Azure app configuration with no secrets using Azure managed identity

Most applications have secrets, and those secrets often end up in the app settings. If they get into the hands of someone evil, the consequences can be dire. Better not to have such settings at all! That's where TokenCredentials and managed identity come in.

Connecting to the app configuration

When using feature flags, connecting to App Configuration with a connection string (which embeds an access key, i.e. a secret that has to be stored and rotated) usually looks something like this.

config.AddAzureAppConfiguration(options =>
{
    // The connection string holds the store's access key: a secret in app settings.
    options.Connect(settings["ConnectionStrings:AppConfig"]).UseFeatureFlags();
});

The .Connect method has an overload that takes a Uri and a TokenCredential instead. A TokenCredential lets us choose between a number of authentication options; in our case ManagedIdentityCredential in production and AzureCliCredential locally. You can also use DefaultAzureCredential, which walks through a chain of authentication methods until one succeeds.

The Azure.Identity documentation describes DefaultAzureCredential like this: "Provides a default TokenCredential authentication flow for applications that will be deployed to Azure. The following credential types if enabled will be tried, in order:"

  • EnvironmentCredential
  • ManagedIdentityCredential
  • SharedTokenCacheCredential
  • VisualStudioCredential
  • VisualStudioCodeCredential
  • AzureCliCredential
  • InteractiveBrowserCredential

It's also possible to create a ChainedTokenCredential from exactly the credentials you want, which keeps the chain short and avoids a production pod silently falling through to a developer credential.

The Uri for an app configuration usually looks like this: https://appname.azconfig.io.

Let's add it all together.

config.AddAzureAppConfiguration(options =>
{
    // Endpoint plus credential: no access key anywhere in app settings.
    options.Connect(new Uri("https://my-app-config.azconfig.io"), new DefaultAzureCredential()).UseFeatureFlags();
});
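Here is an added example (not code from the original post) that makes the production/local split explicit rather than relying on DefaultAzureCredential's full probe chain: ManagedIdentityCredential in production, pinned to the user-assigned identity's client ID, and a ChainedTokenCredential of developer credentials locally, with a startup preflight that fails loudly when no credential can produce a token. It assumes the Azure.Identity and Microsoft.Extensions.Configuration.AzureAppConfiguration packages, the hypothetical endpoint https://my-app-config.azconfig.io, and a hypothetical AZURE_CLIENT_ID environment variable holding the identity's client ID.

```csharp
// Added example, not from the original post. Assumes packages Azure.Identity and
// Microsoft.Extensions.Configuration.AzureAppConfiguration; the endpoint and the
// AZURE_CLIENT_ID variable name are hypothetical.
using System;
using System.Threading;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static class AppConfigCredential
{
    // Token scope for the App Configuration data plane.
    private const string AppConfigScope = "https://azconfig.io/.default";

    public static TokenCredential Create(IHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Local: the developer's own account, via `az login` or Visual Studio.
            // That account needs the same data role on the store as the identity.
            return new ChainedTokenCredential(
                new AzureCliCredential(),
                new VisualStudioCredential());
        }

        // Production: the user-assigned identity bound to the pod. Passing the
        // client ID pins the identity when more than one is reachable from the
        // node. No developer or interactive fallbacks here: a broken identity
        // binding should fail, not quietly use something else.
        var clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        return string.IsNullOrEmpty(clientId)
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(clientId);
    }

    // Fail fast at startup if no token can be obtained at all. Note that a token
    // only proves authentication; a missing role assignment still surfaces as a
    // 403 on the first read from the store, not here.
    public static void Preflight(TokenCredential credential)
    {
        try
        {
            var token = credential.GetToken(
                new TokenRequestContext(new[] { AppConfigScope }), CancellationToken.None);
            Console.WriteLine($"App Configuration token acquired, expires {token.ExpiresOn:u}");
        }
        catch (CredentialUnavailableException ex)
        {
            throw new InvalidOperationException(
                "No usable credential for App Configuration: check the managed identity " +
                "binding in the cluster, or run `az login` locally.", ex);
        }
    }
}

public class Program
{
    public static void Main(string[] args)
    {
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((ctx, config) =>
            {
                var credential = AppConfigCredential.Create(ctx.HostingEnvironment);
                AppConfigCredential.Preflight(credential);

                config.AddAzureAppConfiguration(options =>
                {
                    options.Connect(new Uri("https://my-app-config.azconfig.io"), credential)
                           .UseFeatureFlags();
                });
            })
            .Build()
            .Run();
    }
}
```

Selecting the credential by environment rather than letting DefaultAzureCredential probe everything also shortens startup locally (no managed identity endpoint timeout) and keeps the production chain to the one credential you actually expect to be used.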

Setting up permissions

Our environment is an Azure Kubernetes Service (AKS) cluster. One way to reach Azure resources outside the cluster is Azure Active Directory Pod Identity, which lets a pod authenticate to Azure resources as a managed identity.

To use App Configuration with a managed identity, we first need to create a user-assigned managed identity resource in Azure. We can do that with the az cli!

az identity create -n my-app-identity -g my-app-identity-rg

The next step is to create a role assignment for the user-assigned managed identity. According to the Azure App Configuration docs, the identity needs either the "App Configuration Data Reader" or the "App Configuration Data Owner" role. Data Reader is enough for reading settings and feature flags, so use that unless the app actually writes to the store. The assignee object ID is the identity's principalId, which is part of the output of az identity create; passing --assignee-principal-type alongside it avoids a directory lookup for a freshly created principal.

az role assignment create \
  --role "App Configuration Data Reader" \
  --scope /subscriptions/myguid/resourceGroups/my-app-rg/providers/Microsoft.AppConfiguration/configurationStores/my-app \
  --assignee-object-id guidForManagedIdentity \
  --assignee-principal-type ServicePrincipal

Assign the same role to your own Azure AD user as well (with --assignee-principal-type User), so that AzureCliCredential works for local development.

That's how you keep secrets out of app settings with TokenCredentials!