Connection to Azure Vault using MSI

6
votes

I am trying to connect to my azure vault from a console application with using MSI

For this vault i have added my user as the Selected Principle
the code i am using to connect is 

var azureServiceTokenProvider = new AzureServiceTokenProvider();

var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

var secret = await keyVaultClient.GetSecretAsync("https://<vaultname>.vault.azure.net/secrets/<SecretName>").ConfigureAwait(false);

I get the following exception

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority

enter image description here

3
c.netazureazure-securityshared-secret
Console app... running in Azure on a VM with the automagically generated service principal added to Key Vault's Access Policies? What do you mean by i have added my user as the Selected Principle, that's not how it works, the VM has its own SPN, use it.evilSnobu
I mean i added my AD user as a principle when setting up access policies in the azure vaultMicroMan
I am running the console app locallyMicroMan
What do you mean locally? The whole point of MSI is that it's implemented in the Azure resource. There's no mechanism in place for your local dev machine to acquire an access token.evilSnobu
Do i need to register my console app in azure? and use the applicationId and appSecret in the instance of the KeyVaultClient?MicroMan

3 Answers

8
votes
  1. Enable Managed Service Identity in the Configuration blade under your virtual machine.

Enable MSI in the virtual machine configuration blade

  1. Search for NameOfYourVM service principal and add it to your Key Vault under Access Policies. Add key/secret/certificate permissions.

Add Service Principal to Key Vault

  1. On your Azure VM, run the console app.
class Program
{
    // Target C# 7.1+ in your .csproj for async Main
    static async Task Main()
    {
        var azureServiceTokenProvider = new AzureServiceTokenProvider();

        var keyVaultClient = new KeyVaultClient(
              new KeyVaultClient.AuthenticationCallback(
                    azureServiceTokenProvider.KeyVaultTokenCallback));

        var secret = await keyVaultClient.GetSecretAsync(
              "https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME");

        Console.WriteLine(secret.Value);
        Console.ReadLine();
    }
}

Console output

To run locally, create your very own Azure AD application registration (Web App/Web API type to make it a confidential client), add it to Key Vault and use its client_id and client_secret when acquiring the access token —
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application#gettoken

As Varun mentioned in the comments, there's now a better way to get an access token when running locally without exposing a service principal —

https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#local-development-authentication

3
votes

To run locally.

  1. install Azure Cli
  2. Open Windows Powershell
  3. write az login command (it will give an url and code )
  4. Open Url and enter the code which is given with az login

then get the secret value like this

 var secret =  keyVaultClient.GetSecretAsync("https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME").GetAwaiter().GetResult() ;
     secret.Value; //will be your secret.
2
votes

a correct answer is already given above, here's an additional one :-)

Azure MSI applying with App Service & Vault

  1. Enable System Assigned Managed Identity for your App Service, check Identity section under settings.enter image description here

  2. Add Policy under Vault

  3. configure your code behind

    enter image description here