Griddy

Reputation: 123

Access Azure AppConfiguration with System managed Identity using DefaultAzureCredential

I have a functionApp (V3) that is trying to access App Configuration using the DefaultAzureCredential. My System managed identity is switched on and has the "App Configuration Data Reader" role. I am running this locally in debug, hence the need for a default credential. I also have multiple Tenants, so I had to set the VisualStudioTenantId and SharedTokenCacheTenantId on DefaultAzureCredentialOptions.

The credential works when accessing Key Vault to fetch a secret, but it needs SharedTokenCacheTenantId to be set.

When connecting to App Configuration I get "Service request failed. Status: 403 (Forbidden)."

See code below:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Azure.Functions.Extensions.DependencyInjection;
using Microsoft.Extensions.Configuration;

// Note: the base method returns void, so this override has to be async void;
// an exception thrown after the await is not observable by the host.
public override async void ConfigureAppConfiguration(IFunctionsConfigurationBuilder builder)
{
    // The endpoints were undeclared in the original snippet; the setting names
    // below are assumed and read from app settings like Tenant_Id.
    var vaultURI = Environment.GetEnvironmentVariable("KeyVault_Uri");
    var appConfigURI = Environment.GetEnvironmentVariable("AppConfig_Uri");

    var credOptions = new DefaultAzureCredentialOptions();

    var tenantId = Environment.GetEnvironmentVariable("Tenant_Id");

    // Multiple tenants: pin the developer credentials used for local debugging
    // (Visual Studio, shared token cache) to the tenant that owns the resources.
    credOptions.VisualStudioTenantId = tenantId;

    credOptions.SharedTokenCacheTenantId = tenantId;

    var cred = new DefaultAzureCredential(credOptions);

    /*Works but requires SharedTokenCacheTenantId*/
    var secretClient = new SecretClient(new Uri(vaultURI), cred);
    var secret = await secretClient.GetSecretAsync("<secret name>");

    /*Does not work - forbidden*/
    builder.ConfigurationBuilder.AddAzureAppConfiguration(options =>
    {
        options.Connect(new Uri(appConfigURI), cred);
    }).Build(); // Build() here produces a throwaway IConfiguration; the Functions host builds the real one.

}

Thank you!

Upvotes: 1

Views: 1915

Answers (1)

Griddy

Reputation: 123

Credit to zhenlan here for answering my question. My local Visual Studio user needed to be granted the "App Configuration Data Reader" as well to debug my code locally.

Upvotes: 3
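The answer above comes down to one fact: DefaultAzureCredential resolves to the developer's own account when debugging locally and to the Function App's system-assigned identity when running in Azure, and each principal needs its own "App Configuration Data Reader" assignment on the store. The script below is an added example (not code from the question or answer) that grants the data-plane role to both principals, scoped to the single store rather than the resource group, and skips the assignment if it already exists. It assumes an az CLI recent enough that `az ad signed-in-user show` returns `id` and `az role assignment create` accepts `--assignee-principal-type`; the names my-appconfig, my-rg and my-funcapp are placeholders.

```shell
#!/usr/bin/env sh
# Added example: assign "App Configuration Data Reader" to the two identities
# DefaultAzureCredential can resolve to, scoped to one store (least privilege).
# Placeholder names: my-appconfig, my-rg, my-funcapp.
set -eu

ROLE="App Configuration Data Reader"

# ARM resource ID of the store; the role is scoped to this ID only.
store_id() {                      # $1=store name  $2=resource group
  az appconfig show --name "$1" --resource-group "$2" --query id -o tsv
}

# Object ID of the account signed in to az CLI: the developer identity that
# DefaultAzureCredential picks up while debugging locally.
signed_in_user_id() {
  az ad signed-in-user show --query id -o tsv
}

# Principal ID of the Function App's system-assigned managed identity: the
# identity DefaultAzureCredential uses once the app runs in Azure.
function_identity_id() {          # $1=function app name  $2=resource group
  az functionapp identity show --name "$1" --resource-group "$2" \
    --query principalId -o tsv
}

# Returns 0 when the principal already holds ROLE at the scope, 1 otherwise.
has_role() {                      # $1=principal object id  $2=scope
  count=$(az role assignment list --assignee "$1" --scope "$2" \
            --role "$ROLE" --query "length(@)" -o tsv)
  [ "${count:-0}" -gt 0 ]
}

# Idempotent: creates the assignment only when missing; prints exists|created.
ensure_role() {                   # $1=principal object id  $2=User|ServicePrincipal  $3=scope
  if has_role "$1" "$3"; then
    echo "exists"
  else
    az role assignment create --assignee-object-id "$1" \
      --assignee-principal-type "$2" --role "$ROLE" --scope "$3" >/dev/null
    echo "created"
  fi
}

main() {
  scope=$(store_id my-appconfig my-rg)
  ensure_role "$(signed_in_user_id)" User "$scope"                            # local debugging
  ensure_role "$(function_identity_id my-funcapp my-rg)" ServicePrincipal "$scope"  # deployed app
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it with `--apply` after `az login` into the tenant that owns the store; a new assignment can take a few minutes to become effective for the data plane.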
