My App Service web app keeps losing access to KeyVault

Lilach Davis 20 Reputation points
2025-02-26T09:25:52.8033333+00:00
  • We have a linux web app running on app service and a key vault in the same subscription.
  • The app is configured with VNet integration.
  • We use KV references as some of the app’s environment variables.
  • Initially the KV was configured with a RBAC permission model, and the App’s managed identity was given a Key Vault Secrets User role for it.
  • Right after its deployment, the App was successfully pulling the secret values from the KV.
  • After about an hour, when checked, the App was no longer able to access the KV, showing an error message:
    AccessToKeyVaultDenied. Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.
  • No changes had been made on either resource between the time the connection was working and when it was lost.
  • We changed the permission model to use Access Policies and added an access policy for the App’s system-assigned managed id, granting it Get and List perms on secrets.
  • Subsequently we hit the ‘Pull reference values’ button on the App’s environment variables tab and the app was able to access the secrets once again.
  • After some time, the same occurred - the app lost access to the KV, showing the same error. Again, there was nobody making changes to either resource.
  • We tried ‘Pull reference values’ again but to no avail.
  • Next, we tried adding a Private Endpoint for the KV in the same VNet with which the app was integrated.
  • Once the PEP was deployed, we hit ‘Pull reference values’ and access was working again, only to stop of its own accord as previously, a little later that day.
  • An identical loss of access issue started affecting a similar system in another of our tenants, which previously was working fine.
  • Other resources (data factory and databricks workspace) with access policies in the same KV are not experiencing any access issues.
Accepted answer
    Silvia Wibowo 5,861 Reputation points Microsoft Employee
    2025-03-05T19:15:11.39+00:00

    Hi @Lilach Davis, thank you for letting us know that your issue has been resolved. Here's a summary of the issue and solution.

    Issue:

    • Linux Web App on App Service with vnet integration.
    • Azure Key Vault (KV) in the same subscription, configured with network restrictions.
    • Web App is using KV references as app’s environment variables.
    • KV was configured with a RBAC permission model, and the App’s managed identity was given a Key Vault Secrets User role for it.
    • Right after its deployment, the App was successfully pulling the secret values from the KV.
    • After about an hour, when checked, the App was no longer able to access the KV, showing an error message: AccessToKeyVaultDenied. Key Vault reference was not able to be resolved because site was denied access to Key Vault reference's vault.
    • Same scenario happens (successful pull of secrets then error after an hour) after KV is changed from RBAC to Access Policy.
    • Same scenario happens after Private Endpoint is configured for KV.

    Solution:

    • The issue is now resolved, although we haven't changed anything. Suspect a temporary bug in Azure.


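For anyone triaging the same AccessToKeyVaultDenied status on their own site, here is an added example (not code from the question or the answer) that parses both Key Vault reference syntaxes App Service accepts and groups settings by resolution status, so you can see at a glance which vault's role assignment / access policy, firewall and private endpoint need re-checking. The response shape (`value[].name`, `properties.reference`, `properties.status`, as returned by the ARM configreferences/appsettings endpoint) and the sample data are assumptions constructed for this example.

```python
import re
from urllib.parse import urlparse

# The two Key Vault reference syntaxes App Service accepts as app-setting values:
#   @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/<name>/<version>)
#   @Microsoft.KeyVault(VaultName=<vault>;SecretName=<name>;SecretVersion=<version>)
REF_RE = re.compile(r"^@Microsoft\.KeyVault\((?P<body>.*)\)$")


def parse_reference(value):
    """Return (vault, secret, version) for a KV reference; None for a plain setting value."""
    m = REF_RE.match(value.strip())
    if not m:
        return None
    parts = dict(p.split("=", 1) for p in m.group("body").split(";") if "=" in p)
    if "SecretUri" in parts:
        uri = urlparse(parts["SecretUri"])
        segs = [s for s in uri.path.split("/") if s]  # ["secrets", <name>, <version>?]
        if uri.scheme != "https" or not uri.hostname or len(segs) < 2 or segs[0] != "secrets":
            raise ValueError("unexpected SecretUri: " + parts["SecretUri"])
        return uri.hostname.split(".")[0], segs[1], segs[2] if len(segs) > 2 else None
    return parts["VaultName"], parts["SecretName"], parts.get("SecretVersion") or None


def triage(references):
    """Group settings by status: {status: [(setting, vault, secret), ...]}.
    `references` is assumed to look like {"value": [{"name", "properties": {"reference", "status"}}]}."""
    grouped = {}
    for item in references["value"]:
        props = item["properties"]
        parsed = parse_reference(props["reference"])
        vault, secret = (parsed[0], parsed[1]) if parsed else (None, None)
        grouped.setdefault(props["status"], []).append((item["name"], vault, secret))
    return grouped


def denied_vaults(references):
    """Vault names behind any AccessToKeyVaultDenied setting: the ones to re-check first."""
    return sorted({v for _, v, _ in triage(references).get("AccessToKeyVaultDenied", []) if v})


# Constructed sample, not real output: one denied and one resolved reference.
SAMPLE = {"value": [
    {"name": "DbPassword", "properties": {
        "reference": "@Microsoft.KeyVault(SecretUri=https://contoso-kv.vault.azure.net/secrets/DbPassword/abc123)",
        "status": "AccessToKeyVaultDenied"}},
    {"name": "ApiKey", "properties": {
        "reference": "@Microsoft.KeyVault(VaultName=contoso-kv;SecretName=ApiKey)",
        "status": "Resolved"}},
]}
```

Feed it the JSON from `az rest` against the site's configreferences/appsettings endpoint instead of SAMPLE; `denied_vaults` then lists exactly the vaults whose identity, network and permission settings to inspect.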
