I have a local ASP.NET Core 3.1 application from which I want to set a secret in an Azure Key Vault. The following is the code I used from Microsoft:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

string secretName = "xxSecret";

// Vault name comes from the environment; the URI is built from it.
string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
var kvUri = "https://" + keyVaultName + ".vault.azure.net";
// DefaultAzureCredential tries several credential sources in turn.
var secretClient = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

string secretValue = "test";
secretClient.SetSecret(secretName, secretValue);
KeyVaultSecret secret = secretClient.GetSecret(secretName);

When I try to set a secret, I get the following error in Postman:

Azure.Identity.AuthenticationFailedException: DefaultAzureCredential authentication failed.
 ---> Azure.Identity.AuthenticationFailedException: SharedTokenCacheCredential authentication failed.
 ---> Microsoft.Identity.Client.MsalServiceException: AADSTS70002: The client does not exist or is not 
enabled for consumers. If you are the application developer, configure a new application through the 
App Registrations in the Azure Portal

I don't want to register this app yet, as I want to debug this locally. I'm guessing the issue is that I don't have a correct Access Policy set up. How do I grant my local app access?

(Before I run the app locally, I authenticate to my Azure directory using Azure PowerShell.)


1 Answer

How do I grant my local app access?

For local development, AzureServiceTokenProvider fetches tokens using Visual Studio, Azure CLI, or Azure AD Integrated Authentication. Each option is tried sequentially and the library uses the first option that succeeds.

To authenticate by using Visual Studio:

Sign in to Visual Studio and use Tools > Options to open Options.

Select Azure Service Authentication, choose an account for local development, and select OK.

In Azure, you need to go to your Azure Key Vault. Click Access Policies and add the account you signed in to VS with before, with Get and Set permissions for secrets. Then you could use your code to get the secret value.

Also, you could use AzureServiceTokenProvider to get the secret without initializing your secret value.

using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

// Full secret identifier: vault URL, secret name and version.
var KeyVaultUrl = "https://xxx.vault.azure.net/secrets/xxx/xxxxxxxxxxxxxx";
// Locally this obtains a token from Visual Studio, Azure CLI or integrated auth.
AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
// Blocking on .Result here; prefer await in async code.
var secret = keyVaultClient.GetSecretAsync(KeyVaultUrl).Result.Value;
  • Sorry I didn't respond sooner. That solved my issue. – user1647160 Apr 22 '20 at 05:15
  • Note Microsoft.Azure.Services.AppAuthentication is no longer recommended for use with the new Key Vault SDK. It is replaced with the new Azure Identity library DefaultAzureCredentials available for .NET, Java, TypeScript and Python and should be used for all new development. More information can be found here: [Authentication and the Azure SDK](https://devblogs.microsoft.com/azure-sdk/authentication-and-the-azure-sdk/). – 321X Aug 26 '20 at 18:47
  • Hi Cai, in my local it's working fine but not working in Azure App Service when I deploy. I have used Azure.Core to get a token, so how do I authenticate from an IIS server or App Service? – Md Aslam Sep 17 '20 at 06:42
  • Hi @MdAslam, you have to turn your App Service into a Managed Identity (in your App Service, select "Identity" in the "Settings" part on the left panel and set status "on"). Then allow your App Service to access your KeyVault through "Access Policies", and set _GET_ permission on **Secrets**. Like this, your code should be able to work both locally and remotely. – Michaël Maillot Nov 27 '20 at 12:26
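As an added example (not code from the question or the answer), the following shows how the question's `DefaultAzureCredential` setup can be narrowed so that the credential named in the stack trace (SharedTokenCacheCredential) is skipped locally, only the signed-in developer tools are tried on a workstation, and only the managed identity from the last comment is tried in App Service. It assumes the `KEY_VAULT_NAME` variable from the question and the App Service-provided `WEBSITE_SITE_NAME` variable; the vault's access policy still has to grant the chosen identity Get (and Set, if needed) on secrets.

```csharp
using System;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultAccess
{
    // Builds a SecretClient whose credential chain matches where the code runs.
    // Locally: developer sign-in tools only (Visual Studio, Azure CLI, Azure PowerShell).
    // In App Service: the managed identity only.
    public static SecretClient CreateSecretClient(bool runningInAzure)
    {
        // KEY_VAULT_NAME is the variable the question's code already reads; fail loudly
        // instead of building the invalid URI "https://.vault.azure.net".
        string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME")
            ?? throw new InvalidOperationException("KEY_VAULT_NAME is not set.");
        var kvUri = new Uri($"https://{keyVaultName}.vault.azure.net");

        var options = new DefaultAzureCredentialOptions
        {
            // The credential that failed with AADSTS70002 in the question's trace.
            ExcludeSharedTokenCacheCredential = true,
            // No browser prompt and no client-secret environment variables on a dev box.
            ExcludeInteractiveBrowserCredential = true,
            ExcludeEnvironmentCredential = true,
            // Managed identity exists only in Azure; developer tools only on the workstation.
            ExcludeManagedIdentityCredential = !runningInAzure,
            ExcludeVisualStudioCredential = runningInAzure,
            ExcludeAzureCliCredential = runningInAzure,
            ExcludeAzurePowerShellCredential = runningInAzure,
        };

        return new SecretClient(kvUri, new DefaultAzureCredential(options));
    }

    public static void Demo()
    {
        // WEBSITE_SITE_NAME is set by App Service and absent on a developer machine (assumption).
        bool inAzure = Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME") != null;
        SecretClient client = CreateSecretClient(inAzure);
        try
        {
            KeyVaultSecret secret = client.GetSecret("xxSecret");
            Console.WriteLine($"Fetched '{secret.Name}' version {secret.Properties.Version}.");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was issued but the vault's access policy lacks Get on secrets for
            // this identity: fix the access policy, not the credential chain.
            Console.WriteLine($"Forbidden ({ex.ErrorCode}): grant this identity Get on secrets.");
        }
    }
}
```

A 403 here means authentication succeeded and authorization (the access policy) is the problem, which separates the two failure modes the thread discusses.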