
I've been reading a lot lately about managing secrets with Azure Key Vault. I managed to create and install a .pfx certificate on a server with Ubuntu 20.04 and uploaded the certificate to my Azure AD following these steps.

The certificate is found correctly before connecting to my Key Vault and the secrets are retrieved when I am in development both from Windows and Linux (WSL). However, when I deploy the app to my production server, the service I created to manage kestrel throws a 'core-dump' error, similar to this issue.

But in my case, when I check the journal, I find the following:

Unhandled exception. System.InvalidOperationException: Sequence contains no elements

Surprisingly, this doesn't happen if I just manually run the application by using "dotnet app.dll".

How is this even possible? It opens the store, finds the certificate and accesses the secrets if I run it manually, but doesn't find anything when it is run by the service.

This is the relevant code I am using to configure the access to Key Vault in my Program.cs:

// Azure Key Vault configuration (needs the Azure.Identity and
// Azure.Extensions.AspNetCore.Configuration.Secrets packages).
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Azure.Identity;
using Azure.Extensions.AspNetCore.Configuration.Secrets;

// CurrentUser is the per-account store of whichever account runs the process (defaults to StoreName.My).
using var store = new X509Store(StoreLocation.CurrentUser);
store.Open(OpenFlags.ReadOnly);
var certs = store.Certificates.Find(X509FindType.FindByThumbprint, configuration["KeyVault:AzureADCertThumbprint"], false);

configuration.AddAzureKeyVault(
    new Uri($"https://{configuration["KeyVault:KeyVaultName"]}.vault.azure.net/"),
    // Single() throws "Sequence contains no elements" when the store holds no matching certificate.
    new ClientCertificateCredential(configuration["KeyVault:AzureADDirectoryId"], configuration["KeyVault:AzureADApplicationId"], certs.OfType<X509Certificate2>().Single()),
    new KeyVaultSecretManager());

store.Close();

Can anyone help me to find the issue? Thanks in advance.

Felipe
  • You're using the CurrentUser cert store for keyvault connection creds. Is the user when running as a service the same as the user when you run it manually? I'm guessing not, and that the service user doesn't have the keyvault-connecting cert. (and thus `certs.OfType().Single()` fails) – bartonjs Dec 29 '21 at 07:24
  • That solved it! I changed the user www-data in my service to my actual user and now everything works. Thank you! – Felipe Dec 30 '21 at 16:52
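
A defensive version of the certificate lookup, added here as an example and not code from the question or either answer: it checks the store result explicitly and reports which account and store location were searched, so a service running under a different account fails with a clear message instead of the bare "Sequence contains no elements" from Single(). The class and method names are my own; the configuration keys are the ones from the question.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;

static class KeyVaultCertLoader
{
    // Finds the Azure AD client certificate by thumbprint in the given store and
    // fails with a diagnostic naming the account and store that were searched.
    public static X509Certificate2 LoadClientCertificate(
        string thumbprint, StoreLocation location = StoreLocation.CurrentUser)
    {
        if (string.IsNullOrWhiteSpace(thumbprint))
            throw new InvalidOperationException(
                "KeyVault:AzureADCertThumbprint is not configured.");

        using var store = new X509Store(StoreName.My, location);
        store.Open(OpenFlags.ReadOnly);

        // validOnly: false so an expired or untrusted certificate is still reported
        // rather than silently dropped from the result.
        var matches = store.Certificates.Find(
            X509FindType.FindByThumbprint, thumbprint, validOnly: false);

        if (matches.Count == 0)
            throw new InvalidOperationException(
                $"No certificate with thumbprint {thumbprint} in {location}\\My for account " +
                $"'{Environment.UserName}'. The CurrentUser store is per account, so a service " +
                "running as another user (e.g. www-data) searches its own, usually empty, store.");

        if (matches.Count > 1)
            throw new InvalidOperationException(
                $"{matches.Count} certificates match thumbprint {thumbprint}; expected exactly one.");

        var cert = matches[0];
        if (!cert.HasPrivateKey)
            throw new InvalidOperationException(
                $"Certificate {thumbprint} was found but has no private key; " +
                "the .pfx must be imported together with its key.");

        return cert;
    }
}

// Program.cs usage, in place of certs.OfType<X509Certificate2>().Single():
//   var cert = KeyVaultCertLoader.LoadClientCertificate(configuration["KeyVault:AzureADCertThumbprint"]);
//   configuration.AddAzureKeyVault(vaultUri,
//       new ClientCertificateCredential(tenantId, clientId, cert), new KeyVaultSecretManager());
```

Because the exception names Environment.UserName, the journal entry for the failing service shows directly whether the lookup ran as the expected account.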

1 Answer

  • I checked some Microsoft docs and I didn't find anything wrong with the code to access the key vault. I guess you may have forgotten something in the application settings on the portal, as your code has no problem.

  • After creating your certificate, configure Azure AD and associate the certificate; after that we can access Azure Key Vault from the .NET client using the X509 certificate.

  • After importing the certificate and casting Certificate Data to Base64, we should create Azure Resource Manager AD Application and Service Principal. Successfully configuring Azure Resource Manager Application and Service Principal for an Azure Key Vault could solve the problem you are facing.


See Accessing Azure Key Vaults Using Certification and Setup Key Vault using Azure AD Application and Certificates for more information.

SauravDas-MT
  • Thanks for your answer. I believe the configuration in the Azure Portal was done right, otherwise I couldn't access the vault in development or even from my production server if I run the app manually. It is just when the app is run by the service that it can't access the vault. I haven't been able to solve the problem yet. – Felipe Dec 27 '21 at 20:21