fifi

Reputation: 21

Programmatically SetSecrets to Key Vault in C# using DefaultAzureCredential()

Can someone please help me with the following error:

Azure.RequestFailedException
  HResult=0x80131500
  Message=Service request failed.
Status: 401 (Unauthorized)    
Content:
{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/db8e2ba9-95c1-4fbb-b558-6bf8bb1d2981/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/6e51e1ad-c54b-4b39-b598-0ffe9ae68fef/."}}

This is my code:

// Requires: using System; using Azure.Identity; using Azure.Security.KeyVault.Secrets;
// KeyvaultUri is a field holding the vault URL, e.g. https://<vault-name>.vault.azure.net/
protected string CreateVendorApiServerSecret(string name, string secret)
{
    var client = new SecretClient(new Uri(KeyvaultUri), new DefaultAzureCredential());
    // The local cannot reuse the parameter name "secret" (compile error CS0136), so it is named kvSecret.
    var kvSecret = new KeyVaultSecret(name, secret);
    client.SetSecret(kvSecret, default); //I get the error here
    KeyVaultSecret getSecret = client.GetSecret(name);
    string identifier = getSecret.Id.ToString();
    return identifier;
}

If I give the TenantId in the config files, it gives the following error:

Message=DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential authentication unavailable.

Upvotes: 1

Views: 2897

Answers (4)

deathrace

Reputation: 1073

If you are using Visual Studio, then set the tenant id in DefaultAzureCredentialOptions. You can also use InteractiveBrowserTenantId.

e.g.

// tenantId is the Key Vault's Azure AD tenant id; kvUri is the vault URL (both come from config).
var azureCredentialOptions = new DefaultAzureCredentialOptions();
#if DEBUG
// Developer builds only: pin the shared-cache account and the Visual Studio sign-in to the vault's tenant.
azureCredentialOptions.SharedTokenCacheUsername = "[email protected]";
//azureCredentialOptions.InteractiveBrowserTenantId = tenantId;
azureCredentialOptions.VisualStudioTenantId = tenantId;
#endif

DefaultAzureCredential credential = new DefaultAzureCredential(azureCredentialOptions);
var client = new SecretClient(new Uri(kvUri), credential);

Upvotes: 2

Michael Howard

Reputation: 761

Ok. I ran into the same issue and this solved my problem. Hope this helps. Mine actually dealt with Microsoft Account authentication.

  1. I have two Microsoft accounts and only one is authorized to access resources in my Azure portal.
  2. In Visual Studio go to File and Accounts.
  3. Log out of all accounts.
  4. Log back into the account that has access to the Azure resource.
  5. Re-run the code and, if authentication was your issue, you are golden. If not, don't vote me down for sharing an alternative unless you're a dick.

Upvotes: 1

AaronK

Reputation: 438

Adding the following code at initial startup worked for us:

// DefaultAzureCredential uses AZURE_TENANT_ID as the default tenant for the credentials in its chain,
// so this must run before the first DefaultAzureCredential is constructed.
const string tenantId = "put-tenant-id-here";
Environment.SetEnvironmentVariable("AZURE_TENANT_ID", tenantId);

Upvotes: 3

Allen Wu

Reputation: 16458

Please learn details about DefaultAzureCredential.

Environment - The DefaultAzureCredential will read account information specified via environment variables and use it to authenticate.

Managed Identity - If the application is deployed to an Azure host with Managed Identity enabled, the DefaultAzureCredential will authenticate with that account.

Visual Studio - If the developer has authenticated via Visual Studio, the DefaultAzureCredential will authenticate with that account.

Visual Studio Code - If the developer has authenticated via the Visual Studio Code Azure Account plugin, the DefaultAzureCredential will authenticate with that account.

Azure CLI - If the developer has authenticated an account via the Azure CLI az login command, the DefaultAzureCredential will authenticate with that account.

Interactive - If enabled the DefaultAzureCredential will interactively authenticate the developer via the current system's default browser.

I'm not sure which mechanism you are using to authenticate.

The easiest way is to sign in to Visual Studio with your Azure account. Then the DefaultAzureCredential will authenticate with that account.

No matter which mechanism you are using, make sure that the account has access to the key vault which you are trying to set secret into.

In your case, the reason is probably that you are using an account from another tenant. Please check.

There is an official sample here.

Use Visual Studio to open the project and then sign in to VS with your Azure account. Make sure this account has access to your Azure Key Vault.

Replace string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME"); with string keyVaultName = "{your own key vault name}"; {your own key vault name} should be an existing key vault which you have created.

Upvotes: 2
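The point both deathrace's and Allen Wu's answers make is that AKV10032 is a tenant mismatch: DefaultAzureCredential picked up whatever developer sign-in it found first (Visual Studio, shared token cache, Azure CLI), that sign-in belonged to a different Azure AD tenant, and Key Vault rejected the token because its issuer was not the vault's tenant. The following is an added example, not code from the question or any of the answers. It pins the whole credential chain to the vault's tenant, keeps developer-only credentials out of a deployed build so a service can never authenticate as a developer, and turns the AKV10032 response into a message that names both tenants. The names keyVaultUri, tenantId and isDeployed are placeholders assumed to come from configuration; `DefaultAzureCredentialOptions.TenantId` is the single tenant property in current Azure.Identity releases (older releases expose only the per-credential ones such as VisualStudioTenantId and SharedTokenCacheTenantId).

```csharp
// Added example (not from the question or any answer). Assumed inputs: keyVaultUri, tenantId, isDeployed.
using System;
using System.Linq;
using System.Text.RegularExpressions;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class VendorSecrets
{
    // Pin every credential in the chain to the vault's tenant. Without this, a developer signed in
    // to some other tenant in Visual Studio or the Azure CLI gets a token Key Vault rejects (AKV10032).
    public static TokenCredential BuildCredential(string tenantId, bool isDeployed)
    {
        var options = new DefaultAzureCredentialOptions
        {
            TenantId = tenantId,
            // A service must never pop a browser, and in a deployed build only the environment and
            // managed identity credentials should be tried; the rest are developer conveniences.
            ExcludeInteractiveBrowserCredential = true,
            ExcludeSharedTokenCacheCredential = isDeployed,
            ExcludeVisualStudioCredential = isDeployed,
            ExcludeVisualStudioCodeCredential = isDeployed,
            ExcludeAzureCliCredential = isDeployed,
            ExcludeAzurePowerShellCredential = isDeployed,
        };
        return new DefaultAzureCredential(options);
    }

    // Store a secret and return its versioned identifier. An AKV10032 401 is rethrown with a message
    // that says which tenant issued the token and which tenants the vault actually accepts.
    public static string CreateVendorApiServerSecret(Uri keyVaultUri, TokenCredential credential,
                                                   string name, string value)
    {
        var client = new SecretClient(keyVaultUri, credential);
        try
        {
            KeyVaultSecret stored = client.SetSecret(name, value);
            return stored.Id.ToString();
        }
        catch (RequestFailedException ex) when (ex.Status == 401 && ex.Message.Contains("AKV10032"))
        {
            throw new InvalidOperationException(DescribeIssuerMismatch(ex.Message), ex);
        }
    }

    // The AKV10032 text lists the accepted issuers before the word "found" and the actual issuer after it.
    public static string DescribeIssuerMismatch(string message)
    {
        var issuer = new Regex(@"https://sts\.windows\.net/([0-9a-fA-F-]{36})/");
        int foundAt = message.IndexOf("found ", StringComparison.Ordinal);
        if (foundAt < 0) return message;

        var expected = issuer.Matches(message.Substring(0, foundAt))
                             .Cast<Match>().Select(m => m.Groups[1].Value);
        string actual = issuer.Match(message.Substring(foundAt)).Groups[1].Value;

        return $"Token issued by tenant {actual}, but the vault accepts only {string.Join(", ", expected)}. " +
               "Set DefaultAzureCredentialOptions.TenantId (or AZURE_TENANT_ID) to the vault's tenant " +
               "and sign in with an account from that tenant.";
    }
}
```

Pinning the tenant only fixes the issuer; the identity still needs rights on the vault (a Key Vault RBAC role such as Key Vault Secrets Officer, or an access policy with the Set permission), otherwise the call fails with 403 instead of 401. Excluding the developer credentials when deployed is the part worth keeping even after the error goes away: a production service that silently falls back to an engineer's cached sign-in is using a human identity it should not have.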
