Deploying Container Instance with MSI and containers deployed to it cannot read keyvault secrets

1
votes

I followed this guide from Microsoft: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity

All that works fine, but when I want to deploy with a ASP.NET Core 2.1 inside a container, where in my code I try to read the KeyVault secrets it does not work. It will work without deploying it inside a Docker container though.

But the goal is to deploy the project into a docker container, register it into Azure Container Registry and then create a Container Instance with containers that can read keyvault secrets.

The error I get is typically what I would get when trying to read secrets from Keyvaults inside a running .NET core Docker container:

AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/. Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory.

Any guide to get Docker containers read from Azure Keyvault secrets?

The source code for reading a keyvault secrets:

  public static async Task<string> GetSecret(string baseUrl, string keyName)
    {
        AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();

        using (var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)))
        {
            var secret = await keyVaultClient.GetSecretAsync(baseUrl, keyName).ConfigureAwait(false);
            return secret
        }
    }
2
c#azuredockerasp.net-corecontainers
Do you use the MSI in Azure Container Instance or in just Docker Container? - Charles Xu
MSI in Azure Container Instance. But should it not go well if you add a docker image inside the Container Instance? or is it anything else that I need to do? - Khiem-Kim Ho Xuan
You mean run the Docker container inside the Container Instance? - Charles Xu
Yes. Based on also following this guide: docs.microsoft.com/en-us/azure/container-instances/… - Khiem-Kim Ho Xuan
The link you provide shows just the Azure Container Instance. One thing should be pointed out: the MSI just provide for the Azure Service. If you run the Docker container nest in the Container Instance, it would not work in the Docker container. - Charles Xu

2 Answers

0
votes

First of all, you should know managed identities is just the feather of Azure Services. Also, even if for Azure Services, not all the service are supported for the feather. You can know which Azure service support the managed identities here.

And you can take a look that how does the MSI work for Azure Service here. So it seems that you cannot use the MSI for the Docker container which does not belong to Azure inside the Azure Container Instance. The error also shows that:

Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.

But I suggest you can try to use the Service Principal to read the key stored in KeyVault or access other Azure Service.

0
votes

Seems that I was not aware using AppAuthentication NuGet 1.1.0-preview produced the error. Use 1.0.3 and everything works fine inside azure container instance with a container image running :)