Accessing Azure Key Vault From A Logic App Using A Managed Identity

Azure Key Vault can be accessed as a user or as an app principal, but the best way to access it is with a Managed Identity, which does not require maintaining keys and passwords. We can create this connection using a Managed Identity and an HTTP action.

This walkthrough shows how to set up a simple Key Vault connection with a Managed Identity from Logic Apps.

Step 1

Create a Logic App instance with the name you want. Here I'll name it mylogicapp202 and create it in a new resource group named MITest_RG in the East US2 region.

Step 2

Once the Logic App is created, open the Identity blade and enable the Managed Identity.

This is enabled by default when the Logic App is created. Copy the Object (principal) ID.

That’s all from the logic app configuration side.

Step 3

Now let’s create a Key Vault instance named mykv202.

Once created, we need to give direct access to the Logic App instance.

Open the Access policies blade and click + Add Access Policy to register the Logic App instance.

Click Select principal. In this scenario, we can easily find the Logic App we created by using the Object (principal) ID that we copied.

Select it. We don't have to give the Logic App all the permissions; the Get and List permissions under Secret permissions are sufficient.

Click Add to save the configuration.

Step 4

Now we will create a sample secret for testing. Go to the Secrets blade of the Key Vault and click Generate/Import.

Add a Name and a Value for your secret, then click Create to add it.

Step 5

Now let's create the HTTP action in the Logic App. We are calling the Key Vault REST API, so the HTTP action is the right one to use.

Go to the Logic App we created and select the Workflows blade.

Click + Add to create a Workflow. For high reliability, select Stateful.

Click Create to save the values.

Step 6

Now go to the Workflow and select Designer. Under Search connectors and triggers, search for HTTP and select HTTP.

Set the method to GET and the URL to your Secret Identifier, which can be found on your secret version.

From the Add new parameter list, add the Authentication property if the property doesn't already appear.

Since we want to authenticate access to a Key Vault resource in the global Azure cloud, we must set the Audience property to exactly the following resource ID: https://vault.azure.net

Also specify the API version, api-version=2019-09-01 or a later version, either as part of the URL or in the Queries field.

Now save it.

All settings are done! We've created a Logic App instance, activated Managed Identity, created a Key Vault instance, registered the Logic App instance, and written the Logic App workflow. When we run this Logic App, we can get a list of secrets like:

If we provide the secret name, it will return the actual secret value, too. Now, we can use Key Vault directly from the Logic App.
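The Step 6 settings are easy to get subtly wrong (a trailing slash on the audience, a forgotten api-version), so the following added example, which is not part of the original walkthrough, shows the HTTP action as it would appear in the workflow's code view and audits it against the three requirements above. The action name Get_secret, the secret name mysecret, and the function audit_keyvault_actions are assumptions made for illustration.

```python
import json
from urllib.parse import urlparse, parse_qs

# Constructed sample: code-view form of the HTTP action from Step 6.
# "Get_secret" and "mysecret" are placeholder names, not from the article.
SAMPLE_ACTIONS = json.loads("""
{
  "Get_secret": {
    "type": "Http",
    "inputs": {
      "method": "GET",
      "uri": "https://mykv202.vault.azure.net/secrets/mysecret",
      "queries": {"api-version": "2019-09-01"},
      "authentication": {
        "type": "ManagedServiceIdentity",
        "audience": "https://vault.azure.net"
      }
    }
  }
}
""")

REQUIRED_AUDIENCE = "https://vault.azure.net"  # global Azure cloud, exact match


def audit_keyvault_actions(actions):
    """Return (action name, problem) pairs for HTTP actions that call Key Vault."""
    findings = []
    for name, action in actions.items():
        inputs = action.get("inputs", {})
        url = urlparse(inputs.get("uri", ""))
        host = url.hostname or ""
        if action.get("type") != "Http" or not host.endswith(".vault.azure.net"):
            continue  # not a Key Vault REST call
        auth = inputs.get("authentication", {})
        if auth.get("type") != "ManagedServiceIdentity":
            findings.append((name, "authentication is not a managed identity"))
        if auth.get("audience") != REQUIRED_AUDIENCE:
            findings.append((name, "audience is not exactly " + REQUIRED_AUDIENCE))
        in_queries = "api-version" in inputs.get("queries", {})
        in_url = "api-version" in parse_qs(url.query)
        if not (in_queries or in_url):
            findings.append((name, "api-version missing from URL and Queries"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_keyvault_actions(SAMPLE_ACTIONS):
        print(f"{name}: {problem}")
    print("checked", len(SAMPLE_ACTIONS), "action(s)")
```

To audit a real workflow, pass the `actions` object from its exported definition instead of the constructed sample.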