Connection to Azure Vault using MSI

Question

I am trying to connect to my azure vault from a console application with using MSI

For this vault i have added my user as the Selected Principle
the code i am using to connect is

var azureServiceTokenProvider = new AzureServiceTokenProvider();

var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

var secret = await keyVaultClient.GetSecretAsync("https://<vaultname>.vault.azure.net/secrets/<SecretName>").ConfigureAwait(false);

I get the following exception

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority

Console app... running in Azure on a VM with the automagically generated service principal added to Key Vault's Access Policies? What do you mean by _i have added my user as the Selected Principle_, that's not how it works, the VM has its own SPN, use it. — evilSnobu, Feb 28 '18 at 10:40
I mean i added my AD user as a principle when setting up access policies in the azure vault — MicroMan, Feb 28 '18 at 10:42
What do you mean _locally_? The whole point of MSI is that it's implemented in the Azure resource. There's no mechanism in place for your **local** dev machine to acquire an access token. — evilSnobu, Feb 28 '18 at 10:46
Do i need to register my console app in azure? and use the applicationId and appSecret in the instance of the KeyVaultClient? — MicroMan, Feb 28 '18 at 11:00
How can i use vault to get secrets from a windows forms app or a console app? — MicroMan, Feb 28 '18 at 11:02
Yes, you need to register your app with Azure AD to get a client_id and client_secret. You'll then use those to acquire an access token for your vault resource. — evilSnobu, Feb 28 '18 at 11:47

evilSnobu · Accepted Answer · 2018-08-27T22:38:36.937

Enable Managed Service Identity in the Configuration blade under your virtual machine.

Search for NameOfYourVM service principal and add it to your Key Vault under Access Policies. Add key/secret/certificate permissions.

On your Azure VM, run the console app.

class Program
{
    // Target C# 7.1+ in your .csproj for async Main
    static async Task Main()
    {
        var azureServiceTokenProvider = new AzureServiceTokenProvider();

        var keyVaultClient = new KeyVaultClient(
              new KeyVaultClient.AuthenticationCallback(
                    azureServiceTokenProvider.KeyVaultTokenCallback));

        var secret = await keyVaultClient.GetSecretAsync(
              "https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME");

        Console.WriteLine(secret.Value);
        Console.ReadLine();
    }
}

To run locally, create your very own Azure AD application registration (Web App/Web API type to make it a confidential client), add it to Key Vault and use its client_id and client_secret when acquiring the access token —
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application#gettoken

As Varun mentioned in the comments, there's now a better way to get an access token when running locally without exposing a service principal —

https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#local-development-authentication

AzureServiceTokenProvider allows use of developer Visual Studio identity or Azure CLI for local development. Please do not use Client ID and secret for this. The intent of MSI and AzureServiceTokenProvider is to not have developers deal with explicit credentials. Please refer this to use Visual Studio/ Azure CLI for local development. https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#local-development-authentication — Varun - MSFT, Aug 27 '18 at 20:34

Snr · Answer 2 · 2018-05-02T11:55:22.537

3

To run locally.

install Azure Cli
Open Windows Powershell
write az login command (it will give an url and code )
Open Url and enter the code which is given with az login

then get the secret value like this

 var secret =  keyVaultClient.GetSecretAsync("https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME").GetAwaiter().GetResult() ;
     secret.Value; //will be your secret.

edited May 02 '18 at 11:55

answered May 02 '18 at 11:30

Snr

1,102
12
21

score 2 · Answer 3 · answered Mar 22 '19 at 05:37

a correct answer is already given above, here's an additional one :-)

Azure MSI applying with App Service & Vault

Enable System Assigned Managed Identity for your App Service, check Identity section under settings.
Add Policy under Vault
configure your code behind

Connection to Azure Vault using MSI

3 Answers3

Linked