Is there any way to get a key vault secret using the IIS app pool identity to authenticate?
The typical solution for reading values from Azure KeyVault is
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var result = await keyVaultClient.GetSecretAsync(secretUrl).ConfigureAwait(false);
While this works under Visual Studio, and even for a Windows/console application, it doesn't work for an IIS application, even when the app pool is configured with an identity that would otherwise work.
All the solutions I've found to date require a service principal and supplying its id and secret, and it's storing secrets locally that I'm trying to avoid.
Example: https://blog.bitscry.com/2019/02/13/using-azure-key-vault-in-a-console-application/
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// clientId and clientSecret are the service principal's credentials, i.e. the stored secret the question wants to avoid
var keyClient = new KeyVaultClient(async (authority, resource, scope) => {
    var adCredential = new ClientCredential(clientId, clientSecret);
    var authenticationContext = new AuthenticationContext(authority, null);
    return (await authenticationContext.AcquireTokenAsync(resource, adCredential)).AccessToken;
});
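For contrast with the service-principal callback above, here is the secret-free pattern using the newer Azure.Identity and Azure.Security.KeyVault.Secrets packages (the successors of the AppAuthentication/KeyVaultClient libraries in the question); this is an added example, not code from the question or the linked blog. It assumes the host process runs with a managed identity that has been granted secret read permission on the vault; the vault URI and secret name are placeholders.

```csharp
using System;
using System.Threading.Tasks;
using Azure;                       // RequestFailedException
using Azure.Identity;              // ManagedIdentityCredential, CredentialUnavailableException
using Azure.Security.KeyVault.Secrets;

public static class SecretReader
{
    // Placeholder: replace with your vault URI.
    private const string VaultUri = "https://<your-vault-name>.vault.azure.net/";

    // Reads one secret with the managed identity of the host process.
    // No client id/secret is configured anywhere: the token is issued by the
    // platform's identity endpoint, so this only works on a host that has a
    // managed identity assigned, and that identity must be allowed to read
    // secrets on the vault (access policy "Get" or the Key Vault Secrets User role).
    public static async Task<string> ReadSecretAsync(string secretName)
    {
        var credential = new ManagedIdentityCredential();   // system-assigned identity
        var client = new SecretClient(new Uri(VaultUri), credential);
        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName).ConfigureAwait(false);
            return secret.Value;
        }
        catch (CredentialUnavailableException ex)
        {
            // No managed identity endpoint answered (e.g. the host has no identity
            // assigned). The fix is on the platform side; do not fall back to a
            // stored client secret to paper over it.
            throw new InvalidOperationException("Managed identity is not available on this host", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was obtained but the vault rejected it: the identity is
            // missing secret read permission on this vault.
            throw new InvalidOperationException("Identity lacks secret read permission on the vault", ex);
        }
    }
}
```

Separating the two failure modes tells you whether the problem is that the IIS worker process has no usable identity at all or that the identity exists but has not been granted access to the vault.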