
I am trying, from my local web API, to retrieve a secret from Key Vault using the Azure.Identity lib, but it throws Invalid Issuer. Below is the code I am using.

My current code

var client = new SecretClient(new Uri("key-vault-url"), new DefaultAzureCredential());    // line #1
var secret = client.GetSecret("DicomSecret").Value;                                       // line #2

As soon as it executes line #2 it throws the error below.

What I have tried

  1. I have added my Azure credential in the Key Vault through Add Access Policy
  2. Tried using ManagedIdentityCredential instead of DefaultAzureCredential in line#1
  3. Also tried using VisualStudioCredential instead of DefaultAzureCredential in line#1

I also read that I could be using EnvironmentCredential, for which I need to provide AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, but I am not exactly sure how to and what to include for this - I do not have access to AAD.

Please let me know how to resolve this issue.

jAntoni
  • Did you get any progress? Please feel free to share your questions here and, if you feel my post is helpful to you, could you please accept it as the answer? – Tiny Wang Aug 10 '21 at 09:28
  • Yes @TinyWang Thanks for your reply. I have resolved it. From my dev environment (localhost) I have to use `DefaultAzureCredentialOptions VisualStudioTenantId` along with SecretClient. I will add my answer below. – jAntoni Aug 13 '21 at 16:13

2 Answers


Since I was trying to connect to Azure from my local development environment (VS 2019), it was expecting additional credentials.

So from my dev environment (localhost) I had to use DefaultAzureCredentialOptions with VisualStudioTenantId along with SecretClient.

using System;
using Azure.Identity;                      // DefaultAzureCredential, DefaultAzureCredentialOptions
using Azure.Security.KeyVault.Secrets;     // SecretClient

// Tenant the vault belongs to; pin both the Visual Studio and shared-token-cache
// credentials to it so the token is issued by the tenant the vault expects.
var tenantId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx";
DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions()
{
    VisualStudioTenantId = tenantId,
    SharedTokenCacheTenantId = tenantId
};
var client = new SecretClient(
             new Uri("key-vault-url"),          // string literal; the quotes were missing
             new DefaultAzureCredential(options)
             );


The above helped me to execute from my local machine, but after deploying it to Azure App Service the line of code below was sufficient. So I used the above code only for my local testing.

var client = new SecretClient(new Uri("key-vault-url"), new DefaultAzureCredential());

jAntoni

This is my code, and it seems that there is no difference from yours.

using System;
using System.Threading.Tasks;
using Azure.Identity;                      // DefaultAzureCredential
using Azure.Security.KeyVault.Secrets;     // SecretClient, KeyVaultSecret
using Microsoft.AspNetCore.Mvc;

namespace test0430callingapi.Controllers
{
    public class HelloController : Controller
    {
        public async Task<string> IndexAsync()
        {
            const string secretName = "clientsecret";
            var kvUri = "https://keyvaultname.vault.azure.net/";
            // Credential chain: environment, managed identity, Visual Studio, Azure CLI, ...
            var credential = new DefaultAzureCredential();
            var client = new SecretClient(new Uri(kvUri), credential);
            // GetSecretAsync returns Response<KeyVaultSecret>: .Value is the secret object,
            // .Value.Value is the secret's content
            var secret = await client.GetSecretAsync(secretName);
            string secretValue = secret.Value.Value;
            return secretValue;
        }
    }
}

Then I think you may try to check the DefaultAzureCredential. When running the code in Visual Studio, you need to make sure that you have signed in with a user that has access permission to the Azure Key Vault via Add Access Policy in the portal. Or, if you have already added the user, you could check whether enough permissions have been added for that user.

And if that also fails, you may try another way to access Key Vault via the API. For more details you can refer to this answer.

Tiny Wang
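The following is an added example, not code from the question or from either answer. It puts the two points made above into one piece: the first answer's tenant-pinned DefaultAzureCredentialOptions for local runs (with the tenant id read from configuration rather than hard-coded, and the plain constructor kept for App Service), and the second answer's access-policy check, expressed as exception handling that separates "no usable token" from "token accepted but no Get permission on secrets". The configuration keys `KeyVault:Url` and `KeyVault:DevTenantId`, the class name and the use of `IHostEnvironment` are assumptions made for this example; the secret name `DicomSecret` is the one from the question.

```csharp
// Added example (not the code of the question or the answers above).
// Assumed configuration keys: "KeyVault:Url" and "KeyVault:DevTenantId"
// (supplied via user secrets or appsettings.Development.json locally).
using System;
using System.Threading.Tasks;
using Azure;                                   // RequestFailedException
using Azure.Identity;                          // DefaultAzureCredential(+Options), AuthenticationFailedException
using Azure.Security.KeyVault.Secrets;         // SecretClient, KeyVaultSecret
using Microsoft.Extensions.Configuration;      // IConfiguration
using Microsoft.Extensions.Hosting;            // IHostEnvironment

public sealed class KeyVaultSecretReader
{
    private readonly SecretClient _client;

    public KeyVaultSecretReader(IConfiguration config, IHostEnvironment env)
    {
        var vaultUri = new Uri(config["KeyVault:Url"]
            ?? throw new InvalidOperationException("KeyVault:Url is not configured"));

        DefaultAzureCredential credential;
        if (env.IsDevelopment())
        {
            // Local run: the signed-in Visual Studio / shared-cache account may be a
            // guest in several tenants. Pinning the tenant makes the token come from
            // the tenant the vault trusts; a token from another tenant is rejected,
            // which is what surfaces as "Invalid Issuer". The id comes from config,
            // not from a literal checked into source.
            var devTenantId = config["KeyVault:DevTenantId"]
                ?? throw new InvalidOperationException("KeyVault:DevTenantId is not configured");
            var options = new DefaultAzureCredentialOptions
            {
                VisualStudioTenantId = devTenantId,
                SharedTokenCacheTenantId = devTenantId,
                // Leave out credentials a developer machine should not fall back to,
                // so the chain is deterministic and a stray environment variable
                // cannot silently switch the identity used.
                ExcludeEnvironmentCredential = true,
                ExcludeManagedIdentityCredential = true,
                ExcludeInteractiveBrowserCredential = true,
            };
            credential = new DefaultAzureCredential(options);
        }
        else
        {
            // In App Service the chain resolves to the managed identity, so the
            // plain constructor (as in the first answer) is enough.
            credential = new DefaultAzureCredential();
        }

        _client = new SecretClient(vaultUri, credential);
    }

    /// <summary>
    /// Reads one secret and maps the two common failures to messages that say
    /// which of the fixes discussed on this page applies.
    /// </summary>
    public async Task<string> GetSecretValueAsync(string secretName = "DicomSecret")
    {
        try
        {
            // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
            KeyVaultSecret secret = await _client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (AuthenticationFailedException ex)
        {
            // No usable token at all (wrong tenant, not signed in, expired cache):
            // re-check the tenant id and the account signed in to Visual Studio.
            throw new InvalidOperationException(
                "Could not obtain a token for Key Vault; verify the tenant id and the signed-in account.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Token was accepted, but the identity lacks the Get permission on
            // secrets: grant it under Access policies (second answer).
            throw new InvalidOperationException(
                $"Access denied reading '{secretName}'; grant the identity the Get secret permission on the vault.", ex);
        }
    }
}
```

Register the class with dependency injection and call `GetSecretValueAsync()` from the controller; with this split, a 401-type failure points at the credential chain and tenant, while a 403 points at the vault's access policy, so the two answers above no longer have to be tried blindly.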