- Fix logger to handle Azure App Service write restrictions
- Skip file logging in Azure App Service (console logs captured automatically)
- Add deployment scripts for App Service setup
- Update documentation with correct resource names
- Add Key Vault access request documentation
- Add alternative authentication methods for ACR and Key Vault
# Key Vault Access Request - For Administrators

## 📋 Request Information

Requested by: adm_bhausmans@zuyderland.nl
Date: $(date +%Y-%m-%d)
Purpose: Grant App Services access to Key Vault for CMDB Insight deployment
## 🔐 Key Vault Details

- Key Vault Name: `zdl-cmdb-insight-prd-kv`
- Resource Group: `zdl-cmdb-insight-prd-euwe-rg`
- Key Vault ID: `/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv`

## 🎯 Required Access

Role: Key Vault Secrets User
Scope: Key Vault resource
Purpose: Allow App Services to read secrets from Key Vault
## 📱 App Service Principal IDs

### Backend Web App

- App Name: `zdl-cmdb-insight-prd-backend-webapp`
- Principal ID: `6bd8373f-f734-4d21-84f2-776fd11b17ae`

### Frontend Web App

- App Name: `zdl-cmdb-insight-prd-frontend-webapp`
- Principal ID: (Get with command below)

## 🚀 Commands for Administrator

### Option 1: Use the Script (Recommended)

```shell
cd /path/to/cmdb-insight
./scripts/grant-keyvault-access-admin.sh
```

### Option 2: Manual Commands

```shell
# Get Key Vault Resource ID
KV_ID=$(az keyvault show \
  --name zdl-cmdb-insight-prd-kv \
  --query id -o tsv)

# Get Frontend Principal ID (if needed)
FRONTEND_PRINCIPAL_ID=$(az webapp identity show \
  --name zdl-cmdb-insight-prd-frontend-webapp \
  --resource-group zdl-cmdb-insight-prd-euwe-rg \
  --query principalId -o tsv)

# Grant access to Backend (scope quoted so an empty KV_ID fails loudly instead of widening the scope)
az role assignment create \
  --assignee "6bd8373f-f734-4d21-84f2-776fd11b17ae" \
  --role "Key Vault Secrets User" \
  --scope "$KV_ID"

# Grant access to Frontend (if needed)
az role assignment create \
  --assignee "$FRONTEND_PRINCIPAL_ID" \
  --role "Key Vault Secrets User" \
  --scope "$KV_ID"
```

### Option 3: Via Azure Portal

- Navigate to Key Vault: `zdl-cmdb-insight-prd-kv`
- Go to Access control (IAM)
- Click Add → Add role assignment
- Select role: Key Vault Secrets User
- Assign access to: Managed identity
- Select members:
  - Backend: `zdl-cmdb-insight-prd-backend-webapp`
  - Frontend: `zdl-cmdb-insight-prd-frontend-webapp`
- Click Review + assign

## ✅ Verification

After granting access, verify with:

```shell
# Check role assignments
az role assignment list \
  --scope "/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv" \
  --query "[?principalId=='6bd8373f-f734-4d21-84f2-776fd11b17ae']" \
  --output table
```

## 📝 Notes

- Key Vault uses RBAC authorization (not access policies)
- The role "Key Vault Secrets User" only allows reading secrets (not writing/deleting)
- This is the recommended approach for production deployments
- Access is granted via Managed Identity (no credentials stored)
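The verification command above lists the assignments but does not judge them. The following check, added here as an example and not one of the project's scripts, consumes the JSON that `az role assignment list --scope "$KV_ID" -o json` returns and confirms that each app identity holds exactly "Key Vault Secrets User" on the vault, flags broader roles, and lists any principal nobody expected; it also reads `properties.enableRbacAuthorization` from `az keyvault show -o json`, since in access-policy mode the role assignment grants no data-plane access. The sample assignments and the frontend principal ID are constructed placeholders, and the field names `principalId`, `roleDefinitionName` and `scope` are those of the CLI's JSON output.

```python
# Least-privilege review of the vault's direct role assignments. Input shape is the JSON of
# `az role assignment list --scope "$KV_ID" -o json`; sample data below is constructed.
KV_ID = ("/subscriptions/e9c3e35d-5eca-4bfb-aae5-2e2659d1b474/resourceGroups/"
         "zdl-cmdb-insight-prd-euwe-rg/providers/Microsoft.KeyVault/vaults/zdl-cmdb-insight-prd-kv")
EXPECTED_ROLE = "Key Vault Secrets User"
# Roles broader than reading secret values; on an app identity these are findings.
OVER_PRIVILEGED = {"Key Vault Administrator", "Key Vault Secrets Officer",
                   "Owner", "Contributor", "User Access Administrator"}
EXPECTED_PRINCIPALS = {  # app -> managed identity principal ID
    "backend": "6bd8373f-f734-4d21-84f2-776fd11b17ae",
    "frontend": "00000000-0000-0000-0000-000000000001",  # constructed placeholder
}

def check_assignments(assignments, expected=EXPECTED_PRINCIPALS, kv_id=KV_ID):
    """Return findings; an empty list means every expected identity holds the reader role
    directly on the vault, nothing broader, and no other principal is assigned there."""
    findings = []
    held = {}  # principalId -> role names assigned directly on the vault scope
    for a in assignments:
        if a["scope"].lower() == kv_id.lower():  # inherited/other scopes are not in this list
            held.setdefault(a["principalId"], set()).add(a["roleDefinitionName"])
    for app, pid in expected.items():
        roles = held.get(pid, set())
        if EXPECTED_ROLE not in roles:
            findings.append(f"{app}: missing '{EXPECTED_ROLE}' on the vault")
        for role in sorted(roles & OVER_PRIVILEGED):
            findings.append(f"{app}: over-privileged role '{role}' on the vault")
    for pid, roles in held.items():
        if pid not in expected.values():
            findings.append(f"unexpected principal {pid}: {', '.join(sorted(roles))}")
    return findings

def rbac_enabled(vault):
    """True when the vault is in RBAC mode (input: `az keyvault show -o json`). In
    access-policy mode a 'Key Vault Secrets User' assignment grants no secret reads."""
    return bool(vault.get("properties", {}).get("enableRbacAuthorization"))

# Constructed sample in the CLI's shape (only the fields the check uses are shown).
SAMPLE_ASSIGNMENTS = [
    {"principalId": "6bd8373f-f734-4d21-84f2-776fd11b17ae", "roleDefinitionName": EXPECTED_ROLE, "scope": KV_ID},
    {"principalId": "00000000-0000-0000-0000-000000000001", "roleDefinitionName": "Key Vault Administrator", "scope": KV_ID},
    {"principalId": "11111111-1111-1111-1111-111111111111", "roleDefinitionName": EXPECTED_ROLE, "scope": KV_ID},
]

if __name__ == "__main__":
    for finding in check_assignments(SAMPLE_ASSIGNMENTS):
        print("FINDING:", finding)
```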
## 🔗 Related Documentation

- `docs/AZURE-APP-SERVICE-DEPLOYMENT.md` - Complete deployment guide
- `scripts/grant-keyvault-access-admin.sh` - Automated script for admins