Amy

Reputation: 11

Azure Key Vault: Secret not found error

I've created the Key Vault and entered a secret. When I run my services locally using .NET, I am able to retrieve the secret via the key vault. Here's what I did:

1) Created an SSL certificate
2) Used that SSL certificate to create an AD application
3) Created a Service Principal for the above application
4) Gave full key vault access to this application
5) I put the VaultURI, ServicePrincipal.Application ID, and the cert thumbprint in the Web.config file
6) I also uploaded the *.pfx of that cert to my cloud service

When I run my service locally, I am able to retrieve the secret. I have even tried retrieving the secret via powershell and I have been successful. When I deploy my code to Azure, I am unable to retrieve the secret.

It says:

Type : Microsoft.Azure.KeyVault.Models.KeyVaultErrorException, Microsoft.Azure.KeyVault, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35 Message : Secret not found: QSAccounts7126 Source : Microsoft.Azure.KeyVault Help link : 

I have spent 3 days looking at it and retesting every possible scenario and haven't figured out what is wrong. Can someone please help in identifying the issue or directing me in the right path for debugging? I even tried publishing the cloud service in debug mode in Azure, and for some reason that did not work either.

Any help you can provide would be greatly appreciated.

using System.Configuration;   // ConfigurationManager
using System.Threading.Tasks;

// Reads the vault settings from Web.config and resolves one secret by name.
private async Task<string> getSecretConnection(string connectionName)
{
    var kvName = ConfigurationManager.AppSettings["vaultName"];
    var kvClientId = ConfigurationManager.AppSettings["clientId"];
    var kvClientThumbprint = ConfigurationManager.AppSettings["clientThumbprint"];
    using (keyVaultHelper = new AzureKeyVaultHelper(kvClientId, kvClientThumbprint, kvName))
    {
        var bundle = await keyVaultHelper.GetAzureKeyVaultSecretAsync(connectionName);
        return bundle;
    }
}

// Inside AzureKeyVaultHelper: fetches the secret bundle and returns only its value.
public async Task<string> GetAzureKeyVaultSecretAsync(string secretName)
{
    var bundle = await this.KvClient.GetSecretAsync(KeyVaultUrl, secretName);
    return bundle.Value;
}

This is the code that runs for authentication:

using Microsoft.IdentityModel.Clients.ActiveDirectory;   // ADAL types used below

private async Task<string> getAccessTokenFromSPNAsync(string authority, string resource, string scope)
{
    //clientID and clientSecret are obtained by registering 
    //the application in Azure AD

    var certificate = CertificateHelper.FindCertificateByThumbprint(this.ClientThumbprint);
    var assertionCert = new ClientAssertionCertificate(this.ClientId, certificate); //needed for authentication
    var clientCredential = new ClientCredential(this.ClientId, this.ClientThumbprint); //not used below

    var authContext = new AuthenticationContext(authority, TokenCache.DefaultShared);
    AuthenticationResult result = await authContext.AcquireTokenAsync(resource, assertionCert);

    if (result == null)
    {
        throw new InvalidOperationException("Failed to obtain the token from Azure AD using certificate");
    }

    return result.AccessToken;
}

Upvotes: 1

Views: 9378

Answers (2)

Tom Sun

Reputation: 24529

Can someone please help in identifying the issue or directing me in the right path for debugging?

It seems that you need to add WEBSITE_LOAD_CERTIFICATES in your Azure WebApp settings to load the certificate into your web application's personal certificate store. For more details you could refer to this blog. We also could remote debug the WebApp to get more detailed error information.

Adding an app setting named WEBSITE_LOAD_CERTIFICATES with its value set to the thumbprint of the certificate will make it accessible to your web application. You can have multiple comma-separated thumbprint values or can set this value to * (without quotes), in which case all your certificates will be loaded into your web application's personal certificate store.

Upvotes: 3
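As an added illustration of what the WEBSITE_LOAD_CERTIFICATES step is meant to achieve (this is example code, not code from the question or from this answer): a hypothetical startup check that looks up the configured thumbprint in the personal certificate stores and reports whether the certificate, and its private key, are visible to the deployed process. The class and method names are assumptions.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;

// Hypothetical diagnostic helper (not the question's CertificateHelper).
public static class CertificateDiagnostics
{
    // Thumbprints pasted from the portal often carry spaces or hidden characters;
    // keep only hex digits so the store lookup compares like with like.
    public static string NormalizeThumbprint(string thumbprint)
    {
        var hex = (thumbprint ?? string.Empty).Where(Uri.IsHexDigit).ToArray();
        return new string(hex).ToUpperInvariant();
    }

    // CurrentUser\My is where App Service places certificates listed in
    // WEBSITE_LOAD_CERTIFICATES; LocalMachine\My is where a Cloud Service role
    // installs an uploaded .pfx. Check both so the message names the real gap.
    public static X509Certificate2 FindByThumbprint(string thumbprint)
    {
        var wanted = NormalizeThumbprint(thumbprint);
        foreach (var location in new[] { StoreLocation.CurrentUser, StoreLocation.LocalMachine })
        {
            using (var store = new X509Store(StoreName.My, location))
            {
                store.Open(OpenFlags.ReadOnly);
                var hit = store.Certificates
                    .Find(X509FindType.FindByThumbprint, wanted, validOnly: false)
                    .Cast<X509Certificate2>()
                    .FirstOrDefault();
                if (hit != null) return hit;
            }
        }
        return null;
    }

    // One line for the startup log: either what was found (a client assertion
    // needs the private key, so HasPrivateKey is reported) or what is missing
    // together with the current WEBSITE_LOAD_CERTIFICATES value.
    public static string Describe(string thumbprint)
    {
        var loadSetting = Environment.GetEnvironmentVariable("WEBSITE_LOAD_CERTIFICATES");
        var cert = FindByThumbprint(thumbprint);
        if (cert == null)
            return $"Certificate {NormalizeThumbprint(thumbprint)} not found in CurrentUser\\My or "
                 + $"LocalMachine\\My; WEBSITE_LOAD_CERTIFICATES='{loadSetting ?? "<unset>"}'";
        return $"Certificate {cert.Thumbprint} found: subject='{cert.Subject}', "
             + $"hasPrivateKey={cert.HasPrivateKey}, notAfter={cert.NotAfter:u}";
    }
}
```

Calling CertificateDiagnostics.Describe with the clientThumbprint app setting at application start, and logging the result, separates "certificate not loaded" from later Key Vault errors.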

Andy Sinclair

Reputation: 2293

I am not sure that your code is correct.

For example, the constructor for ClientCredential takes a Client ID and Client Secret; your code is passing in a Client ID and Certificate Thumbprint.

See the Microsoft article Use Azure Key Vault from a Web Application for example code. I have used the code in this article and it works as expected when deployed to Azure.

Upvotes: 0
