
How to use Service Principal/Managed Identity to access Azure App Configuration?

I need to disable Local Authentication Methods (Access Keys) for Azure App Configuration Stores. Currently for an ASP.NET Framework application, I am using the following for accessing the App Configuration Store from my application:

<configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
</configSections>

<configBuilders>
    <builders>
        <add name="MyConfigStore" mode="Greedy" connectionString="${ConnectionString}" type="Microsoft.Configuration.ConfigurationBuilders.AzureAppConfigurationBuilder, Microsoft.Configuration.ConfigurationBuilders.AzureAppConfiguration" />
        <add name="Environment" mode="Greedy" type="Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment" />
    </builders>
</configBuilders>

Here the value of ${ConnectionString} = "Endpoint=https://<app_config>.azconfig.io;Id=<Id>;Secret=<Access Key>"

Now in order to access the App Configuration through the ASP.NET application, I created a Service Principal and generated a secret to use.

I have stored the CLIENT_ID, TENANT_ID and CLIENT_SECRET values. I have also assigned the App Configuration Data Reader role to the Service Principal.

I also have a managed identity which I can use.

Now what change do I need to make at the application side in order to access the App Configuration through the ASP.NET application?

Check the below Workaround to access the App Configuration in the .NET Framework Application.

In Azure Portal => App Configuration => Configuration explorer, create new Key-value.

  • Install the below NuGet Packages:
    Microsoft.Configuration.ConfigurationBuilders.AzureAppConfiguration - Version 1.0.0
    Microsoft.Configuration.ConfigurationBuilders.Environment - Version 2.0.0
    System.Configuration.ConfigurationManager - Version 7.0.0

Configuration Section from my Web.config file:

<configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
  </configSections>

  <configBuilders>
    <builders>
      <add name="AzureAppConfig" mode="Greedy" connectionString="Endpoint=https://AppConfigName.azconfig.io;Id=XqdS-l2-s0:****/;Secret=****" type="Microsoft.Configuration.ConfigurationBuilders.AzureAppConfigurationBuilder, Microsoft.Configuration.ConfigurationBuilders.AzureAppConfiguration" />
      <add name="Environment" mode="Greedy" type="Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment" />
    </builders>
  </configBuilders>

  <appSettings configBuilders="Environment,AzureAppConfig">
    <add key="AppName" value=".NET Framework Sample" />
  </appSettings>

Reading Config Value:

In Controller,

    public ActionResult Index()
    {
        string FromAppConfig = System.Configuration.ConfigurationManager.AppSettings["TestApp:Settings:Message"];
        string FromWebConfig = System.Configuration.ConfigurationManager.AppSettings["AppName"];
        ViewBag.FromAppConfig = FromAppConfig;
        ViewBag.FromWebConfig = FromWebConfig;
        return View();
    }

In View.cshtml:

@{
    ViewBag.Title = "Home Page";
}

<div>
    <h2>  Value from App Configuration - @ViewBag.FromAppConfig</h2>
    <h2>  Value from Web.Config File - @ViewBag.FromWebConfig</h2>
</div>


References taken from MSDoc

You should use the endpoint instead of the connectionString parameter when you configure your builders. This will tell the system to use the DefaultAzureCredential to connect to Azure App Configuration.

I would also put the "Environment" builder before the "AzureAppConfig" builder, so environment variables are available to the AppConfig builder during loading. It looks something like this:

  <configBuilders>
    <builders>
      <add name="Environment" mode="Greedy" type="Microsoft.Configuration.ConfigurationBuilders.EnvironmentConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Environment" />
      <add name="AzureAppConfig" mode="Greedy" endpoint="https://<AppConfigName>.azconfig.io" type="Microsoft.Configuration.ConfigurationBuilders.AzureAppConfigurationBuilder, Microsoft.Configuration.ConfigurationBuilders.AzureAppConfiguration" />
    </builders>
  </configBuilders>

Given you want to use the service principal, you should make CLIENT_ID, TENANT_ID and CLIENT_SECRET available as environment variables, so the DefaultAzureCredential will pick them up automatically.

You should NEVER put any secrets in the web.config file. You can find more information about the App Configuration builder library from the link below.

https://github.com/aspnet/MicrosoftConfigurationBuilders/blob/main/docs/KeyValueConfigBuilders.md#azureappconfigurationbuilder
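
A check that could run in a build pipeline to confirm a Web.config follows the advice in the answer above (endpoint rather than connectionString, Environment builder declared first, no access key in the file). This is an added example, not code from either answer or from the MicrosoftConfigurationBuilders project; the function name, the store name `example-store` and the `PLACEHOLDER` values are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Matches the "Secret=<value>" part of an App Configuration connection string.
SECRET_RE = re.compile(r"(?:^|;)\s*Secret\s*=\s*[^;\s]", re.IGNORECASE)


def audit_builders(web_config_xml):
    """Return (builder name, finding) pairs for App Configuration builders."""
    root = ET.fromstring(web_config_xml)
    findings = []
    env_declared = False
    for add in root.findall("./configBuilders/builders/add"):
        name = add.get("name", "<unnamed>")
        builder_type = add.get("type", "")
        if "EnvironmentConfigBuilder" in builder_type:
            env_declared = True
            continue
        if "AzureAppConfigurationBuilder" not in builder_type:
            continue
        conn = add.get("connectionString")
        if conn is not None and SECRET_RE.search(conn):
            findings.append((name, "access key stored in Web.config"))
        elif conn is not None:
            # e.g. a ${ConnectionString} token: still access-key authentication
            findings.append((name, "connectionString in use (access-key auth)"))
        if not add.get("endpoint"):
            findings.append((name, "no endpoint attribute"))
        if not env_declared:
            findings.append((name, "Environment builder not declared earlier"))
    return findings


# Constructed samples; the store name and key values are placeholders.
NS = "Microsoft.Configuration.ConfigurationBuilders"
APPCFG = f"{NS}.AzureAppConfigurationBuilder, {NS}.AzureAppConfiguration"
ENV = (f'<add name="Environment" mode="Greedy" '
       f'type="{NS}.EnvironmentConfigBuilder, {NS}.Environment" />')
WRAP = "<configuration><configBuilders><builders>{}</builders></configBuilders></configuration>"
CONN = "Endpoint=https://example-store.azconfig.io;Id=PLACEHOLDER;Secret=PLACEHOLDER"
BEFORE = WRAP.format(
    f'<add name="AzureAppConfig" mode="Greedy" connectionString="{CONN}" type="{APPCFG}" />' + ENV)
AFTER = WRAP.format(
    ENV + f'<add name="AzureAppConfig" mode="Greedy" endpoint="https://example-store.azconfig.io" type="{APPCFG}" />')

if __name__ == "__main__":
    for label, doc in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_builders(doc))
```

For the service-principal path, the environment variables that DefaultAzureCredential reads are named AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET.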
