Azure Storage Client Side Encryption

Question

I'm trying to test client side encryption with an azure storage account. So far I've created a resource group and put my KeyVault, Registered App on Active Directory and inside my keyVault I've created a secret.

I think im failing to map my secret to my storage account, but I figured that they should work if they are in the same resource group.

$key = "qwertyuiopasdfgh"
$b = [System.Text.Encoding]::UTF8.GetBytes($key)
$enc = [System.Convert]::ToBase64String($b)
$secretvalue = ConvertTo-SecureString $enc -AsPlainText -Force

$secret = Set-AzureKeyVaultSecret -VaultName 'ectotecStorageKeyVault' -Name 'ectotecSecret' -SecretValue $secretvalue -ContentType "application/octet-stream"

The problem is that im getting an invalid secret provided error with the following code:

namespace cifradoApp

{

class Program

    {

    private async static Task<string> GetToken(string authority, string resource, string scope)
    {
        var authContext = new AuthenticationContext(authority);
        ClientCredential clientCred = new ClientCredential(
            ConfigurationManager.AppSettings["clientId"],
            ConfigurationManager.AppSettings["clientSecret"]);
        AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

        if (result == null)
            throw new InvalidOperationException("Failed to obtain the JWT token");

        return result.AccessToken;
    }

    static void Main(string[] args)
    {





        // This is standard code to interact with Blob storage.
        StorageCredentials creds = new StorageCredentials(
           ConfigurationManager.AppSettings["accountName"],
           ConfigurationManager.AppSettings["accountKey"]
        );

        CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true);
        CloudBlobClient client = account.CreateCloudBlobClient();
        CloudBlobContainer contain = client.GetContainerReference(ConfigurationManager.AppSettings["container"]);
        contain.CreateIfNotExists();

        // The Resolver object is used to interact with Key Vault for Azure Storage.
        // This is where the GetToken method from above is used.
        KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken);


        // Retrieve the key that you created previously.
        // The IKey that is returned here is an RsaKey.
        // Remember that we used the names contosokeyvault and testrsakey1.
        var rsa = cloudResolver.ResolveKeyAsync("https://ectotecstoragekeyvault.vault.azure.net/secrets/ectotecSecret/dee97a40c78a4638bbb3fa0d3e13f75e", CancellationToken.None).GetAwaiter().GetResult();

        // Now you simply use the RSA key to encrypt by setting it in the BlobEncryptionPolicy.
        BlobEncryptionPolicy policy = new BlobEncryptionPolicy(rsa, null);
        BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy };

        // Reference a block blob.
        CloudBlockBlob blob = contain.GetBlockBlobReference("BlobPruebaEncrypted.txt");

        // Upload using the UploadFromStream method.
        using (var stream = System.IO.File.OpenRead(@"C:\Users\moise\Desktop\ectotec stuff\Visual Studio\azureStorageSample\container\BlobPrueba.txt"))
        blob.UploadFromStream(stream, stream.Length, null, options, null);



    }







}
}

My app settings seems to be working fine, since i valide before with only my account and key to access the storage account, since I made tests without trying to do client side encryption, everything worked out just fine. The problem comes with the secret it seems.

ERROR WHEN I TRY TO UPLOAD SOMETHING TO MY STORAGE ACCOUNT CONTAINER(BLOB)

AdalException: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 52047a12-b950-4d8a-9206-120e383feb00\r\nCorrelation ID: e2ad8afe-4272-49aa-94c0-5dad435ffc45\r\nTimestamp: 2019-01-02 17:10:32Z","error_codes":[70002,50012],"timestamp":"2019-01-02 17:10:32Z","trace_id":"52047a12-b950-4d8a-9206-120e383feb00","correlation_id":"e2ad8afe-4272-49aa-94c0-5dad435ffc45"}: Unknown error

<appSettings>
  <add key="accountName" value="sampleExample"/>
  <add key="accountKey" value="KeyForMyApp"/>
  <add key="clientId" value="app-id"/>
  <add key="clientSecret" value="qwertyuiopasdfgh"/>
  <add key="container" value="ectotec-sample2"/>
</appSettings>

I'm trying to replicate the example in this tutorial:

https://learn.microsoft.com/en-us/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault

Answer 1

You need to make sure that you have granted your appliation rights to read keys. This is seperate from the RBAC permissions on the Key Vault.

To do this, browse to teh Key Vault in the portal, on the menu on the left you will see a settings section, and under here an item called "access policies", click on this.

You then want to click the "Add New" button. In the window that opens, click on the "Select Principal" section, and then enter in the name or application ID of the application you want to have access. Select the appropriate permissions for keys, secrets or certificates and then click OK.

This will take you back to the list of authorised users, be sure to click save at the top left (it isn't obvious you need to do this), your app should then have access.