0

I have a Visual Studio 2022 solution that includes multiple project types, one of which is a .NET Core website and the other is an Azure Function app.

I'm using Azure Key Vault to store secrets, and I'm using the DefaultAzureCredential to retrieve secrets in the website project without any issues.

var keyVaultUrl = Environment.GetEnvironmentVariable("AzureKeyVaultUrl");
            var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());

            var storageAccountName = client.GetSecretAsync("StorageAccountName").GetAwaiter().GetResult().Value;

However, when I run the Azure Function app locally and try to retrieve secrets from Azure Key Vault in the same way, I get the following error message:

Azure.Identity.AuthenticationFailedException: SharedTokenCacheCredential authentication failed: AADSTS9002332: Application 'cfa8b339-82a2-471a-ju0L-0fc0be7a4093' (Azure Key Vault) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.

I suspect that the error is related to the identity of the process running the Azure Function app in Visual Studio.

I've checked that I'm running Visual Studio as an admin, but the error still persists.

I have also checked Tools > Options > Azure Service Authentication is set correctly and signed in.

How can I check the identity of the process running the Azure Function app in Visual Studio?

Any suggestions on how to fix this issue would be greatly appreciated.

Ayo Adesina
  • 2,231
  • 3
  • 37
  • 71

1 Answers1

0

I tried the code below in my environment for getting my secrets from keyvault :_

Code:-

using System;
using System.Net;
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;

namespace keyvaultfunction
{
    public static class Function1
    {
        [FunctionName("Function1")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)]
            HttpRequest req, ILogger log)
        {
            string secretName = "<serete_name>";
            string keyVaultName = "<keyvault_name>";

            try
            {
                var azureServiceTokenProvider = new AzureServiceTokenProvider();
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(
                        azureServiceTokenProvider.KeyVaultTokenCallback));

                // Get the secret value from Key Vault
                var secret = await keyVaultClient.GetSecretAsync(
                    $"https://{keyVaultName}.vault.azure.net/secrets/{secretName}")
                    .ConfigureAwait(false);

                return new OkObjectResult(secret.Value);
            }
            catch (Exception ex)
            {
                log.LogError(ex.Message);
                return new StatusCodeResult((int)HttpStatusCode.InternalServerError);
            }
        }
    }
}

Output:-

Received the HTTP URL of my function:

enter image description here

With the above URL , I got my secret value in the browser like below:-

enter image description here

Which is the same secret value in azure portal:-

enter image description here

In order to resolve your error check the solution in the Github issue link below and try the above code:-

Error: (Azure Key Vault) is configured for use by Azure Active Directory users only. “Please do not use the /consumers endpoint to serve this request” · Issue #71592 · MicrosoftDocs/azure-docs · GitHub By VicSmith

Dasari Kamali
  • 811
  • 2
  • 2
  • 6