Exception while connecting to KeyVault from Azure VM

0
votes

I am running my applictaion from Azure VM and trying to connect with KeyVault. But I am getting below exception

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Exception for Visual Studio token provider Microsoft.Asal.TokenService.exe : TS003: Error, TS001: This account 'username' needs re-authentication. Please go to Tools->Azure Services Authentication, and re-authenticate the account you want to use.

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command, operable program or batch file.

I have checked the prerequisite such as - 1. created the KeyVault in the same resource group of the VM and added 2 secrets. 2. checked that the VM is registered in Active Directory and that it has a system assigned identity. 3. added access policy allowing read and list secrets to the VM.

Here is the code, What I am missing

public void ConfigureServices(IServiceCollection services)
        {
         services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

            var azureServiceTokenProvider = new AzureServiceTokenProvider();
            var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

            var secret = keyVaultClient.GetSecretAsync($"https://vaultname.vault.azure.net/Secrets/connString").Result.Value;
3
azureazure-keyvaultazure-managed-identity

3 Answers

1
votes

Errors are indicating authentication issue, so 2 things to validate in order;

  • Confirm the VM can query Azure Metadata service 
Invoke-RestMethod -Headers @{"Metadata"="true"} -URI "http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=text" -Method get`

Image 1

If above query is successful then check the Identity API on the metadata service but if it fails then there is a communication issue between VM and Azure environment.

  • Confirm the VM can query the Identity API of Azure Metadata service
Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -Headers @{Metadata="true"}

Image 2

If above query is successful then there is nothing wrong with MSI.

0
votes

The problem was with the nuget version on Microsoft.Azure.Services.AppAuthentication. Version 1.0.3 solves this.

0
votes

I'm using nuget package Azure.Identity version 1.3 and got the same issue TS003, TS001, so I tried to downgrade version to 1.2.2 and it works