0
votes

I am having trouble getting my registered Azure app (a C# .NET Core application running on a user's machine) access to its client secret stored in an Azure Key Vault. The app has been added to an Azure AD group that has been given an access policy to the key vault. I feel like this should work, but it doesn't; it returns an "authentication unavailable, no managed identity endpoint found" error:

// ManagedIdentityCredential talks to the local managed-identity endpoint (present on Azure VMs, App Service, etc.), which does not exist on a user's workstation.
var creds = new ManagedIdentityCredential(clientId);
SecretClient secretClient = new SecretClient(new Uri(url), creds);

This block of code works, but only because my user account has an access policy for the key vault as well:

// DefaultAzureCredential falls back to the signed-in developer identity (Visual Studio, Azure CLI, etc.), so this runs as the user, not as the app.
SecretClient secretClient = new SecretClient(new Uri(url), new DefaultAzureCredential());

Is there another step I am missing to set up my registered app, or is there another method for establishing credentials using the app ID/client ID?

1
I have also tried using the Object ID for the Azure AD group and the Object ID of the app in place of the clientId, with no luck. - r.schmitt
I don't see why you "feel like this should work" - generally you should not be able to elevate a user's permissions by just running an app under their account. (I suspect you got the idea of app registration backward - code can represent itself as the identity for that registered app because it knows the secret, not the other way around.) - Alexei Levenkov
So I can't access the secret stored in the key vault without knowing the secret in advance to authenticate? - r.schmitt

1 Answer

0
votes

As you have understood, if you don't have the secret, you won't be able to finish the authentication. And without the authentication, you cannot access key vault to get the client secret.

Using a client secret for authentication is not secure and should only be used for testing purposes. The recommended way is to use a client certificate. See this tutorial to learn how to set up a service principal to authenticate to key vault and retrieve a secret.

This third-party article is related to how to use a client ID and client secret to authenticate to the key vault. You can see that we need to know the client secret in advance.
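The certificate-based approach the answer recommends, as an added example (not the answerer's code, and not from the linked tutorial). It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets packages, that the certificate's public half has been uploaded to the app registration, and placeholder values for the tenant ID, client ID, thumbprint and vault URL; the app must still hold the Get secret permission through its group's access policy.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Placeholders (assumptions, not values from the question): fill in from the
// app registration and the certificate you uploaded to it.
const string TenantId = "<tenant-id>";
const string ClientId = "<app-registration-client-id>";
const string CertThumbprint = "<thumbprint-of-uploaded-certificate>";
const string VaultUrl = "https://<vault-name>.vault.azure.net/";

// Look the certificate up in the current user's personal store. The private
// key stays on the machine; Azure AD only ever sees the public half.
X509Certificate2 LoadCertificate(string thumbprint)
{
    using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
    store.Open(OpenFlags.ReadOnly);
    var matches = store.Certificates.Find(
        X509FindType.FindByThumbprint, thumbprint, validOnly: false);
    if (matches.Count == 0)
        throw new InvalidOperationException($"Certificate {thumbprint} is not installed.");
    return matches[0];
}

string ReadSecret(string secretName)
{
    // ClientCertificateCredential authenticates as the registered app itself,
    // which is why it works on a plain workstation where the managed-identity
    // endpoint (and therefore ManagedIdentityCredential) is unavailable.
    var credential = new ClientCertificateCredential(
        TenantId, ClientId, LoadCertificate(CertThumbprint));
    var client = new SecretClient(new Uri(VaultUrl), credential);
    try
    {
        KeyVaultSecret secret = client.GetSecret(secretName);
        return secret.Value;
    }
    catch (AuthenticationFailedException ex)
    {
        // Token request rejected: wrong tenant/client ID or certificate not registered.
        throw new InvalidOperationException("Azure AD authentication failed.", ex);
    }
    catch (RequestFailedException ex) when (ex.Status == 403)
    {
        // Authenticated, but the app (or its group) lacks an access policy on the vault.
        throw new InvalidOperationException("Key Vault access policy denies this app.", ex);
    }
}

Console.WriteLine($"Read {ReadSecret("my-secret").Length} characters.");
```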