0
votes

As part of my effort to enhance my ASP.NET Core 3 web app with the ability to use Azure Blob storage, I need to understand the azure key vault.

So I'm following Quickstart: Azure Key Vault client library for .NET (SDK v4).

The sample code here demonstrates techniques for storing and fetching secrets to/from my key vault. Are these techniques appropriate for use inside of Kubernetes-resident ASP.NET Core 3 Kestrel web apps? If not, please guide me to some appropriate sample code for fetching and storing secrets.

I enhanced the sample console application to print the keyVaultName retrieved from the environment variable, and it is indeed correct.

I get the following error:

dotnet run
Creating a secret in kv-temp called 'mySecret' with the value '3.14159' ...
Unhandled exception. Azure.Identity.AuthenticationFailedException: SharedTokenCacheCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details. You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details.  Original exception: AADSTS70002: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.

What am I doing wrong? The error says to modify the configuration in the application registration portal... This seems contrary to what I read in 'App identity and security principals', where the preferred approach is to NOT register the application.

Should I be registering this console application (and my ASP.NET Core web app) in the Azure portal? Should I be creating a principal?

Fri Oct 09 2020 Update: I followed Allen's instructions, did the git clone and edited the source as per Allen's instructions, and I'm getting this (similar) error:

MsalServiceException: AADSTS70002: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
Trace ID: 4700fefb-af1b-4566-bba8-46ccdbac6a00
Correlation ID: 332949b6-7490-44b3-87e6-11163c3a70ec
Timestamp: 2020-10-09 13:49:26Z

Thank you

Siegfried

1
Hi, did you have a chance to try my suggestion? - Allen Wu

Do you still need help on this? Any updates? If my answer is helpful, you can accept it as the answer. Thank you. - Allen Wu

Yes, I would like help. I responded to your answer in my Oct 9 update. I do not understand why the error message mentions the App Registrations, because this is not mentioned in the quickstart. Does it make sense to register a console application running on my desktop? The link in the error message takes me to the AAD app registration page and is prompting for a redirect URL! This is a console app, not a web app. Do key vaults use AAD? It is also prompting for a user-facing display name. Where/how is this used? I don't see it in the quickstart. - user3477493

1 Answer

0
votes

If you are using .NET Core 3.1 SDK or later, I think these techniques apply to your application. See Prerequisites.

Based on "Authenticate and create a client", the sample console application is using Default Azure Credential authentication.

So you don't need to create a service principal here. The DefaultAzureCredential() class will read your Azure credential.

I didn't repro your issue. But here are my simple steps to run it.

Download the entire console app from Getting Started with Azure Key Vault with .NET Core.

Use Visual Studio to open the project and then sign in to VS with your Azure account. Make sure this account has access to your Azure Key Vault.

Replace string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME"); with string keyVaultName = "{your own key vault name}"; where {your own key vault name} is an existing key vault which you have created.

Then you should be able to run it successfully. The DefaultAzureCredential() will read your Azure credential in VS and it doesn't require you to create a service principal.
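The following is an added example, written for this page and not taken from the question, the answer, or the Microsoft quickstart. It addresses both the question's Kubernetes concern and the answer's point that DefaultAzureCredential reads whatever credential is available: in a pod it uses only the managed identity, and on a developer machine it keeps the DefaultAzureCredential chain but drops the SharedTokenCacheCredential that produced the AADSTS70002 error above, so the remaining sources (Visual Studio, Azure CLI) are the ones that get tried. It assumes the Azure.Identity and Azure.Security.KeyVault.Secrets NuGet packages are referenced, reads the vault name from the KEY_VAULT_NAME variable used by the quickstart, and detects a cluster via the KUBERNETES_SERVICE_HOST variable that Kubernetes injects into every pod.

```csharp
// Added example (not the quickstart's or the poster's code).
// Assumes NuGet packages Azure.Identity and Azure.Security.KeyVault.Secrets.
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultSecretDemo
{
    // Chooses the credential source by where the code runs.
    // In a Kubernetes pod only the managed identity is acceptable: a missing
    // identity should fail loudly rather than fall back to a developer's cached token.
    // On a developer machine the DefaultAzureCredential chain is kept, minus the
    // shared token cache that raised AADSTS70002 in the question.
    public static TokenCredential BuildCredential(bool runningInCluster)
    {
        if (runningInCluster)
        {
            return new ManagedIdentityCredential();
        }

        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ExcludeSharedTokenCacheCredential = true,
            ExcludeInteractiveBrowserCredential = true,
        });
    }

    // Stores one secret and reads it back, returning the value that came back.
    public static async Task<string> RoundTripAsync(
        string keyVaultName, string secretName, string secretValue, bool runningInCluster)
    {
        var kvUri = new Uri($"https://{keyVaultName}.vault.azure.net/");
        var client = new SecretClient(kvUri, BuildCredential(runningInCluster));

        try
        {
            await client.SetSecretAsync(secretName, secretValue);
            KeyVaultSecret fetched = await client.GetSecretAsync(secretName);
            return fetched.Value;
        }
        catch (AuthenticationFailedException ex)
        {
            // Token acquisition itself failed (the AADSTS70002 case above).
            Console.Error.WriteLine($"Authentication failed for {kvUri}: {ex.Message}");
            throw;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The token was accepted but this identity has no get/set secret permission
            // on the vault (access policy or RBAC role missing).
            Console.Error.WriteLine($"Access denied on {kvUri}: grant the identity secret get/set permissions.");
            throw;
        }
    }

    public static async Task Main()
    {
        string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME")
            ?? throw new InvalidOperationException("Set KEY_VAULT_NAME to an existing vault name.");

        // Assumption: Kubernetes sets KUBERNETES_SERVICE_HOST in every pod; absent locally.
        bool inCluster = Environment.GetEnvironmentVariable("KUBERNETES_SERVICE_HOST") != null;

        string value = await RoundTripAsync(keyVaultName, "mySecret", "3.14159", inCluster);
        Console.WriteLine($"Round-tripped secret value: {value}");
    }
}
```

Splitting the credential choice by environment is the main design point: the same binary works in Visual Studio, from the Azure CLI and inside AKS, but in the cluster nothing other than the pod's managed identity can ever be used, which is also the identity you grant the vault's secret permissions to. The two catch blocks separate "could not get a token" (a credential or app-registration problem) from "token fine, vault said no" (a Key Vault permission problem), which are the two failures that look alike in a bare stack trace.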