I am having a heck of a time configuring .Net Core's DataProtectionProvider to store keys in an Azure Key Vault. The issue is that I can't seem to create a proper Blob URI, or at least I think that's the issue since everything else seems to be in order and yet I'm still getting Unauthorized.
In Azure I have registered an application and client secret, created a vault and a key, and an access policy giving pretty much all permissions to the application.
Here's the relevant part of my ConfigureServices:
// Blob SAS URI for PersistKeysToAzureBlobStorage: this must be a storage account blob URL (not a Key Vault URL),
// with the SAS token appended after a '?'.
string uri = "https://{storage-account}.blob.core.windows.net/{container}/{blob}" + "?se=2020-01-01&sp=rw&spr=https&sv=2018-11-09&sr=b&sig={sig}";
// Key Vault key identifier for ProtectKeysWithAzureKeyVault (key name, optionally followed by /{version}).
string keyIdentifier = "https://{vault-name}.vault.azure.net/keys/{key-name}";
string clientId = "{application-id}";
string clientSecret = "{client-secret}";
services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);
services.AddDataProtection()
.PersistKeysToAzureBlobStorage(new Uri(uri)) // requires Microsoft.AspNetCore.DataProtection.AzureStorage
.ProtectKeysWithAzureKeyVault(keyIdentifier, clientId, clientSecret); //requires Microsoft.AspNetCore.DataProtection.AzureKeyVault
services.AddControllers();
I'm hung up on how to generate the SAS. The documentation seems to suggest that somehow this relates to a storage account, but I can't see any obvious way to relate a storage account to a key vault. So I've tried a few different things from the Azure CLI, but nothing seems to get me past authentication.
Any help would be much appreciated.
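The two calls in the snippet above talk to two different services, and that is where the URI confusion comes from: PersistKeysToAzureBlobStorage wants a SAS URI for a blob in a *storage account* (where the key ring XML is stored), while ProtectKeysWithAzureKeyVault wants the identifier of a *Key Vault key* (used only to wrap and unwrap the key ring). The SAS is therefore generated against the storage account blob, not the vault. The following ConfigureServices is an added example, not the asker's code or anything from the ASP.NET Core project; it assumes the same two packages the question names, reads the secrets from configuration under hypothetical "DataProtection:" keys rather than from source, and checks the blob URI shape before handing it to the provider so a Key Vault URL or a missing SAS fails fast with a clear message instead of a generic Unauthorized at runtime.

```csharp
using System;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // Hypothetical configuration keys (user secrets, environment variables, etc.).
        // Expected shapes:
        //   BlobSasUri:    https://{storage-account}.blob.core.windows.net/{container}/{blob}.xml?sv=...&sr=b&sp=rw&se=...&sig=...
        //                  (a blob-scoped SAS with read+write is enough for the key ring blob)
        //   KeyIdentifier: https://{vault-name}.vault.azure.net/keys/{key-name}
        //   ClientId / ClientSecret: the registered application's credentials
        string blobSasUri   = Configuration["DataProtection:BlobSasUri"];
        string keyIdentifier = Configuration["DataProtection:KeyIdentifier"];
        string clientId     = Configuration["DataProtection:ClientId"];
        string clientSecret = Configuration["DataProtection:ClientSecret"];

        Uri blobUri = ValidateBlobSasUri(blobSasUri);
        Uri keyUri  = ValidateKeyVaultKeyUri(keyIdentifier);

        services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_3_0);

        services.AddDataProtection()
            // Microsoft.AspNetCore.DataProtection.AzureStorage: where the key ring XML lives.
            .PersistKeysToAzureBlobStorage(blobUri)
            // Microsoft.AspNetCore.DataProtection.AzureKeyVault: the vault key wraps/unwraps the
            // key ring, so the application only needs the wrapKey and unwrapKey key permissions
            // in the vault access policy, not the full set.
            .ProtectKeysWithAzureKeyVault(keyUri.ToString(), clientId, clientSecret);

        services.AddControllers();
    }

    // Rejects the common mistakes: a Key Vault URL passed as the blob URI, or a blob URL
    // without its SAS token (which is what yields Unauthorized from the storage service).
    public static Uri ValidateBlobSasUri(string value)
    {
        if (!Uri.TryCreate(value, UriKind.Absolute, out Uri uri) || uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("DataProtection:BlobSasUri must be an absolute https URI.");

        if (!uri.Host.EndsWith(".blob.core.windows.net", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                "DataProtection:BlobSasUri must point at a storage account blob, not at a Key Vault.");

        if (uri.AbsolutePath.Trim('/').Split('/').Length < 2)
            throw new InvalidOperationException("DataProtection:BlobSasUri must name a container and a blob.");

        if (!uri.Query.Contains("sig=") || !uri.Query.Contains("sp="))
            throw new InvalidOperationException(
                "DataProtection:BlobSasUri is missing its SAS token (expected '?...&sp=...&sig=...').");

        return uri;
    }

    // Checks that the key identifier is a vault key URL, e.g. https://{vault}.vault.azure.net/keys/{key-name}.
    public static Uri ValidateKeyVaultKeyUri(string value)
    {
        if (!Uri.TryCreate(value, UriKind.Absolute, out Uri uri) || uri.Scheme != Uri.UriSchemeHttps)
            throw new InvalidOperationException("DataProtection:KeyIdentifier must be an absolute https URI.");

        if (!uri.Host.EndsWith(".vault.azure.net", StringComparison.OrdinalIgnoreCase)
            || !uri.AbsolutePath.StartsWith("/keys/", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                "DataProtection:KeyIdentifier must look like https://{vault}.vault.azure.net/keys/{key-name}.");

        return uri;
    }
}
```

The blob SAS can be produced for that specific blob from the CLI with az storage blob generate-sas (pass --https-only, a short --expiry, --permissions rw and --full-uri to get the ready-to-use URL); because the SAS is itself a bearer credential for the key ring, it belongs in user secrets or the environment alongside the client secret, not in Startup.cs.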