I have an App Service that I am developing that needs to access a KeyVault. After getting some assistance from some people on Stackoverflow, I got it to the point where the App Service can access the KeyVault while it is running in Azure. The problem I am facing now is I cannot access the KeyVault when running the application locally in Visual Studio. I get the following exception when attempting to retrieve a secret.
SharedTokenCacheCredential authentication failed: AADSTS9002332: Application 'MY_APPLICATION_ID'(Azure Key Vault) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request. Trace ID: 4252753a-5e28-4261-ad85-d773468c1b00 Correlation ID: 013df9c1-16ef-46f6-a3f5-839bb52cbdcc Timestamp: 2021-04-22 05:19:12Z
I am signed into Visual Studio using my MSDN account. I also have my KeyVault created in my MSDN instance of Azure. Furthermore, the KeyVault has an access policy for my MSDN user.
Based on the error, I am guessing I somehow also need to configure KeyVault to allow Azure Active Directory users AND whatever my MSDN account user is considered, but I have no idea how to do this, or if this is even the correct solution. It seems counterintuitive that I would have an access policy created, yet still be denied access.
I also don't understand where it is configured for Azure Active Directory users. Looking at the screenshot "Vault Access Policy" is selected. Wouldn't this mean the access policies should be used?
Can someone point me in the right direction on resolving this?
Edit: I tried the steps listed Here. Now I get this error.
Service request failed. Status: 403 (Forbidden)
Content: {"error":{"code":"Forbidden","message":"Access denied to first party service.\r\nCaller: name=from-infra;tid=GUID;appid=MY_APP_ID ;iss=https://sts.windows.net/GUID/\r\nVault: VAULT_NAME;location=westus","innererror":{"code":"AccessDenied"}}}
Why is access denied, despite an access policy existing that specifically allows access?
Edit 2: My Code
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var kvUri = "https://" + Properties.Settings.Default.KeyVaultName + ".vault.azure.net"; // vault URI built from the configured vault name
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true }); // skip the shared token cache (Visual Studio sign-in) in the credential chain
var client = new SecretClient(new Uri(kvUri), credential);
var result = client.GetSecret(secret); // 'secret' is the name of the secret to retrieve
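Added diagnostic example (not part of the question above, and not an answer to it): both error messages name the identity that actually reached the vault (the AADSTS error says the request went to the /consumers endpoint; the 403 body carries the caller's tid and appid), and a Key Vault access policy grants rights to a specific object ID in the vault's tenant. Before calling the vault, the code below acquires a token for the Key Vault scope with an explicit credential chain pinned to one tenant and prints the token's tid, oid, appid, upn and idp claims, so they can be compared with the tenant the vault lives in and with the principal the access policy was granted to. The tenant ID, vault name and secret name are placeholders and assumed; the chain order (Azure CLI, then Visual Studio, then an interactive browser sign-in) is a choice for this example, not the original code's DefaultAzureCredential.

```csharp
using System;
using System.Text;
using System.Text.Json;
using System.Threading;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

class KeyVaultTokenCheck
{
    // Assumed placeholders: replace with the tenant that owns the vault and your vault name.
    const string TenantId = "00000000-0000-0000-0000-000000000000";
    const string VaultName = "VAULT_NAME";
    const string Scope = "https://vault.azure.net/.default";

    static void Main()
    {
        // Pin every credential that can prompt to the vault's tenant, so the token request
        // is made against that tenant rather than the /consumers (personal account) endpoint.
        var credential = new ChainedTokenCredential(
            new AzureCliCredential(),
            new VisualStudioCredential(new VisualStudioCredentialOptions { TenantId = TenantId }),
            new InteractiveBrowserCredential(new InteractiveBrowserCredentialOptions { TenantId = TenantId }));

        // Acquire the same token the SecretClient would send, and inspect who it is issued for.
        AccessToken token = credential.GetToken(new TokenRequestContext(new[] { Scope }), CancellationToken.None);
        using JsonDocument payload = JsonDocument.Parse(DecodeJwtPayload(token.Token));
        JsonElement claims = payload.RootElement;

        // tid must equal the vault's tenant; oid (for a user) or appid (for a service principal)
        // must be the object the access policy was granted to. A guest or personal account has a
        // different object ID in every tenant it is invited to.
        Console.WriteLine($"tid   = {Claim(claims, "tid")}");
        Console.WriteLine($"oid   = {Claim(claims, "oid")}");
        Console.WriteLine($"appid = {Claim(claims, "appid")}");
        Console.WriteLine($"upn   = {Claim(claims, "upn")}");
        Console.WriteLine($"idp   = {Claim(claims, "idp")}");

        // Only now talk to the vault; never print the secret value itself.
        var client = new SecretClient(new Uri($"https://{VaultName}.vault.azure.net"), credential);
        KeyVaultSecret secret = client.GetSecret("my-secret").Value; // assumed secret name
        Console.WriteLine($"Fetched '{secret.Name}' ({secret.Value.Length} chars)");
    }

    static string Claim(JsonElement root, string name) =>
        root.TryGetProperty(name, out JsonElement value) ? value.ToString() : "(absent)";

    // The JWT payload is the second dot-separated segment, base64url encoded without padding.
    static string DecodeJwtPayload(string jwt)
    {
        string segment = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        switch (segment.Length % 4)
        {
            case 2: segment += "=="; break;
            case 3: segment += "="; break;
        }
        return Encoding.UTF8.GetString(Convert.FromBase64String(segment));
    }
}
```

If the printed tid is not the vault's tenant, or the oid is not the object ID listed in the vault's access policy, the 403 is expected regardless of what the policy says, because the policy is evaluated against the identity in the presented token, not against the account signed into Visual Studio.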