
I have come across the Azure App Configuration service, which has the ability to link a secret from Azure Key Vault by creating a new record with the Key Vault reference option.

I have used the Microsoft extension for App Configuration as described in the Microsoft docs.

The steps that have been done:

  • Creating a service principal via CMD - `az ad sp create-for-rbac -n "http://mySP" --sdk-auth`
  • Given permission to the created service provider also via CMD - `az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --secret-permissions delete get list set --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey`
  • Set the client id & secret in environment variables

  • The method implementation

        using Azure.Identity;
        using Microsoft.AspNetCore.Hosting;
        using Microsoft.Extensions.Configuration;
        using Microsoft.Extensions.Hosting;

        public class Program
        {
            public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

            public static IHostBuilder CreateHostBuilder(string[] args) =>
                Host.CreateDefaultBuilder(args)
                    .ConfigureWebHostDefaults(webBuilder =>
                        webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
                        {
                            // Build the sources registered so far (appsettings, environment)
                            // to read the App Configuration connection string.
                            var settings = config.Build();

                            config.AddAzureAppConfiguration(options =>
                            {
                                options.Connect(settings["ConnectionStrings:AppConfig"])
                                       // Key Vault references are resolved with this credential,
                                       // not with the App Configuration connection string.
                                       .ConfigureKeyVault(kv =>
                                       {
                                           kv.SetCredential(new DefaultAzureCredential());
                                       });
                            });
                        })
                        .UseStartup<Startup>());
        }


The issue starts when I try to fetch data from App Configuration that has at least one KV reference. I'm getting the following error (only in the case where a KV reference is linked to the App Configuration):

Service request failed. Status: 401 (Unauthorized)

Content:

{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: \r\nCorrelation ID: \r\nTimestamp: 2020-05-27 22:59:52Z","error_codes":[7000215],"timestamp":"2020-05-27 22:59:52Z","trace_id":"","correlation_id":"","error_uri":"https://login.microsoftonline.com/error?code=7000215"}

Headers:
Cache-Control: no-store, no-cache
Pragma: no-cache
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
x-ms-request-id: REDACTED
x-ms-ests-server: REDACTED
P3P: REDACTED
Set-Cookie: REDACTED
Date: Wed, 27 May 2020 22:59:51 GMT
Content-Type: application/json; charset=utf-8
Expires: -1
Content-Length: 471

Any help will be much appreciated :) Thanks!

Jim Xu
Avi Siboni
  • From the error message, it seems the client secret is invalid. Do you have the correct value in the environment: $Env:AZURE_CLIENT_SECRET? – Marcelo May 28 '20 at 02:47

2 Answers


When using the DefaultAzureCredential, it will first try Managed Identity (recommended for services on Azure), and eventually a service principal that requires the following environment variables to be set for the process (both on your application service and for local development; they can be different, so long as the service principal ID has appropriate permissions):

  • AZURE_TENANT_ID : the tenant ID
  • AZURE_CLIENT_ID : the service principal ID
  • AZURE_CLIENT_SECRET : the service principal secret (password) you were shown only after creating the service principal

You could also use the new preview of Azure.Identity, which supports other authentication schemes that are more common and easier to use on development machines, such as the Azure CLI (az login), Visual Studio, and Visual Studio Code.

Heath
  • Thanks for your answer, but I already did it and it doesn't work. Eventually I found the issue: for some reason Visual Studio wasn't able to retrieve the env vars, so I just ran VS as admin. – Avi Siboni Jun 03 '20 at 10:58
  • If Visual Studio was running prior to setting environment variables, you need to restart it for the process to pick them up. You generally shouldn't need to run Visual Studio as administrator. – Heath Jun 04 '20 at 05:16
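As an added example, not code from the question or from Heath's answer: the question's host setup with the credential built in a small preflight helper that requests one Key Vault token at startup and, when that fails, reports which of the three AZURE_* variables Heath lists are not visible to the process (names only, never values). It assumes the question's Startup class and ConnectionStrings:AppConfig setting, the Azure.Identity and Microsoft.Extensions.Configuration.AzureAppConfiguration packages, and a helper class name (KeyVaultCredentialPreflight) chosen here.

```csharp
using System;
using System.Linq;
using System.Threading;
using Azure.Core;
using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

// Added example (class name is an assumption, not part of the question's project).
public static class KeyVaultCredentialPreflight
{
    // The variables EnvironmentCredential (the service-principal step of the
    // DefaultAzureCredential chain) reads for client-secret authentication.
    private static readonly string[] ServicePrincipalVars =
        { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET" };

    // Key Vault data-plane scope; the App Configuration provider requests tokens
    // for this audience when it resolves a Key Vault reference.
    private const string KeyVaultScope = "https://vault.azure.net/.default";

    // Names (never values) of the service-principal variables this process cannot see.
    public static string[] MissingServicePrincipalVars() =>
        ServicePrincipalVars
            .Where(name => string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable(name)))
            .ToArray();

    public static TokenCredential Build(bool isDevelopment)
    {
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            // Production: only Managed Identity or the env-var service principal is acceptable.
            // Development: also allow az login / Visual Studio sign-in, as Heath's answer suggests.
            ExcludeAzureCliCredential = !isDevelopment,
            ExcludeVisualStudioCredential = !isDevelopment,
            ExcludeVisualStudioCodeCredential = !isDevelopment,
            ExcludeSharedTokenCacheCredential = true,
            ExcludeInteractiveBrowserCredential = true,
        });

        try
        {
            // Request one Key Vault token now. A wrong client secret fails here with the
            // AADSTS error from the question, before App Configuration is wired up.
            credential.GetToken(new TokenRequestContext(new[] { KeyVaultScope }), CancellationToken.None);
        }
        catch (AuthenticationFailedException ex)
        {
            var missing = MissingServicePrincipalVars();
            var hint = missing.Length == 0
                ? "all AZURE_* variables are set in this process; check the secret value and the Key Vault access policy"
                : "no Managed Identity token, and these variables are not visible to this process: "
                  + string.Join(", ", missing)
                  + " (restart the IDE or terminal if they were set after it started)";
            throw new InvalidOperationException("Key Vault credential preflight failed: " + hint, ex);
        }
        return credential;
    }
}

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
                webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
                {
                    var settings = config.Build();
                    var credential = KeyVaultCredentialPreflight.Build(
                        hostingContext.HostingEnvironment.IsDevelopment());

                    config.AddAzureAppConfiguration(options =>
                        options.Connect(settings["ConnectionStrings:AppConfig"])
                               .ConfigureKeyVault(kv => kv.SetCredential(credential)));
                })
                .UseStartup<Startup>());
}
```

The preflight costs one token request at startup, in exchange for a failure message that says whether the process has the variables at all or merely has a wrong secret. Because a process inherits its environment when it is created, variables set after Visual Studio or the terminal started will show up as missing here until that process is restarted; in production the interactive credentials are excluded so the app can never silently succeed with a developer's personal sign-in.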

The issue was that Visual Studio wasn't able to get the environment variables for some reason, so they were not sent with the request. Once I ran Visual Studio as admin, it worked.

Avi Siboni
  • In my humble opinion, @Heath deserves to have his answer accepted here. What he said about the environment variables was true. – Sabuncu Mar 18 '21 at 12:56
  • If you set the environment variables while Visual Studio was running, you have to restart the process to pick them up. Most applications don't handle the broadcast message to re-read environment variables, and apps like VS are made up of many, many child processes that would also need to re-read those variables or get inconsistent results. The fact that you ran it as admin probably has less to do with it working than having just started a new process. – Heath Mar 22 '21 at 17:25
  • I was thinking that when the host is running (since it's .NET Core) it would always reference the environment variable. I didn't realize it was using the process's copy; thanks @Heath for the clarification. – Avi Siboni Mar 24 '21 at 10:38
  • Processes by default inherit their parent process's environment variables, so if the .NET Core compiler was started by VS to, say, build and/or debug, those environment variables are inherited. Also, the `dotnet` CLI may spawn build servers that keep variables, so if it ever seems like you're getting older behavior, run `dotnet build-server shutdown` to force them to respawn with the changed environment variables. Keep in mind that your terminal app may also have to be restarted if you changed environment variables from the System control panel or apps like `setx`. – Heath Mar 25 '21 at 17:33