2
votes

I've implemented a solution using Azure Key Vault for encryption keys. I've followed the recommendations from the docs at https://docs.microsoft.com/en-us/azure/app-service/app-service-managed-service-identity for how to authenticate my App Service to the Azure Key Vault using Managed Service Identity. My app service is an asp.net core 2.1 application.

This is working when I publish the app service to my Azure subscription, so I'm confident that the implementation is correct. The problem is that running the code locally and attempting to connect to the Azure Key Vault using MSI doesn't seem to work for me as advertised.

I'm running Visual Studio 2017 Version 15.8.5. My corporate identity with Azure Active Directory is how I'm logged into VS (i.e. sbraswell@myemployer.com). However, the Azure subscription I'm using is part of my MSDN partner benefits and is associated with my Microsoft Account (MSA) (i.e. something@hotmail.com). I've granted my corporate AAD identity 'Owner' Role permissions to my subscription. I'm able to log in to the Azure portal as my corporate identity and access all aspects of my Azure subscription associated with my MSA account.

The following code is not throwing an exception when getting an access token to Azure Key Vault:

// Token acquisition: works both in Azure (MSI) and locally (developer account)
var tokenProvider = new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider();
var token = await tokenProvider.GetAccessTokenAsync(resource);
return token;

This code is throwing an exception when I attempt to resolve the specific encryption key from the vault:

var keyEncryptionKey = await cloudResolver.ResolveKeyAsync(keyId, CancellationToken.None);

The exception thrown is:

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Operation returned an invalid status code 'Unauthorized'
   at Microsoft.Azure.KeyVault.KeyVaultClient.GetKeyWithHttpMessagesAsync(String vaultBaseUrl, String keyName, String keyVersion, Dictionary`2 customHeaders, CancellationToken cancellationToken)
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetKeyAsync(IKeyVaultClient operations, String keyIdentifier, CancellationToken cancellationToken)

I'd like to be able to deploy the solution using MSI for authentication so we don't have to create an Active Directory Application that acts as the intermediary between the App Service and the Key Vault. We end up having to put the App ID and App Secret into our app service configuration and with MSI we avoid having to manage those two extra bits of sensitive data.

Thanks in advance for any suggestions you have.

UPDATE

I've confirmed that if I use a Key Vault that is part of a subscription associated with my corporate AAD account, the MSI authentication from VS works correctly without an exception. There must be something wrong with my configuration. Does anyone else have this issue with their Microsoft Partner Network Visual Studio Enterprise Subscription Azure benefits? Identity management with MS is a MesS :(

2
Did you configure the account in Tools -> Options -> Azure Service Authentication? - juunas

@juunas yes, I've configured each account there with different results. If I use my corporate account I get the 'Unauthorized' exception message; using my MSA account I get a 'Forbidden' exception. I'm guessing it's related to these two different accounts, but I can't seem to figure out what exactly the issue is. - Steve

You can also try to specify the tenant id to GetAccessTokenAsync. - juunas

2 Answers

3
votes

Local development within Visual Studio using the Azure Key Vault service depends on the "Azure Services Authentication Extension" https://marketplace.visualstudio.com/items?itemName=chrismann.MicrosoftVisualStudioAsalExtension#overview, which has been integrated into Visual Studio since version 15.6 and does not need to be installed separately.

Check Visual Studio/Tools/Options/Azure Services Authentication to see which account you use to authenticate to Azure services and set it appropriately.

Also, install the NuGet package Microsoft.Azure.Services.AppAuthentication in the application.

0
votes

You might be missing this step to grant access to your account. Please take a look at this article for a detailed walk-through:

Use Key Vault from App Service with Managed Service Identity


UPDATE

As discussed in the comments below, apart from secret-management permissions on the key vault, please make sure that you grant at least the "Get" permission under "Key Management Operations", as your error stack trace shows an issue while executing the GetKeyAsync method. Please note that you may need additional key-related permissions apart from "Get", in case your code does something more, like listing the keys or creating, updating or deleting them.

at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetKeyAsync(IKeyVaultClient operations, String keyIdentifier, CancellationToken cancellationToken)

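Bringing together the tenant hint from the comments on the question (pass a tenant id to GetAccessTokenAsync) and the access-policy point from the answer above, here is an added example that is not the asker's code nor a sample from the Key Vault libraries. It assumes the same packages the question uses (Microsoft.Azure.Services.AppAuthentication, Microsoft.Azure.KeyVault, and Microsoft.Azure.KeyVault.Extensions for KeyVaultKeyResolver); the tenant id, vault URL and key name are placeholders you must replace. The important distinction it encodes: a 401 Unauthorized means Key Vault did not accept the token at all (typically a token issued by the developer account's home tenant rather than the tenant that owns the vault, which is what happens with a guest account in an MSA-backed subscription), while a 403 Forbidden means the token was accepted but the vault's access policy does not grant the caller the key permission being used.

```csharp
using System;
using System.Net;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Core;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;

// Resolves a Key Vault key using a token issued by the tenant that owns the vault.
public static class KeyVaultKeyLoader
{
    // Placeholder values (assumptions): the directory (tenant) of the subscription
    // that contains the vault, NOT the home tenant of the signed-in developer
    // account, and the full key identifier to resolve.
    private const string VaultTenantId = "00000000-0000-0000-0000-000000000000";
    private const string KeyId = "https://example-vault.vault.azure.net/keys/data-protection-kek";

    public static async Task<IKey> ResolveKeyAsync(string keyId = KeyId, string tenantId = VaultTenantId)
    {
        // With no connection string the provider uses the App Service MSI endpoint
        // in Azure and, locally, the account selected under
        // Tools -> Options -> Azure Service Authentication (or the Azure CLI login).
        // "RunAs=Developer; DeveloperTool=VisualStudio" would pin it to the VS account
        // and fail fast if that account is unavailable.
        var tokenProvider = new AzureServiceTokenProvider();

        // KeyVaultClient calls this back with resource = "https://vault.azure.net".
        // Passing tenantId asks AAD to issue the token from the vault's directory.
        // For a guest (B2B) account the default is the account's home tenant, and
        // Key Vault rejects such a token with 401 Unauthorized. In App Service the
        // managed identity already belongs to the subscription's tenant.
        var client = new KeyVaultClient(async (authority, resource, scope) =>
            await tokenProvider.GetAccessTokenAsync(resource, tenantId));

        var resolver = new KeyVaultKeyResolver(client);
        try
        {
            return await resolver.ResolveKeyAsync(keyId, CancellationToken.None);
        }
        catch (KeyVaultErrorException ex) when (ex.Response?.StatusCode == HttpStatusCode.Unauthorized)
        {
            // Token not accepted: wrong tenant, wrong account, or no token at all.
            throw new InvalidOperationException(
                $"Key Vault rejected the token. Confirm it was issued by tenant {tenantId} " +
                "(the vault's tenant) and that the signed-in developer account is the intended one.", ex);
        }
        catch (KeyVaultErrorException ex) when (ex.Response?.StatusCode == HttpStatusCode.Forbidden)
        {
            // Token accepted, caller not authorized: the vault's access policy is missing
            // the key permission ("Get" for resolving; "UnwrapKey"/"WrapKey" for wrapping).
            throw new InvalidOperationException(
                "The caller authenticated but the vault's access policy does not grant it the " +
                "'Get' key permission (and 'UnwrapKey'/'WrapKey' if the key wraps other keys).", ex);
        }
    }
}
```

Keep the tenant id in configuration rather than in source, and leave it unset in the deployed App Service: there the managed identity is tied to the subscription's tenant, so the override matters only for the local developer-account path that the question describes.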