Programatically adding Secrets to Key Vault in C#

Question

I am attempting to put some output from a service I am running in a Key Vault in Azure. The output of my service will be user credentials which is why I want to use Key Vault for this purpose.

So far, I have tried the KeyVaultClient's SetSecretAsync method, but it's not working for me, I am not getting any error messages however I'm also not seeing a new secret created in my targetted KeyVault. I have not been able to find a KeyVaultClient Add Secret method as it does not exist, am I using the right object/method here?

The method in question here is AddResult.

Here is my code:

    private static AzureKeyVault instance;
    private static KeyVaultClient client;
    private AzureKeyVault()
    {
        //initialize the azure key vault
        var vaultAddress = ConfigurationManager.AppSettings["VaultUri"];
        client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));


    }
    public static async Task<string> GetAccessToken(string authority, string resource, string scope)
    {
        var clientId = ConfigurationManager.AppSettings["ClientID"];
        var clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
        ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);

        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
        var result = await context.AcquireTokenAsync(resource, clientCredential);

        return result.AccessToken;
    }


    public static AzureKeyVault GetInstance
    {
        get
        {
            if (instance == null)
            {
                instance = new AzureKeyVault();
            }
            return instance;
        }
    }

    public void AddResult(string machineIPAndPort, BruteForceResult result)
    {
        client.SetSecretAsync("https://vaultURI(redacted).vault.azure.net/", machineIPAndPort, JsonConvert.SerializeObject(result));
    }

Goal == Title (Add Secret to Key Vault) Result == No secret added and no error messages. — Kyle Bachmann, Oct 18 '17 at 19:01
In the Secret, the machineIPandPort would be the name, and the serialized result would be the Value. — Kyle Bachmann, Oct 18 '17 at 19:03
Shouldn't you await that `SetSecretAsync` call (or `.Result` if you're in a real hurry)? Works just fine for me. — evilSnobu, Oct 18 '17 at 19:10
How would I do that? just save the output of the SetSecretAsync to a variable and await it? like var res = await client.SetSecretAsync then change my return type on AddResult? — Kyle Bachmann, Oct 18 '17 at 19:12

evilSnobu · Accepted Answer · 2018-06-15T05:45:45.787

Use patience (await creation).

// Let's create a secret and read it back
string vaultBaseUrl = "https://alice.vault.azure.net";
string secret = "from-NET-SDK";

// Await SetSecretAsync
KeyVaultClient keyclient = new KeyVaultClient(GetToken);
var result = keyclient.SetSecretAsync(vaultBaseUrl, secret, "Sup3eS3c5et").Result;

// Print indented JSON response
string prettyResult = JsonConvert.SerializeObject(result, Formatting.Indented);
Console.WriteLine($"SetSecretAsync completed: {prettyResult}\n");

// Read back secret
string secretUrl = $"{vaultBaseUrl}/secrets/{secret}";
var secretWeJustWroteTo = keyclient.GetSecretAsync(secretUrl).Result;
Console.WriteLine($"secret: {secretWeJustWroteTo.Id} = {secretWeJustWroteTo.Value}");

Result:

SetSecretAsync completed:

{  
   "SecretIdentifier":{  
      "BaseIdentifier":"https://alice.vault.azure.net:443/secrets/from-NET-SDK",
      "Identifier":"https://alice.vault.azure.net:443/secrets/from-NET-SDK/59793...",
      "Name":"from-NET-SDK",
      "Vault":"https://alice.vault.azure.net:443",
      "VaultWithoutScheme":"alice.vault.azure.net",
      "Version":"597930b70565447d8ba9ba525a206a9e"
   },
   "value":"Sup3eS3c5et",
   "id":"https://alice.vault.azure.net/secrets/from-NET-SDK/59...",
   "contentType":null,
   "attributes":{  
      "recoveryLevel":"Purgeable",
      "enabled":true,
      "nbf":null,
      "exp":null,
      "created":1508354384,
      "updated":1508354384
   },
   "tags":null,
   "kid":null,
   "managed":null
}

secret: https://alice.vault.azure.net/secrets/from-NET-SDK/59793... = Sup3eS3c5et

What you should really do is rewrite AddResult():

public bool AddResult(string machineIPAndPort, BruteForceResult result)
{
    await result = client.SetSecretAsync("https://vaultURI(redacted).vault.azure.net/",
        machineIPAndPort, JsonConvert.SerializeObject(result));

    return true;
}

And maybe wrap that in a try-catch and read the InnerException since that's where the meaningful HTTP response body will be. For example, making the request against a Key Vault i don't have access to results in:

And also because this is the cloud, you're in for fierce competition with other mission critical traffic, things will fail.

This worked wonderfully, thank you. I guess the issue was that I had to await the result... something you'd think they would document. Thank you EvilSnobu — Kyle Bachmann, Oct 18 '17 at 19:23
You actually taught me a lot about how async works and little kluges on getting the results instead of implimenting async... Thank you sir! — Kyle Bachmann, Oct 18 '17 at 19:30
But you should not do that, you should implement proper async/await. But you know.. life's short :) — evilSnobu, Oct 18 '17 at 19:31
haha I figured it is kinda of a kluge,,, but I appreciate the quick win =) thanks again. — Kyle Bachmann, Oct 18 '17 at 19:32

Programatically adding Secrets to Key Vault in C#

1 Answers1

Linked