1

I've added a service bus triggered function to create a key vault via the Microsoft.Azure.Management.Fluent library.

The function runs fine locally and creates a new key vault within my MSDN subscription, however, when it's deployed into Azure and tries to create a Key Vault in our company test subscription using the function app managed service identity it fails with an ArgumentNullException from Guid.Parse.

Stack Trace

Inner exception System.ArgumentNullException handled at CollectorFunctions.Proxies.KeyVaultProxy+d__9.MoveNext:
at System.Guid.Parse (System.Private.CoreLib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=7cec85d7bea7798e)
at Microsoft.Azure.Management.KeyVault.Fluent.VaultsImpl.WrapModel (Microsoft.Azure.Management.KeyVault.Fluent, Version=1.0.0.68, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at Microsoft.Azure.Management.KeyVault.Fluent.VaultsImpl.Define (Microsoft.Azure.Management.KeyVault.Fluent, Version=1.0.0.68, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at Microsoft.Azure.Management.KeyVault.Fluent.VaultsImpl.Microsoft.Azure.Management.ResourceManager.Fluent.Core.CollectionActions.ISupportsCreating<Microsoft.Azure.Management.KeyVault.Fluent.Vault.Definition.IBlank>.Define (Microsoft.Azure.Management.KeyVault.Fluent, Version=1.0.0.68, Culture=neutral, PublicKeyToken=31bf3856ad364e35)
at CollectorFunctions.Proxies.KeyVaultProxy+d__9.MoveNext (CollectorFunctions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=nullCollectorFunctions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null: D:\a\1\s\src\Server\CollectorFunctions\Proxies\IKeyVaultProxy.csCollectorFunctions, Version=1.0.0.0, Culture=neutral, PublicKeyToken=null: 86)

The error occurs running the following statement which was taken from the ManageKeyVault sample project linked from this repro. The supplied parameters all have valid values and the resourceGroup was looked up via IAzure.ResourceGroups.GetByNameAsync(resourceGroupName).

await _azure.Vaults
      .Define(newKeyVaultName)
      .WithRegion(resourceGroup.Region)
      .WithExistingResourceGroup(resourceGroupName)
      .WithEmptyAccessPolicy()
      .CreateAsync();
Rob Willis
  • 4,706
  • 2
  • 28
  • 20
  • So, when running locally your identity is being used to create the key vault in the sub. When running in Azure, what identity is being used? Does that identity have the same rights as you? – Troy Witthoeft Mar 19 '21 at 19:26
  • It's using the Managed Service Identity for the function app. The identity was initially assigned the Key Vault Contributor role on the Resource Group, then raised to Contributor role and finally Owner of the Resource Group but always get the same error. – Rob Willis Mar 20 '21 at 20:59
  • I think it's this line: https://github.com/Azure/azure-libraries-for-net/blob/391e9bfe9424045226c8e3f06f05598bc9f400a6/src/ResourceManagement/KeyVault/VaultsImpl.cs#L100 which is looking for a TenantId, but I'm not sure how to provide it. – Skrymsli Mar 23 '21 at 21:41

1 Answers1

1

In my case, I didn't realize there's a tenantId parameter when getting credentials. I needed to supply tenantId:

var msi = new MSILoginInformation(MSIResourceType.VirtualMachine);
var creds = SdkContext.AzureCredentialsFactory.FromMSI(msi,
 AzureEnvironment.AzureGlobalCloud, 
*** tenantId ***);

Since your stack trace looks exactly like mine, I'm guessing this is the problem. If you specify the tenantID when you get credentials then I think it should work for you. To get the TenantId go to the Azure AD where your identity resides and it should be listed on the overview page.

Skrymsli
  • 5,173
  • 7
  • 34
  • 36