2
votes

I am trying to run a .NET Core 3.1 application in Docker locally in Visual Studio. The application needs to access an Azure Key Vault.

When I run the application I get the following error:

One or more errors occurred. (Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Connection refused

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set.

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/53d4d1e1-3360-4735-8aad-21c6155f528a. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory

Note: it works fine using IIS Express! Please help! :D

2
Where is the code? Also clean up the messages so that we can read them - a big block of text is hard to read. - John Hanley
What do you mean, sorry? The code is running in the Docker container locally on my machine...? - user3560464
I believe you need to be running VS in a user context that has access to the Key Vault so that it can acquire a token. - Matt Small
The accepted answer is insecure because it has you store sensitive information in a file that should be checked in to source control (and it kind of defeats the purpose of using Key Vault in the first place); instead I've posted an alternate answer below that you should consider. - BrainSlugs83

2 Answers

2
votes

Please set the required environment variables when using DefaultAzureCredential to authenticate to Azure Key Vault.

In this scenario, that means setting the environment variables in the Dockerfile.

    ENV AZURE_CLIENT_ID=<Your AZURE CLIENT ID>
    ENV AZURE_CLIENT_SECRET=<Your CLIENT SECRET>
    ENV AZURE_TENANT_ID=<Your TENANT ID>

0
votes

In an attempt to avoid the accepted answer (because of obvious security issues), and to simplify and automate E. Staal's answer (on a duplicate question), I came up with this:

  1. Update your .gitignore file, by adding the following line to the bottom of it:

    appsettings.local.json
    
  2. Right click on the project in Solution Explorer, and click on Properties; in the Build Events tab, find the Pre-build event command line text box and add the following code:

    cd /d "$(ProjectDir)"
    if exist "appsettings.local.json" del "appsettings.local.json"
    if "$(ConfigurationName)" == "Debug" (
    az account get-access-token  --resource=https://vault.azure.net > appsettings.local.json
    )
    
  3. In your launchSettings.json (or using the Visual Editor under project settings) configure the following values:

    {
      "profiles": {
        // ...
        "Docker": {
          "commandName": "Docker",
          "environmentVariables": {
            "DOTNET_ENVIRONMENT": "Development",
            "AZURE_TENANT_ID": "<YOUR-AZURE-TENANT-ID-HERE>"
          }
        }
      }
    }
    
  4. In your Program.cs file find the CreateHostBuilder method and update the ConfigureAppConfiguration block accordingly -- here is mine as an example:

    Host.CreateDefaultBuilder(args).ConfigureAppConfiguration
    (
        (ctx, cfg) =>
        {
            if (ctx.HostingEnvironment.IsDevelopment())
            {
                cfg.AddJsonFile("appsettings.local.json", true);
            }
    
            var builtConfig = cfg.Build();
            var keyVault = builtConfig["KeyVault"];
            if (!string.IsNullOrWhiteSpace(keyVault))
            {
                var accessToken = builtConfig["accessToken"];
                cfg.AddAzureKeyVault
                (
                    $"https://{keyVault}.vault.azure.net/",
                    new KeyVaultClient
                    (
                        string.IsNullOrWhiteSpace(accessToken)
                        ? new KeyVaultClient.AuthenticationCallback
                        (
                            new AzureServiceTokenProvider().KeyVaultTokenCallback
                        )
                        : (x, y, z) => Task.FromResult(accessToken)
                    ),
                    new DefaultKeyVaultSecretManager()
                );
            }
        }
    )
    

If this still doesn't work, verify that az login has been performed and that az account get-access-token --resource=https://vault.azure.net works correctly for you.
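
A repository check for the two concerns raised in this thread, added here as an example and not code from either answer: it flags `ENV`/`ARG` instructions that store a secret-like value in the Dockerfile (the first answer's `AZURE_CLIENT_SECRET` line) and confirms that `appsettings.local.json` from step 1 above is git-ignored. The secret-name pattern, the function names and the sample inputs are assumptions made for this example, and the `.gitignore` matching is an approximation of git's rules for a file in the project directory.

```python
import fnmatch
import re

# Assumption: variable names ending in these words hold credentials.
# AZURE_CLIENT_SECRET is the one the first answer sets in the Dockerfile.
SECRET_NAME = re.compile(r"(SECRET|PASSWORD|TOKEN|KEY)$", re.IGNORECASE)
# An ENV/ARG instruction, including any backslash-continued lines.
INSTRUCTION = re.compile(
    r"^[ \t]*(ENV|ARG)[ \t]+((?:.*\\[ \t]*\n)*.*)$", re.IGNORECASE | re.MULTILINE)
PAIR = re.compile(r'(?<!\S)([A-Za-z_]\w*)=("[^"]*"|\S*)')

def baked_in_secrets(dockerfile_text):
    """Return (line_no, instruction, name) for secret-like ENV/ARG values."""
    findings = []
    for m in INSTRUCTION.finditer(dockerfile_text):
        line_no = dockerfile_text.count("\n", 0, m.start()) + 1
        kind = m.group(1).upper()
        rest = re.sub(r"\\[ \t]*\n", " ", m.group(2)).strip()
        pairs = PAIR.findall(rest)
        if not pairs and kind == "ENV":  # legacy "ENV NAME value" form
            name, _, value = rest.partition(" ")
            pairs = [(name, value)]
        findings += [(line_no, kind, n) for n, v in pairs
                     if SECRET_NAME.search(n) and v.strip(" \"'")]
    return findings

def is_ignored(gitignore_text, filename="appsettings.local.json"):
    """Approximate git's matching: the last matching rule wins, '!' negates."""
    ignored = False
    for rule in (r.strip() for r in gitignore_text.splitlines()):
        if rule and not rule.startswith("#"):
            if fnmatch.fnmatchcase(filename, rule.lstrip("!/")):
                ignored = not rule.startswith("!")
    return ignored

# Constructed sample inputs (dummy values), modelled on the two answers.
SAMPLE_DOCKERFILE = """FROM base-image
ENV AZURE_CLIENT_ID=dummy-client-id
ENV AZURE_CLIENT_SECRET=dummy-secret
ENV AZURE_TENANT_ID=dummy-tenant-id
"""
SAMPLE_GITIGNORE = "bin/\nobj/\nappsettings.local.json\n"

if __name__ == "__main__":
    for line_no, kind, name in baked_in_secrets(SAMPLE_DOCKERFILE):
        print(f"Dockerfile:{line_no}: {kind} stores {name} in the image")
    print("appsettings.local.json ignored:", is_ignored(SAMPLE_GITIGNORE))
```

An `ARG` declared without a default is not reported, since the Dockerfile itself then holds no value.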