A popular feature in Azure Logic Apps is using Key Vault references as app settings. This allows you to securely manage secrets (such as connection strings or API keys) and use them as app settings in Azure Logic Apps without having to provide the plaintext value.

By default, when you use Key Vault references in app settings, your Logic App will use the system-assigned managed identity to resolve the secrets from Azure Key Vault. Many prefer to use a user-assigned managed identity since it is reusable across multiple resources, and its lifecycle is decoupled from the resources’ lifecycle.

This post walks through how to use a user-assigned managed identity (UAMI) to resolve Key Vault references in application settings of an Azure Logic App Standard.


Step-by-Step Guide

1. Create a Key Vault with RBAC access configuration

Note the ID in the output; this will be used as the scope for the role assignment and when updating the Logic App’s keyVaultReferenceIdentity property.

az keyvault create \
  --name "yourKeyVaultName" \
  --resource-group "yourResourceGroupName" \
  --enable-rbac-authorization "true"

2. Create a Secret

You will need to have an RBAC role assignment such as Key Vault Secrets Officer to create the secret.

az keyvault secret set \
  --name "yourSecretName" \
  --vault-name "yourKeyVaultName" \
  --value "yourSecretValue"

3. Create a User-Assigned Managed Identity

Note the principal ID in the output; this will be used as the object ID in the role assignment.

az identity create \
  --name "yourUAMIName" \
  --resource-group "yourResourceGroupName"

4. Authorize read access to secrets in your Key Vault

In my example, I am assigning the Key Vault Secrets User role, but assign whichever role suits your requirements.

az role assignment create \
  --assignee-object-id "principalIdFromPreviousCommand" \
  --assignee-principal-type "ServicePrincipal" \
  --role "Key Vault Secrets User" \
  --scope "yourKeyVaultResourceUri"

5. Assign the User-Assigned Managed Identity to the Logic App

az functionapp identity assign \
  --name "yourLogicAppName" \
  --resource-group "yourResourceGroupName" \
  --identities "yourUAMIResourceUri"

6. Update the Logic App to use the User-Assigned Managed Identity

You can check the current value by navigating to the Overview blade on your Logic App, selecting JSON View, and searching for keyVaultReferenceIdentity. By default, it will use the Logic App’s system-assigned managed identity.

az functionapp update \
  --name "yourLogicAppName" \
  --resource-group "yourResourceGroupName" \
  --set "keyVaultReferenceIdentity=yourUAMIResourceUri"

After running the command, you should see the ID for your user-assigned managed identity as the keyVaultReferenceIdentity.

7. Add a Key Vault Reference App Setting

In order to create a Key Vault reference in the app settings, you need to use one of the following syntaxes:

  1. @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret)
  2. @Microsoft.KeyVault(VaultName=myvault;SecretName=mysecret)

If all is set up correctly, you should see a green checkmark next to the setting.
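The seven steps above collected into a single script, as an added example that is not part of the original post. It captures the Key Vault ID, the identity's principal ID and resource ID with `--query ... -o tsv` instead of copying them from the output by hand, validates the app-setting value against the two reference syntaxes before sending it to Azure, and reads `keyVaultReferenceIdentity` back from the resource to confirm the change. It assumes an authenticated Azure CLI session; every resource name is a placeholder, the `KV_SECRET_VALUE` environment variable and the function names are this example's own, and the `deploy` argument guard is so the helpers can be sourced without touching Azure.

```bash
#!/usr/bin/env sh
# Added example (not from the original post): the seven steps as one script,
# plus helpers that build and check the @Microsoft.KeyVault(...) setting value.
set -eu

# ---- Pure helpers (no Azure calls) ------------------------------------------

# SecretUri form of a Key Vault reference.
kv_reference_from_uri() {
  printf '@Microsoft.KeyVault(SecretUri=https://%s.vault.azure.net/secrets/%s)' "$1" "$2"
}

# VaultName/SecretName form of a Key Vault reference.
kv_reference_from_name() {
  printf '@Microsoft.KeyVault(VaultName=%s;SecretName=%s)' "$1" "$2"
}

# Returns 0 if the value matches one of the two documented syntaxes, 1 otherwise.
# A malformed reference only shows up as a failed status icon in the portal, so
# the common typos (missing '@', empty names, stray whitespace) are caught here.
validate_kv_reference() {
  case "$1" in
    *[[:space:]]*) return 1 ;;
    '@Microsoft.KeyVault(SecretUri=https://'?*'.vault.azure.net/secrets/'?*')') return 0 ;;
    '@Microsoft.KeyVault(VaultName='?*';SecretName='?*')') return 0 ;;
    *) return 1 ;;
  esac
}

# ---- Deployment (the az commands from the post, parameterised) ---------------
# Usage: deploy_uami_kv_reference <resourceGroup> <vaultName> <secretName> \
#                                 <uamiName> <logicAppName> <appSettingName>
# Expects the secret value in the KV_SECRET_VALUE environment variable.
deploy_uami_kv_reference() {
  rg="$1"; vault="$2"; secret="$3"; uami="$4"; app="$5"; setting="$6"

  # 1. Key Vault with RBAC authorization; its ID becomes the role-assignment scope.
  vault_id=$(az keyvault create --name "$vault" --resource-group "$rg" \
               --enable-rbac-authorization true --query id -o tsv)

  # 2. Secret (caller needs e.g. Key Vault Secrets Officer). The value is passed
  #    through stdin rather than --value so it does not appear in the argv of az.
  printf '%s' "$KV_SECRET_VALUE" |
    az keyvault secret set --name "$secret" --vault-name "$vault" --file /dev/stdin >/dev/null

  # 3. User-assigned managed identity: principalId for RBAC, id for the app.
  uami_principal=$(az identity create --name "$uami" --resource-group "$rg" \
                     --query principalId -o tsv)
  uami_id=$(az identity show --name "$uami" --resource-group "$rg" --query id -o tsv)

  # 4. Read-only secret access, scoped to this vault only.
  az role assignment create --assignee-object-id "$uami_principal" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$vault_id" >/dev/null

  # 5. Attach the identity to the Logic App; keyVaultReferenceIdentity must name
  #    an identity the app actually has.
  az functionapp identity assign --name "$app" --resource-group "$rg" \
    --identities "$uami_id" >/dev/null

  # 6. Resolve references with the UAMI instead of the system-assigned identity.
  az functionapp update --name "$app" --resource-group "$rg" \
    --set "keyVaultReferenceIdentity=$uami_id" >/dev/null

  # 7. Add the app setting, checking the reference syntax locally first.
  ref=$(kv_reference_from_uri "$vault" "$secret")
  validate_kv_reference "$ref" || { echo "malformed reference: $ref" >&2; return 1; }
  az functionapp config appsettings set --name "$app" --resource-group "$rg" \
    --settings "$setting=$ref" >/dev/null

  # Same check as the portal's JSON View: print the identity the app now reports.
  site_id=$(az functionapp show --name "$app" --resource-group "$rg" --query id -o tsv)
  az resource show --ids "$site_id" --query properties.keyVaultReferenceIdentity -o tsv
}

# Only deploy when asked, e.g.:
#   KV_SECRET_VALUE='...' sh uami-kv-reference.sh deploy rg kv secret uami app MY_SETTING
if [ "${1:-}" = "deploy" ]; then
  shift
  deploy_uami_kv_reference "$@"
fi
```

Two things worth knowing when running it end to end: role assignments can take a few minutes to propagate, so a reference that shows as failed immediately after step 4 may resolve on its own shortly after, and the final `az resource show` output should be the UAMI's resource ID rather than `SystemAssigned`; if it is not, step 6 did not apply and the app will keep trying to read the vault with an identity that has no role on it.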