
I am asking for your help because I have some trouble with the connection of my app to Azure Key Vault (title of the subject).

The architecture of my project looks like this (I can't upload images yet):

Web.Client

  • Properties
  • wwwroot
  • Shared
  • ...
  • Program.cs

Web.Server

  • Properties
  • Controllers
  • Pages
  • appsettings.json
  • Startup.cs
  • Program.cs

So far, I have managed to connect to my AAD using appsettings.json files to configure the ids etc., and I've added MSAL authentication in the Program.cs file in the Web.Client part of the project.

To connect to my key vault, I've done this in my Startup.cs (I'm following this tutorial https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app):

    using Azure.Core;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;

    SecretClientOptions options = new SecretClientOptions()
    {
        Retry =
        {
            Delay = TimeSpan.FromSeconds(2),
            MaxDelay = TimeSpan.FromSeconds(16),
            MaxRetries = 5,
            Mode = RetryMode.Exponential
        }
    };

    // Pass the retry options to the client. DefaultAzureCredential walks its chain
    // (environment variables, managed identity, Visual Studio, Azure CLI, ...) and
    // uses the first credential that returns a token.
    var client = new SecretClient(new Uri("https://<kv-name>.vault.azure.net/"), new DefaultAzureCredential(), options);

    KeyVaultSecret secret = client.GetSecret("test-secret");

    string secretValue = secret.Value;

But I'm getting the following error:

Azure.RequestFailedException : 'AKV10032: Invalid issuer. Expected one of https://sts.windows.net/<...>/, https://sts.windows.net/<...>/, https://sts.windows.net/<...>/, found https://sts.windows.net/<...>/.
Status: 401 (Unauthorized)
ErrorCode: Unauthorized
Foufi
  • If you used Visual Studio, have you signed in with the user that has access permission configured in the Azure Key Vault access policy? Using the default credential needs to follow [this rule](https://learn.microsoft.com/en-us/java/api/overview/azure/identity-readme?view=azure-java-stable#defaultazurecredential). – Tiny Wang May 04 '21 at 08:22
  • Yes, I have signed in with the same user that has the access permissions :) I have full permissions on the entire AD and I specified the access policies with full access to my key vault – Foufi May 04 '21 at 08:33
  • The sample you provided in the question demonstrates adding the Azure web app service principal to Azure Key Vault, and after deploying the local project to Azure it can access vault secrets. Have you tried to publish it to Azure following the tutorial, or have you just tested it on your localhost? – Tiny Wang May 04 '21 at 08:47
  • With the error information, it says Invalid issuer, which refers to an invalid tenant; it may come from the key vault being created in a tenant which is not the default tenant. – Tiny Wang May 04 '21 at 09:02
  • I haven't published to Azure yet, I am testing on my localhost so far. And I've checked that the key vault is in my default tenant – Foufi May 04 '21 at 09:10
  • I believe this error will disappear after you publish the project to an Azure web app and give that app full permission in the access policy. I think you may check in Visual Studio -> File -> Account Settings -> whether the tenant in VS matches the tenant where you created the key vault instance. – Tiny Wang May 04 '21 at 09:36
  • I'm gonna try that, I'll let you know how it goes! For the tenant, I'm sure it's the right one: the AAD connection works perfectly, I set the tenantId and ClientId in the appsettings.json file – Foufi May 04 '21 at 09:38
  • Thanks for your patience, and there are really many similar cases with `AKV10032 Invalid issuer azure key vault`, good luck sir. – Tiny Wang May 04 '21 at 09:48
  • By the way, with only this line of code, I can get the secret's value. https://i.stack.imgur.com/JS6Oz.png – Tiny Wang May 04 '21 at 09:56
  • But is your VS account signed into the same tenant? This is a multi-tenancy issue. You can actually override the tenant, but then lose the portability of your code for DefaultAzureCredential, which we created precisely to be portable. – Heath May 05 '21 at 17:37
  • My VS account is the same account connected to the tenant, I don't know if that answers the question? ^^' I have 2 tenants with my account, but I'm using the default one. How can I know which tenant I am connected with in VS? I'm using DefaultAzureCredential and I have defined the environment variables AZURE_CLIENT_ID etc. in my launchSettings.json file – Foufi May 06 '21 at 07:33
  • @Foufi Visual Studio -> File -> Account Settings and you can see the tenant used in the IDE. Have you tried to deploy your code to Azure App Service? I think after deploying, your issue will disappear. – Tiny Wang May 12 '21 at 05:40
  • I did not deploy my code, since I'm working locally only for the moment. And I have solved the error (I don't remember how). Now I have other problems x) (create a controller to get secrets) – Foufi May 12 '21 at 08:44
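AKV10032 means the token presented to Key Vault was issued by a tenant that does not own the vault, which is exactly the multi-tenant situation Heath describes in the comments. The following is an added example (not code from the question, the answer, or the Microsoft tutorial) showing how to pin the local-development credentials in the DefaultAzureCredential chain to the vault's tenant, pass the retry options the question builds but never uses, and turn the two most common failures (401 with AKV10032, and 403 from a missing access policy) into actionable errors. The class and method names (`KeyVaultSecretReader`, `CreateClient`, `ReadSecretAsync`) are chosen here, and `vaultUri` and `tenantId` are assumed to come from configuration such as appsettings.json or environment variables rather than being hardcoded.

```csharp
// Added example: pin DefaultAzureCredential to the Key Vault's tenant for local
// development and diagnose tenant/permission failures when reading a secret.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultSecretReader
{
    // vaultUri and tenantId are assumed to be loaded from configuration by the caller,
    // e.g. "https://<kv-name>.vault.azure.net/" and the tenant that owns that vault.
    public static SecretClient CreateClient(string vaultUri, string tenantId)
    {
        var credentialOptions = new DefaultAzureCredentialOptions
        {
            // Each developer-tooling credential in the chain can be told which tenant to
            // request tokens for; without this, a signed-in account that belongs to two
            // tenants may hand Key Vault a token from the wrong one (AKV10032).
            VisualStudioTenantId = tenantId,
            SharedTokenCacheTenantId = tenantId,
            InteractiveBrowserTenantId = tenantId,
            // Credentials that are not used in this project can be excluded so the chain
            // fails fast instead of trying them.
            ExcludeVisualStudioCodeCredential = true,
        };

        // Same retry policy as in the question, but actually handed to the client.
        var clientOptions = new SecretClientOptions
        {
            Retry =
            {
                Delay = TimeSpan.FromSeconds(2),
                MaxDelay = TimeSpan.FromSeconds(16),
                MaxRetries = 5,
                Mode = RetryMode.Exponential
            }
        };

        return new SecretClient(new Uri(vaultUri), new DefaultAzureCredential(credentialOptions), clientOptions);
    }

    public static async Task<string> ReadSecretAsync(SecretClient client, string secretName)
    {
        try
        {
            // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
            KeyVaultSecret secret = await client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 401 && ex.Message.Contains("AKV10032"))
        {
            // Authentication succeeded against AAD, but the token's issuer is a tenant
            // that does not own this vault: the credential chain picked the wrong tenant.
            throw new InvalidOperationException(
                "Key Vault rejected the token because it was issued by a different tenant than the vault's. " +
                "Make sure the tenant configured for DefaultAzureCredential is the tenant that contains the vault.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Right tenant, but the identity has no access policy / RBAC role on the vault.
            throw new InvalidOperationException(
                "Authenticated, but this identity is not granted secret permissions on the vault " +
                "(check the access policy or Key Vault RBAC role assignment).", ex);
        }
    }
}
```

Usage from Startup.cs or a controller would be `var client = KeyVaultSecretReader.CreateClient(vaultUri, tenantId);` followed by `var value = await KeyVaultSecretReader.ReadSecretAsync(client, "test-secret");`. Pinning the tenant is appropriate for the local-debugging path only: once the app is published, the managed identity of the App Service is used and those tenant settings are simply ignored, so the code stays portable in the way Heath's comment cares about.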

1 Answer

You can refer to my code, maybe it would help you somewhere

// Microsoft.Azure.KeyVault and ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) are the
// older Key Vault / auth libraries; the question's code uses the newer
// Azure.Security.KeyVault.Secrets and Azure.Identity packages.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class KeyVaultHelper
{
    // Placeholders: replace with your own values. Prefer loading the client secret from
    // configuration or an environment variable rather than keeping it in source code.
    private static string CLIENT_ID = "AppClientID";
    private static string BASE_URI = "KeyVaultBaseURL";
    private static string CLIENT_SECRET = "ClientSecret";

    public static async Task<byte[]> FetchKey()
    {
        // The SDK invokes the callback whenever it needs a bearer token for Key Vault.
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessTokenAsync), new HttpClient());
        return await GetSecretAsync(client, "Test-secrect");
    }

    public static async Task<byte[]> GetSecretAsync(KeyVaultClient client, string key)
    {
        var secret = await client.GetSecretAsync(BASE_URI, key);
        // Assumes the secret value was stored base64-encoded (e.g. raw key material).
        return Convert.FromBase64String(secret.Value);
    }

    // Client-credentials flow: the app authenticates as itself with its client id and secret.
    private static async Task<string> GetAccessTokenAsync(string authority, string resource, string scope)
    {
        var appCredentials = new ClientCredential(CLIENT_ID, CLIENT_SECRET);
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);

        var result = await context.AcquireTokenAsync(resource, appCredentials);

        return result.AccessToken;
    }
}

Note - Change your ClientID, Base_URI and Client_Secret

  • Update - Please note that the call to Key Vault does not work on WASM due to a CORS issue.
Kumar