0
votes

I'm setting up a KeyVault to remove secrets from my .NET Azure WebApp and pass CredScan and everything is hooked up correctly as far as I can tell.

The KeyVault exists in the same resource group as the app and has the required secrets. The App Service has explicit read-permissions set in the KeyVault's Access Policies. And all the correct parameters are used to create the API client in the code, following the documentation.

However when I use the standard API call to actually access a secret using the client, i.e.

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// keyVaultURI is a System.Uri such as https://<vault-name>.vault.azure.net/
SecretClient client = new SecretClient(keyVaultURI, new DefaultAzureCredential());
string secret = client.GetSecret(secretName).Value.Value;

I get the following error:

DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user . Ensure that you have authenticated with a developer tool that supports Azure single sign on.

I'm guessing there must be some required config step or setting that I am unaware of.

1
Have you configured MSI for your Azure web app: docs.microsoft.com/en-us/azure/app-service/… (Jim Xu)
@JimXu yes, but this was the root of the problem. The Access Policy I had set up in the KeyVault in Azure Portal was not for the correct AAD Identity. Following the standard MI setup steps for the correct App Service was sufficient to get it working. (user3776749)

1 Answer

5
votes

I summarize the whole solution below.

If you want to use DefaultAzureCredential to access Azure Key Vault from an Azure App Service, you need to enable MSI and configure the right access policy for your MSI in Azure Key Vault. For more details, please refer to the document.

The detailed steps are as below.

a. Enable system-assigned MSI

  • Scroll down to the Settings group in the left navigation.
  • Select Identity.
  • Within the System assigned tab, switch Status to On. Click Save.

b. Configure access policy

  • Search for your Key Vault in the “Search Resources” dialog box in Azure Portal.
  • Select "Overview", and click on "Access policies".
  • Click on "Add New", select "Secret Management" from the dropdown for "Configure from template".
  • Click on "Select Principal", and in the search field enter the Object ID of your web app MSI you created earlier. Select the web app in the result list and click "Select".
  • Click on "OK" to add the new Access Policy, then click "Save" to save the Access Policies.
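The same steps a and b as Azure CLI commands, with a final check that the vault's access policy really targets the web app's own object id (the mismatch the comments identify as the root cause). This is an added example, not part of the answer above; RG, APP and KV are placeholder names.

```shell
#!/usr/bin/env bash
# Added example (not from the answer above): steps a and b via the Azure CLI,
# plus a check that the vault policy targets the web app's own identity.
# RG, APP and KV are placeholder names; override them via the environment.
set -euo pipefail

RG="${RG:-my-resource-group}"   # placeholder resource group
APP="${APP:-my-webapp}"         # placeholder App Service name
KV="${KV:-my-keyvault}"         # placeholder Key Vault name (access-policy model)

# A managed identity's principalId is a GUID; anything else means the
# assignment step did not return what we expect (empty output, an error).
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Step a: enable the system-assigned identity and return its object id.
enable_msi() {
  az webapp identity assign --resource-group "$RG" --name "$APP" \
    --query principalId --output tsv
}

# Step b: grant only get/list on secrets (narrower than the portal's
# "Secret Management" template, which also allows set/delete and more).
grant_secret_access() {
  az keyvault set-policy --name "$KV" --object-id "$1" \
    --secret-permissions get list --output none
}

# Check: is there an access policy for exactly this object id? A policy
# granted to a different principal (the root cause in the comments) fails here.
policy_exists_for() {
  local count
  count=$(az keyvault show --name "$KV" --output tsv \
    --query "length(properties.accessPolicies[?objectId=='$1'])")
  [ "$count" -ge 1 ]
}

main() {
  local pid
  pid=$(enable_msi)
  is_guid "$pid" || { echo "unexpected principalId: '$pid'" >&2; return 1; }
  grant_secret_access "$pid"
  policy_exists_for "$pid" && echo "OK: $APP identity $pid can read secrets in $KV"
}

# Run only when invoked as './script.sh run' so the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

If the vault uses the RBAC permission model instead of access policies, `properties.accessPolicies` is empty and the check will fail; assign a Key Vault Secrets User role to the same object id instead.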