0
votes

Trying to get an oauth2 token for Azure Key Vault, following the tutorial below.

https://docs.microsoft.com/en-us/azure/key-vault/general/tutorial-net-windows-virtual-machine

Within Azure I am getting the oauth2 token endpoint and making the call to get the token, but getting a response "You must sign into your account". Is the token endpoint supposed to be different? If so, where is that found? If I am using the correct endpoint, then how do I solve this? The whole purpose of using Key Vault is so that you don't have to store your credentials locally.

    static string GetToken()
    {
        WebRequest request = WebRequest.Create("https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token");
        request.Headers.Add("Metadata", "true");
        WebResponse response = request.GetResponse();
        return ParseWebResponse(response, "access_token");
    }

1
Did you follow the tutorial you provided? It shows we need to use WebRequest.Create("http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net") when we want to get the token of key vault with azure VM. Why do you use WebRequest.Create("https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token")? - Hury Shen

Yes @HuryShen I tried that but the URI is unreachable, what is supposed to be used in place of "169.254.169.254"? - Shiloh

1 Answer

2
votes

As per the comments above, you are getting unreachable because you are probably trying to run your code from outside of Azure. That endpoint, 169.254.169.254, is only routable within Azure. This means that sample code has to be running within an Azure VM.

You didn't specify where you are trying to access it from, but if you are trying to access it from an Azure web app, the relevant sample would be https://docs.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app

If you are trying to access Key Vault from outside, you'd probably create an app registration and give it access to Key Vault, something like this: Can't Access Azure Key Vault from desktop console app
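
The distinction drawn in the answer, as an added example that is not part of the original post or the tutorial: the token request goes to the instance metadata endpoint quoted in the comment, with a short timeout so that running off-VM fails fast with a clear message. The class and method names are assumptions; the endpoint, api-version and resource are the ones quoted on this page, and the code assumes a managed identity is enabled on the VM.

```csharp
using System;
using System.Net.Http;
using System.Text.Json;
using System.Threading.Tasks;

static class ImdsToken // hypothetical name, not from the tutorial
{
    // Endpoint and api-version as quoted in the comment on the question.
    const string ImdsEndpoint = "http://169.254.169.254/metadata/identity/oauth2/token";
    const string ApiVersion = "2018-02-01";

    // Builds the metadata URL for a resource such as https://vault.azure.net
    public static string BuildUrl(string resource) =>
        $"{ImdsEndpoint}?api-version={ApiVersion}&resource={Uri.EscapeDataString(resource)}";

    // Extracts access_token from the JSON body returned by the endpoint.
    public static string ParseAccessToken(string json)
    {
        using JsonDocument doc = JsonDocument.Parse(json);
        return doc.RootElement.GetProperty("access_token").GetString()
            ?? throw new InvalidOperationException("access_token was null");
    }

    public static async Task<string> GetTokenAsync(string resource)
    {
        // Short timeout: outside Azure the link-local address is not routable.
        using var client = new HttpClient { Timeout = TimeSpan.FromSeconds(3) };
        using var request = new HttpRequestMessage(HttpMethod.Get, BuildUrl(resource));
        request.Headers.Add("Metadata", "true"); // header the metadata service requires
        try
        {
            using HttpResponseMessage response = await client.SendAsync(request);
            response.EnsureSuccessStatusCode(); // non-2xx, e.g. no identity assigned
            return ParseAccessToken(await response.Content.ReadAsStringAsync());
        }
        catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
        {
            throw new InvalidOperationException(
                "Metadata endpoint unreachable or refused: run on an Azure VM with a managed identity.", ex);
        }
    }

    static async Task Main()
    {
        string token = await GetTokenAsync("https://vault.azure.net");
        // Do not log the token itself; it is a bearer credential.
        Console.WriteLine($"Got token, {token.Length} chars");
    }
}
```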