So I am now getting the error when attempting to run this configuration set in my program.cs file:

```csharp
var keyVaultConfigBuilder = new ConfigurationBuilder();

// Check these worked and they do for what I have
var vault = builtConfig["Azure:Vault"];
var clientId = builtConfig["Azure:ClientId"];
var clientSecret = builtConfig["Azure:ClientSecret"];

keyVaultConfigBuilder.AddAzureKeyVault(
  $"https://{builtConfig["Azure:Vault"]}.vault.azure.net/",
  builtConfig["Azure:ClientId"],
  builtConfig["Azure:ClientSecret"]);

// Fails here on building where it succeeded yesterday
var keyVaultConfig = keyVaultConfigBuilder.Build();
```

And in my appsettings.json (section of):

```json
"Azure": {
  "Vault": "Expenses",
  "ClientId": "(guid for my applicationId)",
  "ClientSecret": "(base64 encoded key that never expires)"
},
```

A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

However just the other day I got it working completely and it was working just fine. I can go to this uri:

https://Expenses.vault.azure.net

And see I get a 403 Forbidden, which means at least it can be reached. Things I have tried:

  1. Creating a brand new application registration and trying that.
  2. Restarted Visual Studio
  3. Removed 'Access Policies' under Key Vault and attempted to add them back again.
  4. Checked that Firewalls on KeyVault was set to all networks.

When I had it working the other day I was trying lots of things and hooked up a PowerShell command where I had hooked up remote access to my subscription. Could this need to be set in the application first before hitting the domain of my key vault? I don't know. I just want it to work with the key vault with minimal effort from a .NET Core API 2.1 application.

djangojazz
  • `(guid for my key that never expires)` is this correct? A secret is not usually a GUID :) It's bytes encoded as base-64. What you could try is call the Azure AD token endpoint manually with those credentials and get an access token for Key Vault. Then try a manual API call with that token. See if that works or not. – juunas Aug 08 '18 at 15:50
  • @juunas Dangit you were right, it's not a GUID. I just assumed it was since the other one was, updated my answer. 'What you could try is call the Azure AD token endpoint manually with those credentials and get an access token for Key Vault.' How? Like https://Expenses.vault.azure.net/(guid)/(base-64secret)? I did try something like that and it gave a 404 I think. – djangojazz Aug 08 '18 at 19:13
  • No, call Azure AD using the client credentials flow (search for azure ad service to service calls). That will give you an access token if your credentials are valid. Then you can call Key Vault's REST API manually with the token attached as a header. You can find documentation for the key vault api pretty easily I think. – juunas Aug 08 '18 at 19:29
  • Here https://learn.microsoft.com/en-us/rest/api/keyvault/ – juunas Aug 08 '18 at 19:30
  • And here https://learn.microsoft.com/en-gb/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow – juunas Aug 08 '18 at 19:30
  • Okay I touched NOTHING and today it works. My guess is a timeout was occurring yesterday on my end or Azure's. – djangojazz Aug 09 '18 at 12:02
  • @juunas The problem with your documentation is they ask for things like 'API version' and things I am not privy to creating in the first place here: https://learn.microsoft.com/en-us/rest/api/keyvault/getsecret/getsecret. I get a 404 every time. I assume there is the Client ID and ClientSecret somewhere put in that is needed. But I put it in the header or as params and no matter what it is 404. App works now is the important part as can a PowerShell command. This is interesting but without knowing how to use it it's of no help. – djangojazz Aug 09 '18 at 12:49
  • You need to authenticate first. And then I assume without further reading add an 'Auth': 'Bearer: (some long base64 key)' similar to JWT authentication for your subsequent calls. I figured as much. It says it here: https://learn.microsoft.com/en-us/rest/api/azure/#acquire-an-access-token. That is interesting though but I am going to stop before I get involved in setting up Postman, Fiddler, etc. web requests to test I can get into Azure this way. But ultimately I think it may have just been slowdown to the site. – djangojazz Aug 09 '18 at 13:05

1 Answer

A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond

I tested the code you provided and it works fine on my side. The error message you provided basically means that no response was received from the remote host when the TCP connection attempt took place. You could refer to the following steps to troubleshoot.

1. A firewall is blocking the response from the server. Check firewall settings on the production server, renew IP like your local IP.
2. There is a temporary problem with the server.
3. Convert the URL from string to Uri object using:

```csharp
Uri myUri = new Uri(URLInStringFormat, UriKind.Absolute);
WebClient client = new WebClient();
client.OpenRead(myUri);
```

4. The issue happens if the machine that is running the program is behind a corporate proxy (or firewall) that allows traffic coming only from authenticated users. By default Azure/IIS configures the AppPool to run under NetworkService. Hence, the proxy does not allow traffic coming from this account. Refer to this article to get a solution.

Also, as juunas said, you could try calling the Azure AD token endpoint manually with those credentials and get an access token for Key Vault.

For more details about how to do that, you could refer to this thread.

Joey Cai
  • My machine is on a dev box at home. Everything is on and opened, but I like your link to getting the bearer token example. So +1 for that. I may use that in the future as I have done some minimal JWT work with header elements with .NET Core services and thought something like that may be needed. – djangojazz Aug 09 '18 at 12:52
  • Do you want to use JWT token to authenticate and get to the key vault? If so, I could do a demo for you. – Joey Cai Aug 14 '18 at 02:48
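
The manual check suggested in the comments and the answer (client credentials flow against Azure AD, then a Key Vault REST call with the token), as an added example that is not part of the original thread. The tenant ID, the environment variable names and the Newtonsoft.Json reference are assumptions; `api-version` is a required query parameter on Key Vault REST calls, and the token goes in an `Authorization: Bearer` header.

```csharp
// Added diagnostic example; not code from the question or the answer.
// Assumes Newtonsoft.Json is referenced and these environment variables (names chosen here) are set.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Newtonsoft.Json.Linq;

public static class KeyVaultProbe
{
    private static readonly HttpClient Http = new HttpClient { Timeout = TimeSpan.FromSeconds(15) };

    public static void Main() => RunAsync().GetAwaiter().GetResult();

    private static async Task RunAsync()
    {
        string tenant = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");   // directory (tenant) ID
        string vault = Environment.GetEnvironmentVariable("AZURE_VAULT");        // vault name, e.g. Expenses
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");
        try
        {
            // Step 1: client credentials grant. Credentials go in the POST body to Azure AD, never in the vault URL.
            var form = new FormUrlEncodedContent(new Dictionary<string, string>
            {
                ["grant_type"] = "client_credentials",
                ["client_id"] = clientId,
                ["client_secret"] = clientSecret,
                ["resource"] = "https://vault.azure.net"
            });
            var tokenResponse = await Http.PostAsync($"https://login.microsoftonline.com/{tenant}/oauth2/token", form);
            var tokenJson = JObject.Parse(await tokenResponse.Content.ReadAsStringAsync());
            if (!tokenResponse.IsSuccessStatusCode)
            {
                // Print only the error code, never the secret or the raw body.
                Console.WriteLine($"Azure AD refused the token request: {(int)tokenResponse.StatusCode} {tokenJson["error"]}");
                return;
            }

            // Step 2: list secret identifiers (no secret values) with the token in the Authorization header.
            var request = new HttpRequestMessage(HttpMethod.Get, $"https://{vault}.vault.azure.net/secrets?api-version=7.0");
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", (string)tokenJson["access_token"]);
            var vaultResponse = await Http.SendAsync(request);
            // 200: credentials and access policy are fine. 401: token not accepted. 403: access policy lacks List on secrets.
            Console.WriteLine($"Key Vault answered: {(int)vaultResponse.StatusCode} {vaultResponse.ReasonPhrase}");
        }
        catch (HttpRequestException ex) { Console.WriteLine($"Network failure (DNS, TCP or TLS): {ex.Message}"); }
        catch (OperationCanceledException) { Console.WriteLine("Timed out after 15 s: a connectivity problem, not an authentication one."); }
    }
}
```

Any HTTP status from either endpoint means the network path is working, so a failure like the one in the question would surface in one of the two `catch` branches instead.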