---
ms.topic: include
ms.date: 10/26/2021
ms.reviewer: jordanselig
ms.custom: devx-track-azurecli
ms.service: azure-app-service
---
  1. Configure the Foundry Tools secrets as app settings CS_ACCOUNT_NAME and CS_ACCOUNT_KEY.

    # Get subscription key for Cognitive Services resource
    csKey1=$(az cognitiveservices account keys list --resource-group $groupName --name $csResourceName --query key1 --output tsv)
    
    az webapp config appsettings set --resource-group $groupName --name $appName --settings CS_ACCOUNT_NAME="$csResourceName" CS_ACCOUNT_KEY="$csKey1"
    
  2. In the browser, navigate to your deployed app at <app-name>.azurewebsites.net and try out the language detector with strings in various languages.

    Screenshot that shows deployed language detector app in App Service.

    If you look at the application code, you may notice the debug output for the detection results in the same font color as the background. You can see it by trying to highlight the white space directly below the result.

Secure back-end connectivity

At the moment, connection secrets are stored as app settings in your App Service app. This approach already keeps connection secrets out of your application codebase. However, any contributor who can manage your app can also see the app settings. In this step, you move the connection secrets to a key vault and lock down access so that only you can manage it and only the App Service app can read it, using its managed identity.

  1. Create a key vault. Replace <vault-name> with a unique name.

    # Save vault name as variable for convenience
    vaultName=<vault-name>
    
    az keyvault create --resource-group $groupName --name $vaultName --location $region --sku standard --enable-rbac-authorization
    

    The --enable-rbac-authorization parameter sets Azure role-based access control (RBAC) as the permission model. By default, this setting invalidates all access policy permissions.

  2. Give yourself the Key Vault Secrets Officer RBAC role for the vault.

    vaultResourceId=$(az keyvault show --name $vaultName --query id --output tsv)
    myId=$(az ad signed-in-user show --query id --output tsv)
    az role assignment create --role "Key Vault Secrets Officer" --assignee-object-id $myId --assignee-principal-type User --scope $vaultResourceId
    
  3. Enable the system-assigned managed identity for your app, and give it the Key Vault Secrets User RBAC role for the vault.

    az webapp identity assign --resource-group $groupName --name $appName --scope $vaultResourceId --role "Key Vault Secrets User"
    
  4. Add the Azure AI services resource name and subscription key as secrets to the vault, and save their IDs as environment variables for the next step.

    csResourceKVUri=$(az keyvault secret set --vault-name $vaultName --name csresource --value $csResourceName --query id --output tsv)
    csKeyKVUri=$(az keyvault secret set --vault-name $vaultName --name cskey --value $csKey1 --query id --output tsv)
    
  5. Previously, you set the secrets as app settings CS_ACCOUNT_NAME and CS_ACCOUNT_KEY in your app. Now, set them as key vault references instead.

    az webapp config appsettings set --resource-group $groupName --name $appName --settings CS_ACCOUNT_NAME="@Microsoft.KeyVault(SecretUri=$csResourceKVUri)" CS_ACCOUNT_KEY="@Microsoft.KeyVault(SecretUri=$csKeyKVUri)"
    
  6. In the browser, navigate to <app-name>.azurewebsites.net again. If you get detection results back, then you're connecting to the Azure AI Services endpoint with key vault references.

Congratulations, your app is now connecting to Foundry Tools using secrets kept in your key vault, without any changes to your application code.
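The reason for step 5 above is that a plaintext value in an app setting is readable by anyone who can manage the app, while a `@Microsoft.KeyVault(...)` reference exposes only a pointer that the app resolves at runtime through its managed identity. The following script is an added example (not part of this tutorial or of the Azure CLI) that audits a list of app settings and reports secret-looking settings that are still stored in plaintext. It checks both the `SecretUri=` form shown in step 5 and the alternate documented `VaultName=...;SecretName=...` form, which this page does not use. The input is a constructed name/value list in the shape you would get from `az webapp config appsettings list --query "[].[name,value]" --output tsv`; the vault name `contoso-kv`, the secret version string, and the `LEGACY_KEY` setting are made up for the demonstration, and the name patterns treated as "secret-looking" are the script's own assumption.

```shell
#!/bin/sh
# Audit App Service app settings for secrets that are not Key Vault references.
# Added example; the settings below are constructed, not real CLI output.

# Constructed sample: one "name<TAB>value" line per setting, as
# `az webapp config appsettings list --query "[].[name,value]" -o tsv` prints.
SAMPLE_SETTINGS=$(printf '%s\t%s\n' \
  'CS_ACCOUNT_NAME' '@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/csresource/0123456789abcdef0123456789abcdef)' \
  'CS_ACCOUNT_KEY'  '@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=cskey)' \
  'LEGACY_KEY'      '0000000000000000000000000000000000000000' \
  'WEBSITE_RUN_FROM_PACKAGE' '1')

# Return 0 when $1 is a syntactically valid Key Vault reference in either
# documented form:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>[/<version>])
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>[;SecretVersion=<version>])
is_keyvault_reference() {
  printf '%s' "$1" | grep -Eq \
    '^@Microsoft\.KeyVault\((SecretUri=https://[A-Za-z0-9-]+\.vault\.azure\.net/secrets/[A-Za-z0-9-]+(/[0-9a-f]{32})?/?|VaultName=[A-Za-z0-9-]+;SecretName=[A-Za-z0-9-]+(;SecretVersion=[0-9a-f]{32})?)\)$'
}

# Read "name<TAB>value" lines from $1 and print the names of settings whose
# name suggests a secret but whose value is not a Key Vault reference.
# The name patterns are an assumption; extend them for your own naming scheme.
find_plaintext_secrets() {
  printf '%s\n' "$1" | while IFS="$(printf '\t')" read -r name value; do
    [ -n "$name" ] || continue
    case "$name" in
      *KEY*|*SECRET*|*PASSWORD*|*PASSWD*|*TOKEN*|*CONNECTIONSTRING*|*CONN_STR*)
        is_keyvault_reference "$value" || printf '%s\n' "$name"
        ;;
    esac
  done
}

# Report on the constructed sample: only LEGACY_KEY is still plaintext.
find_plaintext_secrets "$SAMPLE_SETTINGS"
```

To run this against a real app, replace `SAMPLE_SETTINGS` with the output of the `az webapp config appsettings list` query shown in the lead-in; the check is purely syntactic, so a reference that points at a secret the app's identity cannot read will still pass here and only fail at runtime, which step 6 of the procedure catches.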

Clean up resources

In the preceding steps, you created Azure resources in a resource group. If you don't expect to need these resources in the future, delete the resource group by running the following command in the Cloud Shell:

az group delete --name $groupName

This command may take a minute to run.

Next steps