2
votes

I have an App Service that I am developing that needs to access a KeyVault. After getting some assistance from some people on Stackoverflow, I got it to the point where the App Service can access the KeyVault while it is running in Azure. The problem I am facing now is I cannot access the KeyVault when running the application locally in Visual Studio. I get the following exception when attempting to retrieve a secret.

SharedTokenCacheCredential authentication failed: AADSTS9002332: Application 'MY_APPLICATION_ID'(Azure Key Vault) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request. Trace ID: 4252753a-5e28-4261-ad85-d773468c1b00 Correlation ID: 013df9c1-16ef-46f6-a3f5-839bb52cbdcc Timestamp: 2021-04-22 05:19:12Z

I am signed into Visual Studio using my MSDN account. I also have my KeyVault created in my MSDN instance of Azure. Furthermore, the KeyVault has an access policy for my MSDN user.

[Screenshot of the Key Vault access policy settings]

Based on the error, I am guessing I somehow also need to configure KeyVault to allow Azure Active Directory users AND whatever my MSDN account user is considered, but I have no idea how to do this, or if this is even the correct solution. It seems counterintuitive that I would have an access policy created, yet still be denied access.

I also don't understand where it is configured for Azure Active Directory users. Looking at the screenshot "Vault Access Policy" is selected. Wouldn't this mean the access policies should be used?

Can someone point me in the right direction on resolving this?

Edit: I tried the steps listed here. Now I get this error.

Service request failed. Status: 403 (Forbidden)

Content: {"error":{"code":"Forbidden","message":"Access denied to first party service.\r\nCaller: name=from-infra;tid=GUID;appid=MY_APP_ID ;iss=https://sts.windows.net/GUID/\r\nVault: VAULT_NAME;location=westus","innererror":{"code":"AccessDenied"}}}

Why is access denied, despite an access policy existing that specifically allows access?

Edit 2: My Code

// Requires: using Azure.Identity; using Azure.Security.KeyVault.Secrets;
// `secret` is the name of the secret to retrieve (defined elsewhere in the asker's code).
var kvUri = "https://" + Properties.Settings.Default.KeyVaultName + ".vault.azure.net";
// Skip the shared token cache so the MSDN account is not picked up from Visual Studio's cache.
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true });
var client = new SecretClient(new Uri(kvUri), credential);
var result = client.GetSecret(secret);
2
For me I added an application under Azure AD -> Enterprise Applications -> Add Application and then used its credentials in my application. – Tore Nestenius

2 Answers

2
votes

Set the AZURE_TENANT_ID environment variable in the project's debug settings to your Azure tenant ID (GUID).

0
votes

Update:

This is your error:

[Screenshot of the asker's error]

And this is my code:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using System;
using System.Threading;

namespace ConsoleApp59
{
    class Program
    {
        static void Main(string[] args)
        {
            var kvUri = "https://" + "testbowman" + ".vault.azure.net";
            string secret = "testsecret";
            var credential = new DefaultAzureCredential();
            var client = new SecretClient(new Uri(kvUri), credential);
            var result = client.GetSecret(secret);
            var value = result.Value.Value;
            Console.WriteLine(value);
            Console.ReadLine();
        }
    }
}

Please also check your firewall and virtual network:

[Screenshot of the Key Vault firewall and virtual network settings]

If your keyvault is in a VNET or you have some firewall rules, that will also prevent you from accessing the secrets of the keyvault.

And by the way, the default credential is actually not a single credential; it just loops ('foreach') over all the credentials in the steps below:

  1. A service principal configured by environment variables.
  2. An Azure managed identity.
  3. On Windows only: a user who has signed in with a Microsoft application, such as Visual Studio.
  4. The user currently signed in to Visual Studio Code.
  5. The identity currently logged in to the Azure CLI.

So we always use the default credential and it works both locally and on Azure. But sometimes it causes problems. At that time, we need to specify a specific credential (just changing the credential is OK, it is not a difficult step. Locally you can use VisualStudioCredential, VisualStudioCodeCredential or AzureCliCredential, and on Azure you can use ManagedIdentityCredential. Just change the credential, no other steps are needed).

Original Answer:

1, The access policy may not work immediately. Maybe you can wait a few minutes and test again.

2, This problem may come from the credential the code gets being the wrong one (so please show your code). Sometimes the default credential will pick the wrong credential. You need to specify a particular one, such as AzureCliCredential, VisualStudioCodeCredential, ManagedIdentityCredential and so on.

This is the doc:

https://docs.microsoft.com/en-us/dotnet/api/azure.core.tokencredential?view=azure-dotnet

3, Please make sure the user is in the subscription. Guest users seem to be unable to access even if they are granted access rights.

Anyway, please show the code if you can.
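As an added example (not code from either answer or from the asker), this combines the explicit-credential approach of the second answer with the tenant pinning of the first: managed identity in App Service, tenant-pinned developer credentials locally, and the two failure modes seen in the question separated. The tenant GUID, vault name and the use of the App Service WEBSITE_SITE_NAME variable for environment detection are assumptions.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Placeholders (assumptions, not values from the post).
static class KeyVaultAccess
{
    const string TenantId = "00000000-0000-0000-0000-000000000000"; // your AAD tenant GUID
    const string VaultName = "VAULT_NAME";

    // Pick one credential per environment instead of letting DefaultAzureCredential
    // probe every source in turn (the order listed in the answer above).
    public static TokenCredential BuildCredential()
    {
        // WEBSITE_SITE_NAME is set by App Service; locally it is absent (assumption).
        bool inAppService = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME"));
        if (inAppService)
            return new ManagedIdentityCredential(); // no secrets shipped with the app

        // Locally: pin the developer credentials to the work tenant so the signed-in
        // account is never resolved via the /consumers endpoint (AADSTS9002332 above).
        // Same effect as the AZURE_TENANT_ID variable, but explicit in code.
        return new ChainedTokenCredential(
            new VisualStudioCredential(new VisualStudioCredentialOptions { TenantId = TenantId }),
            new AzureCliCredential(new AzureCliCredentialOptions { TenantId = TenantId }));
    }

    public static string ReadSecret(string secretName)
    {
        var client = new SecretClient(new Uri($"https://{VaultName}.vault.azure.net"), BuildCredential());
        try
        {
            return client.GetSecret(secretName).Value.Value;
        }
        catch (AuthenticationFailedException ex)
        {
            // No token at all: wrong tenant, or no signed-in account for that tenant.
            throw new InvalidOperationException("Could not obtain a token for Key Vault.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Token issued but the vault refused it: re-check the access policy for this
            // exact identity (appid/oid in the error body), and the firewall/VNet rules.
            throw new InvalidOperationException("Key Vault denied access (HTTP 403).", ex);
        }
    }
}
```

Keeping the two catch blocks apart matters for troubleshooting: the first means the token request itself failed (the asker's original error), the second means a token was issued for an identity the vault does not trust (the 403 after the edit).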