Azure / azure-sdk-for-net

This repository is for active development of the Azure SDK for .NET. For consumers of the SDK we recommend visiting our public developer docs at https://learn.microsoft.com/dotnet/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-net.
MIT License

[QUERY] How to import certificate from KeyVault when creating/updating an AppService (CreateOrUpdateWebSiteResource)? #46369

Closed trygvelo closed 1 day ago

trygvelo commented 1 month ago

Library name and version

Azure.ResourceManager 1.12.0

Query/Question

I cannot find a working way to import a certificate from KeyVault when creating/updating an AppService (WebSite).

I am NOT using the certificate for TLS/SSL host binding. The certificate is used by the application code to authenticate with a database service.

I have tried this:

using Azure;
using Azure.Identity;
using Azure.ResourceManager.AppService;
using Azure.ResourceManager.AppService.Models;
using Azure.Security.KeyVault.Certificates;

// First set up WebSiteData (a function app in my case)
var webSiteData = new WebSiteData(...);

// Read the certificate metadata (public part only) from Key Vault
var certificateClient = new CertificateClient(new Uri(_keyVaultUrl), new DefaultAzureCredential());
KeyVaultCertificateWithPolicy vaultCertificate = await certificateClient.GetCertificateAsync("cert-name");

// Try to attach it as an SNI host name binding on the site
webSiteData.HostNameSslStates.Add(new HostNameSslState
{
    Name = vaultCertificate.Name,
    ThumbprintString = vaultCertificate.Properties.X509ThumbprintString,
    SslState = HostNameBindingSslState.SniEnabled
});

var webSite = (await resourceGroup.GetWebSites().CreateOrUpdateAsync(
    WaitUntil.Completed,
    "site-name",
    webSiteData
)).Value;

But it doesn't show up in the app service certificates when browsing the portal under "Bring your own certificates (.pfx)".


I haven't found any example code except code similar to webSiteData.HostNameSslStates.Add. If I add the certificate through the portal it works perfectly; I just need to be able to do the same using Azure.ResourceManager.

Environment

No response

github-actions[bot] commented 1 month ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

trygvelo commented 1 month ago

What I'm trying to do is the same as the Azure CLI command:

az webapp config ssl import --resource-group MyResourceGroup --name MyWebapp --key-vault MyKeyVault --key-vault-certificate-name MyCertificateName

This works fine. But how to perform the same using Azure.ResourceManager in .net code?

melina5656 commented 2 days ago

Hi @trygvelo, to import certificates from Key Vault, you can refer to the following code:

using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.ResourceManager.AppService;
using Azure.Security.KeyVault.Secrets;

// Obtain the secret value of the certificate and convert it into a byte array format PFX certificate.
// A Key Vault certificate exposes its PFX (certificate plus private key) as a secret of the same name,
// base64-encoded, so this downloads the private key into the calling process.
var secretClient = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential());
Response<KeyVaultSecret> secret = await secretClient.GetSecretAsync("Your_Vault_Certificate_Name");
byte[] pfxBlob = Convert.FromBase64String(secret.Value.Value);

// Create an AppCertificateResource in the resource group
var appCertificateCollection = resourceGroup.GetAppCertificates();
var appCertificateName = "certificateName";
var appCertificateData = new AppCertificateData(AzureLocation.EastUS2)
{
    ServerFarmId = appServicePlan.Id, // the App Service plan the certificate is attached to
    PfxBlob = pfxBlob,                // the PKCS#12 bytes uploaded to App Service
};
var appCertificate = (await appCertificateCollection.CreateOrUpdateAsync(WaitUntil.Completed, appCertificateName, appCertificateData)).Value;

To use SecretClient you need to import Azure.Security.KeyVault.Secrets. Thank you for your feedback.
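The answer above downloads the PFX out of Key Vault and re-uploads it, which puts the private key in the client's memory and silently breaks if the Key Vault certificate was created with a PEM content type. The `az webapp config ssl import` command the reporter mentions instead creates the App Service certificate as a *reference* to the Key Vault secret (`keyVaultId` + `keyVaultSecretName`), so App Service fetches the PFX itself. The following is an added example, not code from this thread or from the SDK repository, showing both paths with Azure.ResourceManager.AppService: the Key Vault reference path and a hardened version of the PFX-blob path. The resource names, the `subscriptionId`/`vaultResourceGroup`/`vaultName` parameters and the class name are placeholders I chose; it assumes the caller already has a `ResourceGroupResource` and an `AppServicePlanResource`.

```csharp
// Added example (not from the issue thread). Placeholder names throughout.
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.ResourceManager.AppService;
using Azure.ResourceManager.Resources;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultCertificateImport
{
    // Path 1 (what `az webapp config ssl import` does): reference the Key Vault secret.
    // The PFX never passes through this process; App Service pulls it from the vault.
    // Prerequisite: the App Service resource provider must be allowed to read secrets
    // in that vault (see the usage note below); the CLI grants this for you, ARM does not.
    public static async Task<AppCertificateResource> ImportByReferenceAsync(
        ResourceGroupResource resourceGroup,
        AppServicePlanResource plan,
        string subscriptionId,
        string vaultResourceGroup,
        string vaultName,
        string certificateName)
    {
        // ARM resource id of the vault; a Key Vault certificate is also a secret of the same name.
        var vaultId = new ResourceIdentifier(
            $"/subscriptions/{subscriptionId}/resourceGroups/{vaultResourceGroup}" +
            $"/providers/Microsoft.KeyVault/vaults/{vaultName}");

        var data = new AppCertificateData(resourceGroup.Data.Location)
        {
            ServerFarmId = plan.Id,               // plan the certificate is attached to
            KeyVaultId = vaultId,                 // App Service fetches the PFX from here
            KeyVaultSecretName = certificateName, // secret backing the KV certificate
        };

        return (await resourceGroup.GetAppCertificates()
            .CreateOrUpdateAsync(WaitUntil.Completed, certificateName, data)).Value;
    }

    // Path 2 (what the answer above does): download the secret and upload the PFX bytes,
    // with the checks that path needs before private key material is handed around.
    public static async Task<AppCertificateResource> ImportByPfxBlobAsync(
        ResourceGroupResource resourceGroup,
        AppServicePlanResource plan,
        Uri vaultUri,
        string certificateName,
        TokenCredential credential)
    {
        var secretClient = new SecretClient(vaultUri, credential);
        KeyVaultSecret secret = await secretClient.GetSecretAsync(certificateName);

        // Only a PKCS#12-typed certificate yields base64 PFX; a PEM-typed one would
        // either fail in FromBase64String or produce bytes App Service rejects.
        if (!string.Equals(secret.Properties.ContentType, "application/x-pkcs12",
                           StringComparison.OrdinalIgnoreCase))
        {
            throw new InvalidOperationException(
                $"Expected an application/x-pkcs12 secret, got '{secret.Properties.ContentType}'.");
        }

        byte[] pfxBlob = Convert.FromBase64String(secret.Value);
        try
        {
            // Key Vault exports the PFX without a password; make sure it parses and
            // actually carries the private key before creating the ARM resource.
            using var parsed = new X509Certificate2(pfxBlob);
            if (!parsed.HasPrivateKey)
                throw new InvalidOperationException("PFX from Key Vault has no private key.");

            var data = new AppCertificateData(resourceGroup.Data.Location)
            {
                ServerFarmId = plan.Id,
                PfxBlob = pfxBlob,
            };
            return (await resourceGroup.GetAppCertificates()
                .CreateOrUpdateAsync(WaitUntil.Completed, certificateName, data)).Value;
        }
        finally
        {
            // The private key was in this process's memory; do not leave it lying around.
            Array.Clear(pfxBlob, 0, pfxBlob.Length);
        }
    }
}
```

For path 1 the vault must let the App Service resource provider read the secret: with access policies, grant `get` on secrets and certificates to the "Microsoft Azure App Service" service principal (application id `abfa0a7c-a6b6-4736-8310-5855508787cd`, as documented for Key Vault certificate import); with RBAC-enabled vaults, assign it the Key Vault Secrets User role. Path 2 needs no such grant because the caller's own identity reads the secret, which is exactly why it is the less desirable option: the identity running this code now has, and has used, permission to export the private key.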

github-actions[bot] commented 2 days ago

Hi @trygvelo. Thank you for opening this issue and giving us the opportunity to assist. We believe that this has been addressed. If you feel that further discussion is needed, please add a comment with the text "/unresolve" to remove the "issue-addressed" label and continue the conversation.