2
votes

I'm trying to implement Azure KeyVault in my Azure Functions app following this article: https://medium.com/statuscode/getting-key-vault-secrets-in-azure-functions-37620fd20a0b

In the article, the function app is set to use Managed Service Identity (MSI) so that we don't have to use a secret to get a token in order to connect to Azure KeyVault. Because that would kind of defeat the purpose of using Azure KeyVault.

As I understand it, an Azure app can be registered to use MSI so that other Azure resources recognize it directly, thus simplifying the connection process by eliminating the need to get a token, etc.

However, as I debug my Azure functions app, I'm unable to connect to Azure KeyVault to retrieve the necessary secrets.

I feel maybe that's happening because the functions app is running locally during debug and not on Azure.

Would this be the reason why I'm unable to connect to KeyVault?

3
This is what I just ran into and had the exact same suspicion. Thanks for posting this. (Joey Eng)

3 Answers

2
votes

Yes, unfortunately MSI will only get a token when running inside of the Azure Functions service. I did update my sample about a week ago with a new #if region I use to pull secrets from local variables if in DEBUG mode.

https://github.com/jeffhollan/functions-csharp-keyvault-eventhub/blob/master/ScaleTestV1_NoHost/Http.cs

1
votes

There is a better solution available now for this problem of using Managed Service Identity during local development in debug mode (at least for .NET applications and functions).

You can use Microsoft.Azure.Services.AppAuthentication package.

Relevant code sample (from the references below):

using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.KeyVault;
// ...
// AzureServiceTokenProvider picks the credential source for you: developer credentials
// (Visual Studio, Azure CLI, ...) when running locally, MSI when running in Azure.
var azureServiceTokenProvider = new AzureServiceTokenProvider();
// Option 1: get a bearer token for the Key Vault resource and use it yourself
string accessToken = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net");
// OR
// Option 2: let KeyVaultClient ask the provider for a token whenever it needs one
var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

How to use managed identities for App Service and Azure Functions

Microsoft.Azure.Services.AppAuthentication Reference

The Microsoft.Azure.Services.AppAuthentication for .NET library simplifies this problem. It uses the developer's credentials to authenticate during local development. When the solution is later deployed to Azure, the library automatically switches to application credentials.

For further details about how AzureServiceTokenProvider fetches tokens using Visual Studio, Azure CLI or Azure AD Integrated Authentication, read here.
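Putting this answer together as an added example (my own code, not from the answer or the linked references): an Azure Functions v2 HTTP trigger that reads a secret through AzureServiceTokenProvider, so the same code uses the developer's Visual Studio or Azure CLI sign-in locally and the function's managed identity once deployed. The app setting names KeyVaultUrl and SecretName are assumptions for this example.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

public static class GetSecretFunction
{
    // One provider and one client for the whole function app: the provider caches tokens,
    // so each invocation does not round-trip to Azure AD. With no connection string the
    // provider tries MSI first, then Visual Studio, Azure CLI, and so on. To pin the local
    // source, set AzureServicesAuthConnectionString (e.g. "RunAs=Developer; DeveloperTool=AzureCli")
    // in local.settings.json and leave it unset in Azure so MSI is used there.
    private static readonly AzureServiceTokenProvider TokenProvider = new AzureServiceTokenProvider();
    private static readonly KeyVaultClient KeyVault = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(TokenProvider.KeyVaultTokenCallback));

    [FunctionName("GetSecret")]
    public static async Task<IActionResult> Run(
        [HttpTrigger(AuthorizationLevel.Function, "get")] HttpRequest req,
        ILogger log)
    {
        // Assumed app settings (names chosen for this example); the vault URL looks like
        // https://<vault-name>.vault.azure.net/ and no secret is stored in configuration.
        string vaultUrl = Environment.GetEnvironmentVariable("KeyVaultUrl");
        string secretName = Environment.GetEnvironmentVariable("SecretName");
        if (string.IsNullOrEmpty(vaultUrl) || string.IsNullOrEmpty(secretName))
        {
            return new BadRequestObjectResult("KeyVaultUrl and SecretName app settings are required.");
        }

        try
        {
            var bundle = await KeyVault.GetSecretAsync(vaultUrl, secretName);
            // Use bundle.Value inside the function; never echo it back to the caller or the log.
            log.LogInformation("Retrieved secret {SecretName}, version {Version}.",
                secretName, bundle.SecretIdentifier.Version);
            return new OkObjectResult($"Secret '{secretName}' retrieved.");
        }
        catch (AzureServiceTokenProviderException ex)
        {
            // Locally: no signed-in developer credential found. In Azure: MSI not enabled on the app.
            log.LogError(ex, "Could not acquire a Key Vault token.");
            return new StatusCodeResult(StatusCodes.Status500InternalServerError);
        }
    }
}
```

If the token is acquired but GetSecretAsync fails with 403, the identity that obtained the token (your developer account locally, the function's MSI in Azure) is missing a Get secrets access policy on the vault.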

0
votes

As an addendum to Rohit Saigal's answer, please notice the following:

Local development within Visual Studio using the Azure Key Vault service depends on the "Azure Services Authentication Extension" https://marketplace.visualstudio.com/items?itemName=chrismann.MicrosoftVisualStudioAsalExtension#overview, which has been integrated into Visual Studio since version 15.6 onward and does not need to be installed separately.

Check Visual Studio/Tools/Options/Azure Services Authentication to see which account you use to authenticate with Azure services, and set it appropriately.