How can I give access to key vault to a user assigned identity?

Question

Is it possible to give access to a key vault to a user assigned identity?

In Managed Identities from the azure portal I created a new Identity "KeyVaultIdentity", which I assigned it to a web application (in Identity, user assigned identities tab). In access policies from key vault I added the new created "KeyVaultIdentity" identity and offered permissions to access the secrets.

I am using the following code to access the key vault:

try
        {
            /* The below 4 lines of code shows you how to use AppAuthentication library to fetch secrets from your Key Vault*/
            AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();
            KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
            var secret = await keyVaultClient.GetSecretAsync("https://play9VaultDemo.vault.azure.net/secrets/AppSecret")
                .ConfigureAwait(false);
            Message = secret.Value;

            /* The below do while logic is to handle throttling errors thrown by Azure Key Vault. It shows how to do exponential backoff which is the recommended client side throttling*/
            do
            {
                long waitTime = Math.Min(getWaitTime(retries), 2000000);
                secret = await keyVaultClient.GetSecretAsync("https://play9VaultDemo.vault.azure.net/secrets/AppSecret")
                    .ConfigureAwait(false);
                retry = false;
            }
            while (retry && (retries++ < 10));
        }
        /// <exception cref="KeyVaultErrorException">
        /// Thrown when the operation returned an invalid status code
        /// </exception>
        catch (KeyVaultErrorException keyVaultException)
        {
            Message = keyVaultException.Message;
            if ((int)keyVaultException.Response.StatusCode == 429)
                retry = true;
        }

But it says that access is forbidden when I try to access the secret. However if in Key Vault I give access to the System Assigned Identity of the Web application, I can access the secret,

Do you have any idea how can I make this work with the user assigned identity?

Joey Cai Joey Cai · Accepted Answer · 2019-03-12T07:33:24

Do you have any idea how can I make this work with the user assigned identity?

You could follow the steps from How to use managed identities for App Service and Azure Functions.

Here is the steps:

1.In webapp Identity, click User Assigned(preview) and add your user-assigned managed identity.

2.Adding the user-assigned type and a cotells Azure to create and manage the identity for your application using an Azure Resource Manager template.

"identity": {
        "type": "UserAssigned",
        "userAssignedIdentities": {
            "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', variables('identityName'))]": {}
        }
    }

3.If you request a token to Key Vault, you need to make sure you have added an access policy that includes your application's identity. Otherwise, your calls to Key Vault will be rejected, even if they include the token.

4.Using the Microsoft.Azure.Services.AppAuthentication library for .NET to get secret.

var azureServiceTokenProvider = new AzureServiceTokenProvider();
            var keyVaultClient = new KeyVaultClient(
               new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

            var secret = keyVaultClient.GetSecretAsync("https://yourkeyvaultname.vault.azure.net/secrets/secretname").Result.Value;

5.The output is as below:

How can I give access to key vault to a user assigned identity?

3 Answers