
I have created an Azure Key Vault which saves my application secrets.

And I want to retrieve the secrets from my Controller code. My controller code is based on ASP.NET Core.

From here, https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme

I see the example of how to create a SecretClient

```csharp
using System;
using Azure.Identity;                    // DefaultAzureCredential
using Azure.Security.KeyVault.Secrets;   // SecretClient

// Create a secret client using the DefaultAzureCredential
var client = new SecretClient(new Uri("https://myvault.vault.azure.net/"), new DefaultAzureCredential());
```

My question is: since I am running the code on the service side (in the Controller), how can I create a DefaultAzureCredential without any interactive authentication?

si Hwang
  • Is your controller code deployed to an Azure Web App with a managed identity? If so, note that this section indicates it will use the managed identity to connect, which is not an interactive authorization method. https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme#defaultazurecredential In fact, you may find you don't need to use Key Vault at all; you can manage all authentication via managed identity. – Nick.Mc Jul 07 '22 at 06:42
  • azure key vault configuration builder: https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-6.0 – Thomas Jul 07 '22 at 07:08
  • azure key vault reference in azure app settings: https://learn.microsoft.com/en-us/azure/app-service/app-service-key-vault-references?tabs=azure-cli – Thomas Jul 07 '22 at 07:08
  • Hi @si Hwang, did the suggested solution work for you? Do let me know if it solved your problem else share more details so I can troubleshoot or else do accept it for helping other community members. – Venkatesan Jul 15 '22 at 13:02

1 Answer


According to the document you referred to, under DefaultAzureCredential: on the service side you can run the application with a user-assigned managed identity, and DefaultAzureCredential will authenticate with that account without any interactive mode.

  • DefaultAzureCredential reads the account information from environment variables and uses it to authenticate.


```csharp
using System;
using Azure.Identity;            // DefaultAzureCredential, DefaultAzureCredentialOptions
using Azure.Storage.Blobs;       // BlobClient (the same credential works for SecretClient)

// When deployed to an Azure host, DefaultAzureCredential will authenticate
// as the specified user-assigned managed identity.
string userAssignedClientId = "<your managed identity client Id>";

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ManagedIdentityClientId = userAssignedClientId
});

var blobClient = new BlobClient(new Uri("https://myaccount.blob.core.windows.net/mycontainer/myblob"), credential);
```

The AZURE_CLIENT_ID environment variable can be used to set the ManagedIdentityClientId in addition to setting it via code. When utilising DefaultAzureCredential, these two approaches are equivalent. Without having to expose credentials in your code, you can use this identity to sign in to any service that accepts Azure AD authentication, including Key Vault.

You can also refer to this MS document for more detail on using a managed identity to connect to Key Vault from an Azure web app in .NET.

Venkatesan
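The following is an added example, not code from the question, the answer, or Microsoft's documentation. It wires the answer's DefaultAzureCredential (user-assigned managed identity, client id also settable through AZURE_CLIENT_ID) into an ASP.NET Core app and reads a secret from a controller, which is what the question asks for. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages, the web SDK's implicit usings, and that the app runs on an Azure host whose managed identity has been granted secret-read permission on the vault (the "Key Vault Secrets User" RBAC role or an equivalent access policy). The configuration keys, the secret name "DbConnectionString", the route and the controller name are illustrative. Beyond the answer's snippet, it also switches off the developer-machine and interactive credential sources, so on the server the chain cannot fall back to anything that would prompt, and it handles the two failure modes a practitioner actually hits (no usable credential, and a token that the vault rejects).

```csharp
// Program.cs (top-level statements) followed by a controller in the same file.
// Added example; assumes packages Azure.Identity and Azure.Security.KeyVault.Secrets
// and the Microsoft.NET.Sdk.Web implicit usings (ILogger, StatusCodes, WebApplication).
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Mvc;

var builder = WebApplication.CreateBuilder(args);

// Vault URL comes from configuration (appsettings.json or App Service settings), never hard-coded.
// "KeyVault:Uri" is an assumed key name.
var vaultUri = new Uri(builder.Configuration["KeyVault:Uri"]
    ?? throw new InvalidOperationException("KeyVault:Uri is not configured"));

// Client id of the user-assigned managed identity ("KeyVault:ManagedIdentityClientId" is an assumed key).
// Leaving it null and setting the AZURE_CLIENT_ID environment variable has the same effect.
var managedIdentityClientId = builder.Configuration["KeyVault:ManagedIdentityClientId"];

TokenCredential credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
{
    ManagedIdentityClientId = managedIdentityClientId,
    // Server side: disable every source that could open a browser or depends on a developer's
    // machine. What remains is EnvironmentCredential (for local runs with a service principal)
    // and ManagedIdentityCredential (on the Azure host). Fewer fallbacks, fewer surprises.
    ExcludeInteractiveBrowserCredential = true,
    ExcludeSharedTokenCacheCredential = true,
    ExcludeVisualStudioCredential = true,
    ExcludeVisualStudioCodeCredential = true,
    ExcludeAzureCliCredential = true,
    ExcludeAzurePowerShellCredential = true,
});

// One SecretClient per process: it is thread-safe and caches access tokens internally,
// so controllers should take it from DI rather than construct their own.
builder.Services.AddSingleton(new SecretClient(vaultUri, credential));
builder.Services.AddControllers();

var app = builder.Build();
app.MapControllers();
app.Run();

[ApiController]
[Route("api/[controller]")]
public class ConnectionController : ControllerBase
{
    private readonly SecretClient _secrets;
    private readonly ILogger<ConnectionController> _logger;

    public ConnectionController(SecretClient secrets, ILogger<ConnectionController> logger)
    {
        _secrets = secrets;
        _logger = logger;
    }

    // Reads the secret on the server; the secret value itself is used here and is
    // never written to the response or to the logs.
    [HttpGet("status")]
    public async Task<IActionResult> Status(CancellationToken ct)
    {
        try
        {
            KeyVaultSecret secret = await _secrets.GetSecretAsync("DbConnectionString", cancellationToken: ct);
            bool configured = !string.IsNullOrEmpty(secret.Value);
            return Ok(new { secretName = secret.Name, version = secret.Properties.Version, configured });
        }
        catch (CredentialUnavailableException ex)
        {
            // Nothing in the chain could produce a token: the app is not running with a managed
            // identity, or the client id (code or AZURE_CLIENT_ID) does not match the assigned one.
            _logger.LogError(ex, "No non-interactive credential is available for Key Vault");
            return StatusCode(StatusCodes.Status503ServiceUnavailable);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was issued, but the identity is not authorised on the vault
            // (missing RBAC role assignment or access policy).
            _logger.LogError(ex, "Managed identity is not authorised to read secrets from {Vault}", _secrets.VaultUri);
            return StatusCode(StatusCodes.Status503ServiceUnavailable);
        }
    }
}
```

For local development, set AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET for a service principal so EnvironmentCredential is picked up, rather than re-enabling the interactive sources in the server build. If the controller only needs the secrets as configuration values, the Key Vault configuration provider linked in the comments (builder.Configuration.AddAzureKeyVault(vaultUri, credential) from Azure.Extensions.AspNetCore.Configuration.Secrets) accepts the same credential object and removes the SecretClient from the controller altogether.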