user3911247

Reputation: 51

Fetching access token for keyvault

I have published a web app locally and hooked it up to IIS.

When I try to navigate to the site it fails at startup with the following error when trying to access the keyvault:

Application startup exception:

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47. Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47. Exception Message: Tried to get token using Managed Service Identity.

Unable to connect to the Managed Service Identity (MSI) endpoint.

Please check that you are running on an Azure resource that has MSI setup.

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47.

Exception Message: Tried to get token using Visual Studio.

Access token could not be acquired. Visual Studio Token provider file not found at "C:\WINDOWS\system32\config\systemprofile\AppData\Local.IdentityService\AzureServiceAuth\tokenprovider.json"

Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47. config (most recent call last):
File "runpy.py", line 193, in _run_module_as_main
File "runpy.py", line 85, in _run_code
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-qw7dqhq0\azure-cli\azure\cli__main__.py", line 32, in File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-qw7dqhq0\azure-cli-core\azure\cli\core__init__.py", line 511, in get_default_cli
File "C:\Users\VSSADM~1\AppData\Local\Temp\pip-install-qw7dqhq0\azure-cli-core\azure\cli\core__init__.py", line 34, in init
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\knack\cli.py", line 82, in init self.config = config_cls(config_dir=config_dir, config_env_var_prefix=config_env_var_prefix) File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\site-packages\knack\config.py", line 38, in init ensure_dir(config_dir)
File "C:\Program Files (x86)\Microsoft SDKs\Azure\CLI2\Lib\sitepackages\knack\util.py", line 38, in ensure_dir os.makedirs(d)
File "os.py", line 220, in makedirs PermissionError: [WinError 5] Access is denied: 'C:\WINDOWS\system32\config\systemprofile\.azure'

Upvotes: 5

Views: 12299

Answers (3)

felickz

Reputation: 4461

If you are attempting to use user-based AAD authentication while running full IIS on localhost, you must follow these instructions to configure your user profile to run the IIS app pool:

Can't retrieve tokens when debugging app in IIS

  • Configure the Application Pool for the web app to run as your current user account. See more information here
  • Configure "setProfileEnvironment" to "True". See more information here.
    • Go to %windir%\System32\inetsrv\config\applicationHost.config
    • Search for "setProfileEnvironment". If it's set to "False", change it to "True". If it's not present, add it as an attribute to the processModel element (/configuration/system.applicationHost/applicationPools/applicationPoolDefaults/processModel/@setProfileEnvironment), and set it to "True".

Once this is configured, use the other tips found here to either log in to AzCli or Visual Studio App Authentication.

Also FYI - if you have users elevating to admin with a separate user account to run Visual Studio / IIS -- they must also elevate their command prompt with the same user when authenticating to the CLI.

Upvotes: 8
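The two settings this answer describes (pool identity and setProfileEnvironment on applicationPoolDefaults/processModel) can be audited and corrected programmatically. The following Python is an added example, not the answer author's code; it works on a constructed applicationHost.config fragment embedded inline, and the pool name "MyKeyVaultApp" is made up. On a real machine you would read %windir%\System32\inetsrv\config\applicationHost.config instead.

```python
import xml.etree.ElementTree as ET

# Constructed applicationHost.config fragment (not copied from any real server).
# setProfileEnvironment is absent and the pool runs as ApplicationPoolIdentity:
# the combination behind the systemprofile paths in the question's stack trace.
SAMPLE_CONFIG = """<configuration>
  <system.applicationHost>
    <applicationPools>
      <add name="MyKeyVaultApp" managedRuntimeVersion="v4.0">
        <processModel identityType="ApplicationPoolIdentity" />
      </add>
      <applicationPoolDefaults>
        <processModel identityType="ApplicationPoolIdentity" />
      </applicationPoolDefaults>
    </applicationPools>
  </system.applicationHost>
</configuration>"""

# Element paths taken from the applicationHost.config layout given in the answer.
POOLS_PATH = "system.applicationHost/applicationPools"
DEFAULTS_PM = POOLS_PATH + "/applicationPoolDefaults/processModel"


def audit(config_xml: str, pool_name: str) -> list:
    """Return findings that explain why user-based token providers fail under IIS."""
    root = ET.fromstring(config_xml)
    findings = []
    defaults_pm = root.find(DEFAULTS_PM)
    value = defaults_pm.get("setProfileEnvironment") if defaults_pm is not None else None
    if value is None:
        findings.append("setProfileEnvironment missing on applicationPoolDefaults/processModel")
    elif value.lower() != "true":
        findings.append(f"setProfileEnvironment is {value}, expected true")
    pool = root.find(f"{POOLS_PATH}/add[@name='{pool_name}']")
    if pool is None:
        findings.append(f"app pool {pool_name} not found")
        return findings
    pm = pool.find("processModel")  # pool-level override; defaults inheritance is not modelled here
    identity = pm.get("identityType", "ApplicationPoolIdentity") if pm is not None else "ApplicationPoolIdentity"
    if identity != "SpecificUser":
        findings.append(f"pool {pool_name} runs as {identity}; token files live in the developer's profile")
    return findings


def set_profile_environment(config_xml: str) -> str:
    """Return the config with setProfileEnvironment="true", adding the attribute if absent."""
    root = ET.fromstring(config_xml)
    pm = root.find(DEFAULTS_PM)
    if pm is None:  # element missing entirely: create applicationPoolDefaults/processModel
        defaults = root.find(POOLS_PATH + "/applicationPoolDefaults")
        if defaults is None:
            defaults = ET.SubElement(root.find(POOLS_PATH), "applicationPoolDefaults")
        pm = ET.SubElement(defaults, "processModel")
    pm.set("setProfileEnvironment", "true")
    return ET.tostring(root, encoding="unicode")
```

After the fix the only remaining finding is the pool identity, which (as the answer says) must be switched to the developer's own account by hand or via IIS Manager.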

Liam

Reputation: 5476

I had this problem and finally found that I wasn't logged in to Azure locally.

What fixed the issue for me was downloading the Azure CLI to my machine and running

az login

and just follow the resultant pages to log in. Run your app and you should find it connects now.

Upvotes: 13

Joey Cai

Reputation: 20067

As mentioned in this document Managed Service Identity, the managed service identity only works inside the Azure environment, and only in the App Service deployment in which you configured it.

Note: the MSI does not work with App Service deployment slot at this time.

Before coding, we need to setup something in Azure:

1. Enable Managed Service Identity on the Web App

2. Allow the generated Service Principal access to the Production Key Vault

Here is my code to get token and it works well:

using Microsoft.Azure.Services.AppAuthentication;
// Acquires a Key Vault token via the App Service's Managed Service Identity (Azure only, see above).
var azureServiceTokenProvider = new AzureServiceTokenProvider();
string token = await azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net");

For more details about how to access Azure Key Vault with MSI in ASP.NET Core, you could refer to this article.

Upvotes: 0
