
I was able to create a key vault, add a secret, and display it on the screen following this tutorial on YouTube. The only problem is that it's only working when I deploy to Azure. And, so far, all the code assumes that I want to deploy to Azure.

I found this response to a Stack Overflow question that explains how to do it in VS Code. The problem is that the code is different from mine, probably because the question was asked in 2019 while I'm using .NET 5.0. Here's my code. It was created by

  1. Going to Connected Services

  2. Add Service

  3. Selecting Key Vault and following the wizard.

    // Program.cs: the generated host builder loads Key Vault secrets into configuration.
    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                // VaultUri is read from the environment; it must be set locally too,
                // otherwise new Uri(null) throws before Key Vault is contacted.
                var keyVaultEndpoint = new Uri(Environment.GetEnvironmentVariable("VaultUri"));
                // DefaultAzureCredential tries managed identity, Visual Studio, VS Code,
                // Azure CLI, ... in turn and uses the first one that yields a token.
                config.AddAzureKeyVault(
                    keyVaultEndpoint,
                    new DefaultAzureCredential());
            })
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });

Each time I run it locally, I get the following exception.

{"error":{"code":"Forbidden","message":"Access denied to first party service.
  Caller: name=from-infra;tid=f8cdef31-a31e-4b4a-93e4-5f571e91255a;
  appid=872cd9fa-d31f-45e0-9eab-6e460a02d1f1;
  ...
  "innererror":{"code":"AccessDenied"}}}

I've run the following code.

az keyvault set-policy --name 'myKeyvault' --object-id 872cd9fa-d31f-45e0-9eab-6e460a02d1f1 --secret-permissions get

The following line was added in the key vault Access Policies table.

Yet, when I tried to run the application locally, I still got the same error. Is there a step I am missing?

Thanks for helping

Richard77
  • I tried the sample offered by the YouTube tutorial, and it did work in VS Code. And I haven't signed in to any accounts in VS Code. Odd here. – Tiny Wang Mar 04 '21 at 08:13
  • Did you ever resolve this? I am fighting with the same thing. – Dave Apr 22 '21 at 05:59

1 Answer


I used to gather an Azure Key Vault secret via this sample; I added the access policy for the user in my tenant which is also used to sign in to Visual Studio. This may help...

using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

namespace key_vault_test
{
    class Program
    {
        static async Task Main(string[] args)
        {
            const string secretName = "test0120";
            var kvUri = "https://fortest0120.vault.azure.net/";
            var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

            var secret = await client.GetSecretAsync(secretName);
            Console.WriteLine($"Your secret is '{secret.Value.Value}'.");
        }
    }
}

And in my opinion, there's also another choice to obtain secrets: using the Key Vault API. What you need to do is create an Azure AD app and add API permission for Key Vault, but this API only has delegated permission, so you can only use a password flow (auth code or ROPC) to generate the access token. Here you need to add an access policy for the application you registered and those users (groups are preferred if there are many users; you could add those users into a group).

Tiny Wang
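For the local "Forbidden" case in the question and the access-policy fix in the answer, here is an added diagnostic (not code from the question, the answer, or the Azure SDK docs) that asks DefaultAzureCredential for a Key Vault token, prints which principal it belongs to, and then attempts the same secret read the app performs. The vault URI and secret name are placeholders, and managed identity is excluded only because this runs on a developer machine; the `oid` claim it prints is the value an access policy must name, whereas `appid` is only the client tool that requested the token.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added diagnostic: which principal does DefaultAzureCredential resolve to locally, and can it read the secret?
class KeyVaultAccessCheck
{
    const string VaultUri = "https://<your-vault>.vault.azure.net/";   // placeholder
    const string SecretName = "<your-secret>";                          // placeholder
    const string KeyVaultScope = "https://vault.azure.net/.default";

    static async Task Main()
    {
        // Local diagnostics only: skip managed identity so the identity comes from a developer-tool sign-in.
        var credential = new DefaultAzureCredential(
            new DefaultAzureCredentialOptions { ExcludeManagedIdentityCredential = true });
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { KeyVaultScope }), default);
        var claims = DecodePayload(token.Token);
        // 'oid' is the principal an access policy must name; 'appid' is only the requesting client tool.
        Console.WriteLine($"tid={claims.GetValueOrDefault("tid")} oid={claims.GetValueOrDefault("oid")} " +
                          $"appid={claims.GetValueOrDefault("appid")} upn={claims.GetValueOrDefault("upn")}");
        try
        {
            KeyVaultSecret secret = await new SecretClient(new Uri(VaultUri), credential).GetSecretAsync(SecretName);
            Console.WriteLine($"Read OK: '{SecretName}' has {secret.Value.Length} characters (value not printed).");
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            Console.WriteLine("403 Forbidden: grant the oid above 'get' on secrets, e.g.");
            Console.WriteLine("  az keyvault set-policy --name <vault> --object-id <oid> --secret-permissions get");
        }
    }

    // Decode the JWT payload (base64url) without validation; we only inspect our own token.
    static Dictionary<string, string> DecodePayload(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        var claims = new Dictionary<string, string>();
        foreach (var p in doc.RootElement.EnumerateObject())
            if (p.Value.ValueKind == JsonValueKind.String) claims[p.Name] = p.Value.GetString();
        return claims;
    }
}
```

Granting the policy to the printed `oid` with only `get` on secrets keeps the local developer identity at the least privilege the app needs.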