AzureAppConfiguration does not work with Azure.Identity.TokenCredentials

Question

I try to add AzureAppConfiguration to my dotnet core web application using the following Code:

var azureCredential = new DefaultAzureCredential();
config.AddAzureAppConfiguration(options =>
  options.Connect(new Uri("https://MYCONFIGURATION.azconfig.io"), azureCredential).ConfigureKeyVault(kv =>
    {
      kv.SetCredential(azureCredential);
    })
    ....

this fails with the Following Error:

Azure.RequestFailedException: Service request failed. Status: 403 (Forbidden)

If I do use the Connection String to connect to the AzureAppConfiguration itself it does work:

var azureCredential = new DefaultAzureCredential();
config.AddAzureAppConfiguration(options =>
  options.Connect("Endpoint=https://ac-mobileapps-dev.azconfig.io;Id=MYID;Secret=MYSECRET").ConfigureKeyVault(kv =>
    {
      kv.SetCredential(azureCredential);
    })
    ....

I run this on my local machine, so the default credentials return my AzureCLI Creds. With those same creds I can run

 az appconfig kv list -n MYCONFIGURATION

and retrieve all values.

score 1 · Accepted Answer · answered May 01 '21 at 21:37

1

Please make sure you grant your identity App Configuration Data Reader or App Configuration Data Owner role in the Access Control of your App Configuration instance and wait for ~15 minutes for the permission to propagate.

More details can be found at https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-enable-rbac

BTW, the CLI command you used doesn't use AAD auth. Use the --auth-mode parameter to specify how you want to authenticate.

az appconfig kv list -n MYCONFIGURATION --auth-mode login

answered May 01 '21 at 21:37

Zhenlan Wang

1,213
8
10

Thanks for your suggestion. If I use `az login` and than `az appconfig kv list ...` it does use my AAD Creds (spezified on the az login command). As mentioned: I run this on my local machine, I try to get this working locally first (AzureCLICredentials) no Managed Idenitty Involved. – quadroid May 03 '21 at 04:45
It uses your AAD Creds to get the connection string of your App Configuration store and then uses the connection string to retrieve your data. If you want to use AAD Creds to authenticate with the service and retrieve data directly, you need to pass in `--auth-mode login` – Zhenlan Wang May 03 '21 at 19:20
1

Ahh, that is strange. You are right. If I have `App Configuration Data Reader` everything works. – quadroid May 04 '21 at 15:56

AzureAppConfiguration does not work with Azure.Identity.TokenCredentials

1 Answers1