Tony

Reputation: 1694

403 when connecting to Azure App Configuration using a Managed Identity

I am trying to connect from a .NET Framework app to Azure App Configuration using a Managed Identity, but I have permission issues.

How I connect

options.Connect(new Uri("https://myconfigstore.azconfig.io"), new ManagedIdentityCredential(clientId));

I have tried all the various clientId, objectId and applicationId GUIDs I can find in the portal, but I always get a bad request no matter which GUID I call it with:

Azure.Identity.CredentialUnavailableException: 'ManagedIdentityCredential authentication unavailable, 
the requested identity has not been assigned to this resource.
Status: 400 (Bad Request)

If I create ManagedIdentityCredential without specifying a clientId I get this error:

Azure.RequestFailedException: 'Service request failed.
Status: 403 (Forbidden)

I have granted my managed identity the Azure App Configuration Data permission:


Is this the clientId I should be using?


Update:

I have just tried to use the Id of my Active Directory (AAD --> Properties) and I get a

Azure.RequestFailedException: 'Service request failed.
Status: 403 (Forbidden)

That can only mean that I am using the wrong id because otherwise it should have returned 400 (Bad Request) like in the other error I see.

Full code

using System;
using System.Linq;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

internal static class Program
{
    // Held statically so the built configuration can be read after Main() wires it up.
    private static IConfiguration _configuration;

    private static async Task Main()
    {
        var builder = new ConfigurationBuilder();

        // Client id of the managed identity (redacted in the question).
        const string clientId = "e589d9f1-xxxx-xxxx-xxxx-6bc940d50ab7";

        builder.AddAzureAppConfiguration(options =>
        {
            // Authenticate to the App Configuration store with the managed identity
            // identified by clientId (user-assigned identity form of the constructor).
            options.Connect(new Uri("https://myconfigstore.azconfig.io"), new ManagedIdentityCredential(clientId));
        });

        _configuration = builder.Build();

        Console.WriteLine("Number of keys: " + _configuration.GetChildren().Count());

        Console.WriteLine("Demo: " + _configuration["Demo"]);
    }
}

Upvotes: 18

Views: 25687

Answers (1)

Zhenlan Wang

Reputation: 1543

This document demonstrates how to use managed identity to access App Configuration from App Service, but you can replace App Service with any other Azure service that supports managed identity: https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity

Here are a few things I'd like to call out:

  • Make sure the managed identity is enabled in the Azure service where your application runs.
  • When you are using system assigned managed identity, you don't need to provide the client Id. You only need to provide the client Id when you use user assigned managed identity.
  • Make sure the managed identity is granted either App Configuration Data Reader or App Configuration Data Owner role in the access control of your App Configuration instance.
  • Wait for at least 15 minutes after the role assignment for the permission to propagate.
  • Managed identity can ONLY work when your code is running in the Azure service. It will NOT work when running locally.

Upvotes: 21
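The points in the answer above, as an added example that is not code from the question or the answer. It chooses the credential the way the answer describes (no client id for a system-assigned identity, the identity's client id for a user-assigned one, and a non-managed-identity fallback for local runs, since managed identity only works inside the Azure service) and separates the two failures seen in the question: a CredentialUnavailableException (the 400 from the identity endpoint) means the given client id is not an identity attached to the compute resource, while a 403 from the store means a token was issued but the identity lacks the App Configuration Data Reader/Owner role, or the assignment has not propagated yet. The store URL, the environment variable names APPCONFIG_MI_CLIENT_ID and the use of IDENTITY_ENDPOINT / WEBSITE_SITE_NAME as an "am I running in Azure" heuristic are this example's assumptions, not the page's.

```csharp
using System;
using System.Linq;
using Azure;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

// Added example, not from the question or the answer.
internal static class Program
{
    // Pick the credential that matches how the identity was set up:
    //  - system-assigned MI: no client id at all
    //  - user-assigned MI:   the identity's *client id* (not its object/principal id, not the tenant id)
    //  - not running in Azure: DefaultAzureCredential, which can use az CLI / Visual Studio sign-in locally
    internal static TokenCredential BuildCredential(string userAssignedClientId, bool runningInAzure)
    {
        if (!runningInAzure)
        {
            return new DefaultAzureCredential();
        }

        return string.IsNullOrEmpty(userAssignedClientId)
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(userAssignedClientId);
    }

    private static void Main()
    {
        // Placeholder store URL (assumption).
        var endpoint = new Uri("https://myconfigstore.azconfig.io");

        // Assumed app setting: empty/unset means "use the system-assigned identity".
        string clientId = Environment.GetEnvironmentVariable("APPCONFIG_MI_CLIENT_ID");

        // Heuristic (assumption): App Service sets WEBSITE_SITE_NAME, and the managed identity
        // sidecar sets IDENTITY_ENDPOINT; neither is present on a developer machine.
        bool inAzure = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME"))
                    || !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT"));

        TokenCredential credential = BuildCredential(clientId, inAzure);

        try
        {
            IConfiguration configuration = new ConfigurationBuilder()
                .AddAzureAppConfiguration(options => options.Connect(endpoint, credential))
                .Build();

            Console.WriteLine("Number of keys: " + configuration.GetChildren().Count());
        }
        catch (CredentialUnavailableException ex)
        {
            // The identity endpoint answered 400 "identity has not been assigned to this resource":
            // no token was issued. Either managed identity is not enabled on this resource, or the
            // client id is not a user-assigned identity attached to it. RBAC is not the problem yet.
            Console.Error.WriteLine("Managed identity unavailable: " + ex.Message);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was issued, so the identity itself is fine; the store rejected it.
            // Grant App Configuration Data Reader (or Data Owner) on the store to this identity's
            // principal and allow time for the assignment to propagate.
            Console.Error.WriteLine("Forbidden by App Configuration (missing data-plane role): " + ex.Message);
        }
    }
}
```

If you would rather not branch on where the code runs, DefaultAzureCredential with DefaultAzureCredentialOptions.ManagedIdentityClientId set to the user-assigned identity's client id covers both cases: in Azure it resolves to the managed identity, and locally it falls through to a developer sign-in.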
