
Here is the module I am currently using:

// Parameters for the module
param appName string // Name of the existing Web App
param storageAccountName string // Name of the existing Storage Account

// Non-editable variables
var shareName = 'shared'
var mountPath = '/mounts/shared'

// Reference to the existing Web App
resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
name: appName
}

// Reference to the existing storage account
resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {
  name: storageAccountName
}

// Mounts the Azure Files share on the Web App through the 'azurestorageaccounts' config resource.
resource storageSetting 'Microsoft.Web/sites/config@2021-01-15' = {
  name: 'azurestorageaccounts'
  parent: webApp
  properties: {
    // The mount entry is keyed by the share name.
    '${shareName}': {
      type: 'AzureFiles'
      shareName: shareName
      mountPath: mountPath
      accountName: storageAccount.name
      // listKeys() is evaluated at deployment time and the first account key is copied
      // into the site configuration as a literal value. That key grants full access to
      // the storage account, anyone who can read this config can read it, and the stored
      // copy goes stale when the key is rotated until the template is deployed again.
      accessKey: storageAccount.listKeys().keys[0].value
    }
  }
}

However, I’d like to use a Key Vault reference instead, the way it can be configured manually in the Azure portal.

Is this possible?

2

Answers


  1. Mounting Azure File Share on Web App via Key Vault Reference using Bicep

    To achieve this, store the storage account access key as a Key Vault secret, grant the web app the permission it needs to read secrets from the key vault, and use the @Microsoft.KeyVault reference syntax for the access key.

    Deployment:

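    // Names of the existing resources and of the Key Vault secret that holds the
    // storage account access key. The defaults are sample values.
    param appName string = 'testvksb'
    param storageAccountName string = 'tesstvaksbbsamp'
    param keyVaultName string = 'testkeyavuktsva'
    param secretName string = 'testsecret'

    // Fixed share name and mount path inside the app
    var shareName = 'shared'
    var mountPath = '/mounts/shared'

    // Reference to the existing Web App
    resource webApp 'Microsoft.Web/sites@2023-12-01' existing = {
      name: appName
    }

    // Reference to the existing storage account
    resource storageAccount 'Microsoft.Storage/storageAccounts@2019-06-01' existing = {
      name: storageAccountName
    }

    // Reference to the existing key vault. This template does not grant the web app
    // access to it: the app's managed identity must already be allowed to read the secret.
    resource keyVault 'Microsoft.KeyVault/vaults@2021-06-01' existing = {
      name: keyVaultName
    }

    // Mounts the Azure Files share; the access key is given as a Key Vault reference
    // so the key itself is not written into the template or the site configuration.
    resource storageSetting 'Microsoft.Web/sites/config@2021-01-15' = {
      name: 'azurestorageaccounts'
      parent: webApp
      properties: {
        '${shareName}': {
          type: 'AzureFiles'
          shareName: shareName
          mountPath: mountPath
          accountName: storageAccount.name
          // Documented reference form, without surrounding square brackets: Bicep emits
          // a bracketed string as a literal, so the brackets would become part of the
          // value and it would no longer match the reference syntax. The deployment
          // succeeds either way because accessKey is an ordinary string, so check the
          // mount status on the app after deploying.
          // NOTE(review): the portal configures mounts through an app setting that holds
          // the reference; if a direct reference is not resolved here, put the reference
          // in an app setting and set accessKey to '@AppSettingRef(<setting name>)'.
          accessKey: '@Microsoft.KeyVault(VaultName=${keyVault.name};SecretName=${secretName})'
        }
      }
    }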
    

    Deployment:

    enter image description here

    enter image description here

    refer:

    https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli

    https://learn.microsoft.com/en-us/azure/app-service/configure-connect-to-azure-storage?tabs=basic%2Cportal&pivots=container-linux

  2. This assumes that the connection string is already stored in the key vault and that your app service has permission to read secrets from that key vault.

    1. You need a new app setting (a key vault reference) pointing to the connection string in your key vault.
    // Sketch of the Web App with an app setting whose value is a Key Vault reference.
    // Unlike the question's module, the site is declared without `existing`, so deploying
    // this applies the site definition itself and not only a child config resource.
    resource webApp 'Microsoft.Web/sites@2023-12-01' = {
      name: appName
      ...
      properties: {
        ...
        siteConfig: {
           // NOTE(review): an appSettings array on the site resource is applied as the
           // full list; settings already on the app that are not repeated here may be
           // removed. Confirm before deploying against a live app.
           appSettings: [
              {
                name: 'StorageconnectionString'
                // The reference is resolved by App Service at runtime with the app's
                // managed identity, which needs read access to the secret. Only the
                // vault and secret names are stored in the configuration.
                value: '@Microsoft.KeyVault(VaultName=<key vault name>;SecretName=<name of the connectionstring secret>)'
              }
              ...
           ]
        }
      }
    }
    
    1. Then reference the app setting when creating the file share
    // Mounts the Azure Files share; the access key is taken from an app setting
    // rather than written into this resource.
    resource storageSetting 'Microsoft.Web/sites/config@2021-01-15' = {
      name: 'azurestorageaccounts'
      parent: webApp
      properties: {
        '${shareName}': {
          type: 'AzureFiles'
          shareName: shareName
          mountPath: mountPath
          accountName: storageAccount.name
          // Points at the 'StorageconnectionString' app setting, which holds the Key Vault
          // reference; the name must match that setting exactly.
          // NOTE(review): this field is the share's access key, so the secret presumably
          // has to contain the storage account key and not a full connection string.
          // Confirm against the secret's contents.
          accessKey: '@AppSettingRef(StorageconnectionString)'
        }
      }
    }
    