Enrico

Reputation: 6202

Azure KeyVault: how to create clientId and clientSecret?

I want to connect my application to KeyVault. Usually, I could create a New Client Secret and use it in my code.

using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Legacy Microsoft.Azure.KeyVault client: the app registration's clientId and
// clientSecret are exchanged for an access token through ADAL on every challenge.
var _keyVaultClient = new KeyVaultClient(
    async (string authority, string resource, string scope) =>
    {
        var authContext = new AuthenticationContext(authority);
        var clientCred = new ClientCredential(clientId, clientSecret);
        var result = await authContext.AcquireTokenAsync(resource, clientCred);
        return result.AccessToken;
    });

I could create a new client secret from the Azure Portal.

[screenshot: creating a new client secret in the Azure Portal]

Now, I can't find this option in KeyVault.

[screenshot: the Key Vault blade in the Azure Portal, with no client secret option]

In Program.cs I have something like

using Azure.Identity;

var keyVaultEndpoint = new Uri(Environment.GetEnvironmentVariable("VaultUri"));
configApp.AddAzureKeyVault(keyVaultEndpoint, new DefaultAzureCredential()); // credential chosen at run time, no secret in code

Locally it is working, but when I deploy the application to Azure I get this error:

Application '/LM/W3SVC/1699246683/ROOT' with physical root 'C:\home\site\wwwroot' has exited from Program.Main with exit code = '0'. First 30KB characters of captured stdout and stderr logs:

[10:15:57 FTL] Host terminated unexpectedly Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials.

EnvironmentCredential authentication unavailable. Environment variables are not fully configured.

ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.

SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.

at Azure.Identity.DefaultAzureCredential.GetTokenAsync(Boolean isAsync, TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthenticateRequestAsync(HttpMessage message, Boolean async)
at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.ProcessCoreAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline)
at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline)
at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
at Azure.Security.KeyVault.KeyVaultPipeline.GetPageAsync[T](Uri firstPageUri, String nextLink, Func`1 itemFactory, String operationName, CancellationToken cancellationToken)
at Azure.Core.PageResponseEnumerator.FuncAsyncPageable`1.AsPages(String continuationToken, Nullable`1 pageSizeHint)+MoveNext()
at Azure.Core.PageResponseEnumerator.FuncAsyncPageable`1.AsPages(String continuationToken, Nullable`1 pageSizeHint)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
at Azure.AsyncPageable`1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext()
at Azure.AsyncPageable`1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext()
at Azure.AsyncPageable`1.GetAsyncEnumerator(CancellationToken cancellationToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.LoadAsync()
at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.LoadAsync()
at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.Load()
at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
at Microsoft.Extensions.Hosting.HostBuilder.Build()
at Skoruba.IdentityServer4.STS.Identity.Program.Main(String[] args) in C:\Projects\IdentityServer4\src\Skoruba.IdentityServer4.STS.Identity\Program.cs:line 26

Process Id: 13436. File Version: 13.1.20234.8. Description: IIS ASP.NET Core Module V2 Request Handler. Commit: c75b3f7a2fb9fe21fd96c93c070fdfa88a2fbe97

Upvotes: 2

Views: 6721

Answers (1)

krishg

Reputation: 6508

You are using DefaultAzureCredential, which combines credentials commonly used to authenticate when deployed with credentials used to authenticate in a development environment. DefaultAzureCredential will attempt to authenticate via the following mechanisms, in order:

[diagram: the DefaultAzureCredential credential sequence]

The reason it works on your local machine is most probably that it's able to authenticate using one of the credentials from your local box (the orange ones above).

Now, for the deployed environment, you need to do one of the following:

  1. Set up Managed Service Identity and give it access to Key Vault. For example, in Azure App Service, enable it from the Identity blade in the portal and then assign an access policy in the key vault (the identity name will be the same as the App Service name).

  2. Set client credentials in environment variables (e.g. in App Settings in the case of a Web App).

Upvotes: 7
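An added example, not code from the question or the answer, that puts the answer's two options into the Program.cs wiring from the question: in the deployed environment only ManagedIdentityCredential (option 1) and EnvironmentCredential (option 2) stay in the chain, so a missing identity fails with one clear message instead of the chain of unrelated failures in the question. KeyVaultCredentialFactory and CreateHostBuilder are names chosen here; VaultUri is the app setting from the question.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static class KeyVaultCredentialFactory
{
    // Hypothetical helper name. Picks the credential per environment so the deployed
    // app never depends on developer sign-ins that only exist on a local box.
    public static TokenCredential Create(IHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Local: the full chain is fine (Visual Studio, Azure CLI, shared token cache ...).
            return new DefaultAzureCredential();
        }

        // Deployed: keep only EnvironmentCredential (option 2: AZURE_TENANT_ID,
        // AZURE_CLIENT_ID, AZURE_CLIENT_SECRET in App Settings) and
        // ManagedIdentityCredential (option 1: Identity blade + Key Vault access policy).
        // With the developer credentials excluded, a missing managed identity surfaces
        // as a single "no managed identity endpoint found" failure.
        return new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            ExcludeSharedTokenCacheCredential = true,
            ExcludeVisualStudioCredential = true,
            ExcludeVisualStudioCodeCredential = true,
            ExcludeAzureCliCredential = true,
        });
    }

    // Program.cs wiring (Generic Host). Failing loudly on a missing VaultUri setting
    // beats a confusing token error later in the configuration provider's Load().
    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((ctx, configApp) =>
            {
                var vaultUri = Environment.GetEnvironmentVariable("VaultUri")
                    ?? throw new InvalidOperationException("VaultUri app setting is not set.");
                configApp.AddAzureKeyVault(new Uri(vaultUri), Create(ctx.HostingEnvironment));
            });
}
```

Managed identity is the safer of the two options because no client secret has to be stored in App Settings or rotated; if the App Service uses a user-assigned identity, also set ManagedIdentityClientId in the options.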
