Reputation: 2416
I'm trying to use the new AzureKeyVault ConfigurationBuilder in a .NET 4.7.1 MVC app and keep getting configuration errors when I run it locally:
Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.
Parser Error Message: An error occurred loading a configuration file: One or more errors occurred.
Source Error:
Line 13: </builders>
Line 14: </configBuilders>
Line 15: <appSettings configBuilders="AzureKeyVault">
Line 16: <add key="webpages:Version" value="3.0.0.0" />
Line 17: <add key="webpages:Enabled" value="false" />
After creating a new .NET Framework 4.7.1 ASP.NET MVC web project, I added a connected service to Azure Key Vault and targeted an existing vault. My web.config then included this section:
<configuration>
  <configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
  </configSections>
  <configBuilders>
    <builders>
      <add name="AzureKeyVault" vaultName="my-test-keyvault" connectionString="" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=1.0.0.0, Culture=neutral" vaultUri="https://WebApplication1-12-kv.vault.azure.net" />
    </builders>
  </configBuilders>
  <appSettings configBuilders="AzureKeyVault">
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.7.1" />
    <httpRuntime targetFramework="4.7.1" />
I've been scouring the internet trying to find examples of what the connectionString should look like but I haven't had any success. The documentation states:
The vaultName is required. The other attributes allow you some manual control about which vault to connect to, but are only necessary if the application is not running in an environment that works magically with Microsoft.Azure.Services.AppAuthentication. The Azure Services Authentication library is used to automatically pick up connection information from the execution environment if possible, but you can override that feature by providing a connection string instead.
Any recommendations or pointers here? Thanks.
Upvotes: 3
Views: 2102
Reputation: 2416
The documentation linked in the linked article (Announcing .NET 4.7.1 Tools for the Cloud) is out of date. There are no clientId and clientSecret properties on the AzureKeyVaultConfigBuilder class.
There is a connectionString property however. Details on how to build that connection string when running locally are in this article: Service-to-service authentication to Azure Key Vault using .NET.
This is the method that worked for me:
RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}
All three of these values (AppId, TenantId and AppKey) are available in the application's AD entry in Azure.
Upvotes: 5
Reputation: 20107
I could reproduce your problem locally with the following code:
<add name="AzureKeyVault"
     mode="Strict"
     vaultName="MyVaultName"
     type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure" />
If your application is running on an Azure service that has MSI, this is all you need to read configuration from the vault and add it to your application. Conversely, if you are not running on a service with MSI, you can still use the vault by adding the following attributes:
clientId – the Azure Active Directory application key that has access to your key vault.
clientSecret – the Azure Active Directory application secret that corresponds to the clientId
I tested with the following code and it works well; you could refer to it.
<configSections>
  <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
</configSections>
<configBuilders>
  <builders>
    <add name="KeyVault" mode="Strict" prefix="conn_" stripPrefix="true"
         clientId="MyId" clientSecret="mySecret" vaultName="MyVault"
         type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure" />
  </builders>
</configBuilders>
For more details, you could refer to this article.
Upvotes: 2
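Both forms shown in the answers above (the RunAs=App connection string with AppKey, and the clientSecret attribute) put the application's secret into web.config. The following is an added example, not part of the original posts: a check that scans a web.config for AzureKeyVaultConfigBuilder entries carrying an inline secret, so the file can be caught before it is committed. The sample config is constructed with placeholder values, and the function names and the "Clean" builder are hypothetical.

```python
import xml.etree.ElementTree as ET

BUILDER = ("Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, "
           "Microsoft.Configuration.ConfigurationBuilders.Azure")

# Constructed sample: the builder forms from the answers, with placeholder values.
SAMPLE_WEB_CONFIG = f"""<configuration>
  <configBuilders>
    <builders>
      <add name="AzureKeyVault" vaultName="my-test-keyvault" type="{BUILDER}"
           connectionString="RunAs=App;AppId=APP-ID-PLACEHOLDER;TenantId=TENANT-ID-PLACEHOLDER;AppKey=SECRET-PLACEHOLDER" />
      <add name="KeyVault" clientId="MyId" clientSecret="mySecret"
           vaultName="MyVault" type="{BUILDER}" />
      <add name="Clean" vaultName="MyVault" type="{BUILDER}" />
    </builders>
  </configBuilders>
</configuration>"""


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict with lower-cased keys."""
    pairs = {}
    for part in value.split(";"):
        if "=" in part:
            # Split on the first '=' only, so a secret containing '=' stays whole.
            key, _, val = part.partition("=")
            pairs[key.strip().lower()] = val.strip()
    return pairs


def find_inline_secrets(web_config_xml):
    """Return (builder name, attribute, reason) for each secret stored in the file."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for add in root.findall("./configBuilders/builders/add"):
        if "AzureKeyVaultConfigBuilder" not in add.get("type", ""):
            continue  # only the Key Vault builder is inspected
        name = add.get("name", "?")
        conn = parse_connection_string(add.get("connectionString", ""))
        if conn.get("appkey"):
            findings.append((name, "connectionString", "AppKey is stored inline"))
        if add.get("clientSecret"):
            findings.append((name, "clientSecret", "client secret is stored inline"))
    return findings


if __name__ == "__main__":
    for finding in find_inline_secrets(SAMPLE_WEB_CONFIG):
        print("%s: %s: %s" % finding)
```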