Reputation: 707
Azure KeyVault Secret Get Throws Authentication Error
I'm setting up a KeyVault to remove secrets from my .NET Azure WebApp and pass CredScan and everything is hooked up correctly as far as I can tell.
The KeyVault exists in the same resource group as the app and has the required secrets. The App Service has explicit read-permissions set in the KeyVault's Access Policies. And all the correct parameters are used to create the API client in the code, following the documentation.
However when I use the standard API call to actually access a secret using the client, i.e.
SecretClient client = new SecretClient(keyVaultURI, new DefaultAzureCredential());
string secret = client.GetSecret(secretName).Value.Value;
I get the following error:
DefaultAzureCredential failed to retrieve a token from the included credentials.\r\nEnvironmentCredential authentication unavailable. Environment variables are not fully configured.\r\nManagedIdentityCredential authentication unavailable, no managed identity endpoint found.\r\nSharedTokenCacheCredential authentication unavailable. Token acquisition failed for user . Ensure that you have authenticated with a developer tool that supports Azure single sign on.
I'm guessing there must be some required config step or setting that I am unaware of.
Upvotes: 1
Views: 6546
Answers (1)
Reputation: 23141
I summary the whole solution as below.
If you want to DefaultAzureCredential to access Azure key vault in Azure app service, you need to enable MSI and configure the right access policy for you MSI in Azure key vault. For more details, please refer to the document
The detailed steps are as below.
a. Enable system-assigned MSI
- Scroll down to the Settings group in the left navigation.
- Select Identity.
- Within the System assigned tab, switch Status to On. Click Save.
b. Configure access policy
- Search for your Key Vault in “Search Resources dialog box” in Azure Portal.
- Select "Overview", and click on Access policies
- Click on "Add New", select "Secret Management" from the dropdown for "Configure from template"
- Click on "Select Principal", and in the search field enter the Object ID of you web app MSI you created earlier. Select the web app in the result list and click "Select".
- Click on "OK" to add the new Access Policy, then click "Save" to save the Access Policies
Upvotes: 7
Related Questions
- Exception raised while accessing keyvault in Azure through C#
- retrieve secret from azure key vault
- Accessing AzureKeyVault
- Azure KeyVault Get Secret API responds with 404 or 401 error
- Azure C# KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
- Azure key vault: access denied
- C# Can't retrieve secret from Azure Key Vault
- Azure KeyVault GetSecretAsync.Result.Value error handling
- Fetching secrets from keyVault from Azure in c#
- Getting Unathorized when trying to get a secret from Azure key Vault