DISCLAIMER: This post is purely my personal opinion and does not represent my employer's.
While using Azure Logic Apps, one of the challenges is how to manage secret values, and most of the time this is handled by passing them in through ARM template parameters. The ideal(?) approach would be an API connector to Azure Key Vault, so that we wouldn't need to worry about passing those secrets around at all. Logic Apps has many API connectors for Azure resources, but unfortunately an Azure Key Vault connector doesn't exist at the time of writing. There is a request for this feature on UserVoice, though, and many users support it.
But we can make this happen in a few steps, using Managed Identity and an HTTP action. In this post, I'll walk through how to use a Key Vault connection with Managed Identity from Logic Apps.
Logic App Key Vault Connector vs Key Vault REST API
As mentioned earlier, Logic Apps doesn't provide an API connector for Key Vault. Fortunately, we can instead access Key Vault through its REST API, PowerShell, or Azure CLI. In this post, we're using the REST API.
Logic App Instance
Let's create a Logic App instance with the name mylogicapp201810. Once it's created, open the Workflow Settings blade and enable the Managed Service Identity option.
That's it from the Logic App configuration. Easy, huh?
Key Vault Instance
Let's create a Key Vault instance this time. Once it's created, we need to give the Logic App instance direct access. Open the Access Policies blade and register the Logic App instance. In this example, as the Logic App instance is named mylogicapp201810, we can easily find it. We don't have to give all permissions to the Logic App; List permissions on Secret would be sufficient.
Now, create a secret, with world as its secret value, by following this page.
HTTP Action in Logic Apps
As discussed above, we're using the REST API, so the HTTP action is the right choice here. Add the action and give it the URL https://<mykeyvault>.vault.azure.net/secrets; in this post, the vault is mykeyvault201810. We also need to provide the API version through the query string: use api-version=2016-10-01 either as part of the URL or as part of the
And this is the important part. Select Managed Service Identity in the Authentication field and give the Audience URL of
NOTE: If you enter the audience URL with a trailing slash, like https://vault.azure.net/, it will return either a 400 Bad Request error or
All settings are done! We've created a Logic App instance, activated Managed Identity, created a Key Vault instance, registered the Logic App instance, and written the Logic App workflow. When we run this Logic App, we can get the list of secrets like:
If we provide the secret name, it will return the actual secret value, too. Now, we can use Key Vault directly from the Logic App. Until the Key Vault connector is ready, we can utilise this approach.
However, we still need to consider a few things:
- As you can see above, the Logic App run history contains the secret value. We can't hide it at this stage. Therefore, we need to set up access permissions on Logic Apps very carefully; otherwise we might be in trouble.
- As the official documentation says, we can only register up to ten Logic Apps per subscription in Azure AD. Therefore, instead of enabling the Managed Identity feature on every Logic App, it is recommended to create a separate Logic App instance as a sub-workflow that works purely as the Key Vault connection, and have the other Logic App instances call that sub-workflow.
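The sub-workflow pattern from the second point looks like this in workflow-definition JSON. It is an added example of my own, not the post's or the devkimchi repository's code: childDefinition is the definition of the single Logic App that has Managed Identity enabled and is registered in Key Vault, and callerAction is the action any other Logic App (without its own identity) adds to fetch a secret through it. The vault name, the audience https://vault.azure.net, the sub-workflow name keyvault-subworkflow, the secretName field and the <...> placeholders are all my assumptions.

```json
{
  // The one Logic App that holds the identity and the Key Vault access policy.
  "childDefinition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "manual": {
        "type": "Request",
        "kind": "Http",
        "inputs": {
          // Callers pass the secret name; rejecting requests without one at the trigger
          "schema": {
            "type": "object",
            "properties": { "secretName": { "type": "string" } },
            "required": [ "secretName" ]
          }
        }
      }
    },
    "actions": {
      // Same HTTP action as before, but for a single secret by name
      "Get_secret": {
        "type": "Http",
        "runAfter": {},
        "inputs": {
          "method": "GET",
          "uri": "https://mykeyvault201810.vault.azure.net/secrets/@{triggerBody()?['secretName']}",
          "queries": { "api-version": "2016-10-01" },
          "authentication": {
            "type": "ManagedServiceIdentity",
            "audience": "https://vault.azure.net"
          }
        }
      },
      // Return only the value, not the full Key Vault response, to the caller
      "Response": {
        "type": "Response",
        "kind": "Http",
        "runAfter": { "Get_secret": [ "Succeeded" ] },
        "inputs": {
          "statusCode": 200,
          "body": { "value": "@body('Get_secret')?['value']" }
        }
      }
    },
    "outputs": {}
  },
  // The action a calling Logic App uses instead of enabling its own identity
  "callerAction": {
    "Get_secret_via_subworkflow": {
      "type": "Workflow",
      "runAfter": {},
      "inputs": {
        "host": {
          "triggerName": "manual",
          "workflow": {
            "id": "/subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.Logic/workflows/keyvault-subworkflow"
          }
        },
        "body": { "secretName": "<secret-name>" }
      }
    }
  }
}
```

Only the child counts against the ten-identity limit, however many callers there are. The first caveat still applies to both sides, though: the value shows up in the child's run history (the HTTP action output and the Response body) and in the caller's run history (the Workflow action output), so the access permissions on every Logic App in the chain matter, not just on the one holding the identity.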
So far, we've walked through how to access a Key Vault secret from a Logic App instance by enabling Managed Identity. I used the Azure Portal for all of this for demo purposes, but DevOps scenarios usually don't work this way. If you want to do it through an ARM template, this repository, https://github.com/devkimchi/Key-Vault-from-Logic-Apps, might help.