MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Protect key vault references of being resolved with Kudu advanced tools #39518

Closed MathieuMarchant closed 1 month ago

MathieuMarchant commented 4 years ago

Consider the following scenario:

As a developer, my customer doesn't want me to know the value of the secret. That's why I don't have read rights on the key vault and key vault references are used.

However when I go to the "Development Tools - Advanced Tools" of my App Service, I'm able to go to the Kudu tools under "https://*.scm.azurewebsites.net". There under REST API I'm able to select "App Settings" and I can see the resolved key vault references, although my current user doesn't have rights to the key vault.

How can I keep my key vault secrets safe, while still enabling the developers to manage the app service?



BryanTrach-MSFT commented 4 years ago

@EagleWizard28 Thanks for the feedback! We are currently investigating and will update you shortly.

mganeshphani commented 4 years ago

I had a similar scenario with Databricks, and they do a good job of masking these.

Grace-MacJones-MSFT commented 4 years ago

Hi @EagleWizard28, upon further review we feel your feedback would be best received by the doc author, to review this request, determine if an update to the current doc is necessary, or create a new doc.

Grace-MacJones-MSFT commented 4 years ago

@mattchenderson can you please provide some insight on this scenario?

mattchenderson commented 4 years ago

Apologies for the delay. Once you are in the Kudu console, you have the ability to access all sorts of information about the process, including memory dumps. The environment variables being on screen is not the issue so much as the ability to use the console to dump env vars. That said, we are exploring some options, because we agree that accidental disclosure is something we want to prevent.

Regardless, I would be conservative in who gets full Contributor access, and if you can take on the code changes, working with Key Vault directly may be preferable to using the Key Vault References feature.

akki-s commented 4 years ago

@mattchenderson Does your comment mean that anyone who has access to Kudu credentials can view the secrets from Key Vault if the app service in question has managed identity access to Key Vault? I think this is a security risk, because we may have someone from our support team accessing Kudu, but we still do not want them to view secrets. Kudu can be accessed not only by using one's own credentials, but also by using publishing credentials.

danielmcconville commented 4 years ago

> Regardless, I would be conservative in who gets full Contributor access, and if you can take on the code changes, working with Key Vault directly may be preferable to using the Key Vault References feature.

@mattchenderson how does this work behind the scenes with a Web App? Is it the Web App virtual container that gets assigned the Managed Identity, or somehow the application itself? If it is the former, and the code libraries are simply calling the local URL to get the token used to retrieve the secret, could we not still use the Web App developer tools to SSH to the box and issue the following:

http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net

to get the token then use that in a request to the Key Vault to get the secret?

If it is the latter (that is great), how does that work? I.e., how is the app itself identified rather than the container it is running in?

If working with the Key Vault directly from the code does not solve the problem it seems that the access controls need updating to include configurable access to the Web App development tools. If you switch access to those off you cannot access the system at a level where you can extract the secrets.
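The thread's core concern is that every app setting holding a Key Vault reference is resolved by the platform into a plaintext environment variable, which is what Kudu's App Settings view shows. As an added example (not code from this thread or from Microsoft), the script below inventories which settings of an app are Key Vault references so an operator can decide which secrets to move to direct Key Vault access from code. It assumes the documented reference syntax `@Microsoft.KeyVault(SecretUri=...)` / `@Microsoft.KeyVault(VaultName=...;SecretName=...)` and the JSON shape emitted by `az webapp config appsettings list`; the sample input is constructed.

```python
import json
import re
from typing import Dict, List, Optional
from urllib.parse import urlparse

# App Service Key Vault reference syntax (from the App Service docs, not this thread):
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
KV_REF = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")


def parse_reference(value: str) -> Optional[Dict[str, str]]:
    """Return {'vault': ..., 'secret': ...} for a Key Vault reference, else None."""
    m = KV_REF.match(value.strip())
    if not m:
        return None
    fields = dict(part.split("=", 1) for part in m.group("body").split(";") if "=" in part)
    if "SecretUri" in fields:
        url = urlparse(fields["SecretUri"])
        segments = [s for s in url.path.split("/") if s]  # /secrets/<name>[/<version>]
        if not url.hostname or len(segments) < 2 or segments[0] != "secrets":
            return None
        return {"vault": url.hostname.split(".")[0], "secret": segments[1]}
    if "VaultName" in fields and "SecretName" in fields:
        return {"vault": fields["VaultName"], "secret": fields["SecretName"]}
    return None


def find_resolved_secrets(appsettings_json: str) -> List[Dict[str, str]]:
    """Given `az webapp config appsettings list` output (a list of
    {name, value, slotSetting}), return every setting that is a Key Vault
    reference; each one becomes a plaintext env var readable through Kudu."""
    findings = []
    for item in json.loads(appsettings_json):
        ref = parse_reference(item.get("value", ""))
        if ref:
            findings.append({"setting": item["name"], **ref})
    return findings


# Constructed sample shaped like the CLI output; vault and secret names are made up.
SAMPLE = json.dumps([
    {"name": "WEBSITE_RUN_FROM_PACKAGE", "value": "1", "slotSetting": False},
    {"name": "DbPassword", "slotSetting": False,
     "value": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/DbPassword/abc123)"},
    {"name": "ApiKey", "slotSetting": True,
     "value": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=ApiKey)"},
])

if __name__ == "__main__":
    for f in find_resolved_secrets(SAMPLE):
        print(f"{f['setting']} -> {f['vault']}/{f['secret']} is resolved into a plaintext env var")
```

Feed it the real CLI output (`az webapp config appsettings list -g <rg> -n <app> | python audit.py`-style piping is left to the reader) to get the list of settings whose secrets any Kudu user of that app can read.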

dirkslab commented 4 years ago

Anywhere we can follow progress on this request? Also noticed secret keys are not masked in Kudu.

unaihuete93 commented 3 years ago

Any update on this topic?

ccstorm-nl commented 3 years ago

Apparently this issue still exists as of this date.

We have abandoned the use of app settings for secrets in favor of Arcus.Security. This is a codit.eu-initiated open source initiative (Arcus) providing multiple quick-start libraries around security, web API development, logging/monitoring (observability) and others.

https://security.arcus-azure.net/

https://github.com/arcus-azure

If your search brought you here, see if this can help you.

pschonefeld-sot commented 10 months ago

Still an issue.

cephalin commented 1 month ago

Internal item created: https://dev.azure.com/msft-skilling/Content/_workitems/edit/288722

please-close