- JWT Secret: Used to sign JWTs for the Users-Permissions plugin.
- Admin JWT Secret: Used to sign JWTs for the Strapi Admin panel.
- API Token Salt: Salt for generating API tokens. Required for authenticated API features.
- Transfer Token Salt: Salt for generating transfer tokens used in data migration between Strapi instances.
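If you replace the auto-generated values for production, the new set should be as strong as what the template creates. The following is an added example, not code from the ARM template or from Strapi: it generates the five secrets with Node's CSPRNG and audits a set before it goes into Key Vault. The environment variable names are the ones Strapi reads; the minimum length, key counts, placeholder pattern, and sample values are assumptions of this example.

```javascript
const crypto = require('node:crypto');

// Environment variable names Strapi reads for the single-value secrets listed above.
const SINGLE = ['JWT_SECRET', 'ADMIN_JWT_SECRET', 'API_TOKEN_SALT', 'TRANSFER_TOKEN_SALT'];
const MIN_BYTES = 16;    // assumption: smallest decoded length this audit accepts
const APP_KEY_COUNT = 4; // assumption: number of keys generated for APP_KEYS

// 32 random bytes from the OS CSPRNG, base64-encoded.
const newKey = () => crypto.randomBytes(32).toString('base64');

function generateSecrets() {
  const secrets = { APP_KEYS: Array.from({ length: APP_KEY_COUNT }, newKey).join(',') };
  for (const name of SINGLE) secrets[name] = newKey();
  return secrets;
}

// Returns a list of problems; an empty list means the set passes.
function auditSecrets(env) {
  const problems = [];
  const seen = new Map(); // value -> first label that used it
  const check = (label, value) => {
    if (!value) { problems.push(`${label}: missing`); return; }
    // Assumed placeholder pattern, as found in sample .env files.
    if (/^tobemodified\d*$/i.test(value)) problems.push(`${label}: placeholder value`);
    else if (Buffer.from(value, 'base64').length < MIN_BYTES) problems.push(`${label}: too short`);
    // Reusing one value across purposes means one leak compromises several features.
    if (seen.has(value)) problems.push(`${label}: same value as ${seen.get(value)}`);
    else seen.set(value, label);
  };
  const appKeys = (env.APP_KEYS || '').split(',').map((k) => k.trim()).filter(Boolean);
  // Assumption: require at least two keys so one can be rotated out.
  if (appKeys.length < 2) problems.push('APP_KEYS: fewer than 2 keys');
  appKeys.forEach((key, i) => check(`APP_KEYS[${i}]`, key));
  for (const name of SINGLE) check(name, env[name]);
  return problems;
}

// Constructed sample of a weak configuration (not real secrets).
const CONSTRUCTED_WEAK = {
  APP_KEYS: 'toBeModified1,toBeModified2',
  JWT_SECRET: 'c2hvcnQ=',
  ADMIN_JWT_SECRET: 'c2hvcnQ=',
  API_TOKEN_SALT: Buffer.alloc(32, 7).toString('base64'),
  // TRANSFER_TOKEN_SALT intentionally absent
};

console.log(auditSecrets(generateSecrets())); // fresh set: no problems
console.log(auditSecrets(CONSTRUCTED_WEAK));  // lists each weakness
```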
Get Started
To try out the new template, head over to the Strapi on App Service Quick Start Guide.
Related content
- Strapi on App Service - Overview
- How to deploy Strapi on App Service: Quick start guide
- Hosting Strapi on App Service - FAQ
Support and Feedback
The Strapi deployment templates shared in this blog post are not a managed solution. Strapi is a third-party software platform, and Microsoft Customer Support and Services (CSS) will not support Strapi-related issues. Microsoft only provides support for the underlying Azure infrastructure and the services used in the solution. If you need any assistance, feel free to open a support request through the Microsoft Azure portal (New support request - Microsoft Azure).
We value your feedback and suggestions to help us enhance our solution. Please feel free to share your thoughts or start a conversation by emailing us at strapionappservice@microsoft.com.