how to access azure key vault for asp.net core dockerize app using managed identity

0
votes

I am creating an asp.net core web app and within Visual studio I don't have any issue on below code while I am trying to fetch azure key vault using managed identity.

public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, config) =>
            {
                config.AddAzureKeyVault(new AzureKeyVaultConfigurationOptions
                {
                    Vault = "https://testvaultXYZ.vault.azure.net/",
                    Client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback)),
                });
            })
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder.UseStartup<Startup>();
            });

Now I make this application to run in docker/container now when I am running this application in local container I am getting below error for above code,

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: 'Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxxx. Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxx. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxx. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxxxx. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory

I understand that user is different while running in docker container. What's the solution here?

I saw some solution to get access token using below command,

$Env:ACCESS_TOKEN=(az account get-access-token  --resource=https://testvaultXYZ.vault.azure.net | ConvertFrom-Json).accessToken

but here also getting error like,

Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://testvaultXYZ.vault.azure.net was not found in the tenant named XXXXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.

2
dockercontainersasp.net-core-webapiazure-keyvaultazure-managed-identity

2 Answers

1
votes

It should be: az account get-access-token --resource=https://vault.azure.net. Then you get the access token you can use :) This is working for me.

1
votes

To use the workaround with get-access-token:

  1. be sure that you're signed in to azure cli, just run the command az account get-access-token ... in terminal and check whether you're able to get the token; do you use correct tenant and subscription?
  2. save the result to environment variable in terminal session
  3. pass this variable to docker run --env KVTOKEN=$Env ... command as an environment variable
  4. don't forget to read this variable in application and pass it to KeyVaultClient constructor:
var token = Environment.GetEnvironmentVariable("KVTOKEN");
KeyVaultClient kvclient = string.IsNullOrEmpty(token) ? new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback)) : new KeyVaultClient((authority, resource, scope) => token);