WebApps calling KeyVault for secrets

Hi,

I have a web app that needs to look up key/values in the key vault.

I have assigned identity to the web app and set permissions on KeyVault, but do I still need to enable access on the key vault firewall for the outbound IP of the WebApp? Hard to manage if the WebApp is stopped as the IP will change?

Is there a better way?

1 Reply

@JacksWastedLife you need not do anything with the IP address. Your current setup should be able to pull the keys/secrets from the AKV.

Are you using any vNET?