Reputation: 501
Azure.RequestFailedException in Azure.Security.KeyVault.Secrets
I have developed a service running in an Azure Virtual Machine Scale Set that accesses configuration from the Azure Key Vault. Recently, when debugging this service, I have started to receive a RequestFailedException when accessing the configuration.
In Azure, the Key Vault is accessed through a User-Assigned Managed Identity that has the appropriate permissions. The service is currently working fine in Azure, but I am unable to debug locally. I have selected my Azure account in the Azure Service Authentication configuration section of Visual Studio 2019 version 16.8.6, and this account has permissions to the Key Vault (which is configured to allow access from all networks).
Here is a snippet showing how I access the key vault using Azure Identity 1.2.2 and Azure.Security.KeyVault.Secrets 4.1.0 on the .NET Core 3.1 platform:
private const string KeyVault = "https://<key vault name>.vault.azure.net/";
var client = new SecretClient(new Uri(KeyVault), new DefaultAzureCredential());
var secret = client.GetSecret("<name of secret in key vault>");
Apparently the DefaultAzureCredential uses the VisualStudioCredential to resolve access, but this has somehow been broken by an update to Visual Studio (the only thing changed since my last successful debug session) or possibly a change in policy from Azure Key Vault.
Full exception
Exception thrown: 'Azure.RequestFailedException' in Azure.Security.KeyVault.Secrets.dll
An unhandled exception of type 'Azure.RequestFailedException' occurred in Azure.Security.KeyVault.Secrets.dll
Service request failed.
Status: 403 (Forbidden)
Content:
{"error":{"code":"Forbidden","message":"Access denied to first party service.\r\nCaller: name=from-infra;tid=<redacted>;appid=<redacted>;iss=https://sts.windows.net/<appid>/\r\nVault: <key vault name>;location=australiaeast","innererror":{"code":"AccessDenied"}}}
Upgrading the library
I upgraded the Azure.Identity library to version 1.3.0. This produced a more detailed exception:
Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException: SharedTokenCacheCredential authentication failed: AADSTS9002332: Application 'cfa8b339-82a2-471a-a3c9-0fc0be7a4093'(Azure Key Vault) is configured for use by Azure Active Directory users only.
The full exception is described in this question. It seems the DefaultAzureCredential is attempting to use a SharedTokenCacheCredential. I updated my code to explicitly disable shared token cache credentials:
private const string KeyVault = "https://<key vault name>.vault.azure.net/";
var options = new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true };
var client = new SecretClient(new Uri(KeyVault), new DefaultAzureCredential(options));
However this produces the original exception as described above. The accepted answer to the linked question encodes the tenant id, client id, and user secret into the application which I am reluctant to do. Example documentation uses the alternate libraries Microsoft.Azure.Services.AppAuthentication and Microsoft.Azure.KeyVault.
My service is running fine in Azure. I would like to debug it locally, as I was a couple of months ago. Is there anything I can do?
Upvotes: 4
Views: 16574
Answers (3)
Reputation: 103
This is a bit late to the party, but I overcame this issue by explicitly setting my tenant ids via DefaultAzureCredentialOptions. It seems that if you are using a tenant that you set up using a personal account via an 'onmicrosoft.com' domain, then Visual Studio/Code gets a bit confused.
Just add code that looks like this:
var options = new DefaultAzureCredentialOptions();
options.VisualStudioCodeTenantId = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"; // substitute your Azure AD tenant ID
options.VisualStudioTenantId = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx";
options.SharedTokenCacheTenantId = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx";
var credential = new DefaultAzureCredential(options);
var client = new SecretClient(new Uri(<kvUri>), credential); // substitute your KV Uri
await client.SetSecretAsync(<secretName>, <secretValue>);
Cheers,
Tim.
Upvotes: 0
Reputation: 501
To work around this issue without hard-coding secrets, disable the Visual Studio authentication credential and use an alternate authentication method.
In my case, I used the AzureCliCredential. First I logged into Azure in my development environment with the account that has access to the Key Vault (the same account selected in Visual Studio's 'Azure Service Authentication' configuration):
az login
Then I updated the code to either use the DefaultAzureCredential with the VisualStudioCredential disabled, or used a ChainedTokenCredential selecting the appropriate methods:
var options = new DefaultAzureCredentialOptions { ExcludeVisualStudioCredential = true };
var client = new SecretClient(new Uri(KeyVault), new DefaultAzureCredential(options));
Or:
var credentials = new ChainedTokenCredential(new ManagedIdentityCredential(...), new AzureCliCredential());
var client = new SecretClient(new Uri(KeyVault), credentials);
I believe this is a bug with Visual Studio and an issue has been logged.
Upvotes: 7
Reputation: 12153
If you want to debug your app locally and you need to access Azure Key vault, but DefaultAzureCredential() function does not work for you locally for some reason, you can try to use ClientSecretCredential as a workaround to access your Azure Key Vault from local.
For this, you need to register a new Azure AD App with a secret:
And add access policy for this app in your key vault:
With this step is done, this app has been granted permission to access key vault.
Try the simple console app to access your key vault by ClientSecretCredential:
using System;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
namespace key_vault_console_app
{
class Program
{
static async Task Main(string[] args)
{
const string secretName = "<secret name>";
var keyVaultName = "<kv name>";
var kvUri = $"https://{keyVaultName}.vault.azure.net";
var tenantID = "<your tenant id>";
var appID = "<new registered azure ad app>";
var appSec = "<app secret>";
var userCred = new ClientSecretCredential(tenantID, appID, appSec);
var client = new SecretClient(new Uri(kvUri), userCred);
Console.Write(client.GetSecret(secretName).Value.Value);
}
}
}
Result:
Upvotes: 0
Related Questions
- Azure KeyVault: Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials
- Issue in accessing Azure Keyvault - DefaultAzureCredential failed to retrieve a token
- Exception while connecting to KeyVault from Azure VM
- Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: 'Operation returned an invalid status code 'BadRequest''
- Sudden System.Net.Http.HttpRequestException with Azure KeyVault
- KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
- Azure Keyvault error: Tried the following 3 methods to get an access token, but none of them worked
- Azure C# KeyVaultErrorException: Operation returned an invalid status code 'Forbidden'
- Azure KeyVault Secret Get Throws Authentication Error
- Microsoft.Azure.KeyVault.KeyVaultClientException :Service Error information was not available