Access Azure Key Vault with Managed Identity on Azure Batch running .NET Console Application

Question

Is it possible to access Azure Key Vault Secrets with Azure Managed Identity setup on the Azure Batch? I've read through Microsoft docs and the only option I technically see is using certificate based authentication to access key vault within the .net console application. Since Managed Identities can be used in Azure Batch, I figured DefaultAzureCredential could be taken advantage of. I've had no luck in getting it to work.

Has anyone been able to get it to work like this, or am I going to have to settle for using certificate based authentication? Microsoft if you see this... Is there something in the works to get something like this working with Managed Identities

Technologies in play:

• Azure Managed Identity: User-Assigned (id: xxxx)
• Azure Key Vault
  • Added Managed Identity (id: xxx) to access policy with secrets access: get, list
• Azure Batch
  • Batch Pool
    • Managed Identity (id: xxxx) Installed
    • Application: .Net Console Application (where code below resides)
• .Net Console Application
  • .Net6

Here is what I am attempting to do:

DefaultAzureCredential credential = new DefaultAzureCredential( 
    new DefaultAzureCredentialOptions()
      {
         ManagedIdentityClientId = "xxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxx"
      });
            
Uri uri = new("https://xxxxxxx.vault.azure.net/"); //Also Tried "https://xxxxxxx.vault.azure.net/secrets/"
            
SecretClient client = new(uri, credential);
var secret = await client.GetSecretAsync(secretName);
return secret?.Value.Value;

Error I receive from Batch Job's Task (filtered to show the ManagedIdentityCredential error)

Unhandled exception. Azure.Identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)

Content:
{"error":"invalid_request","error_description":"Identity not found"}

Headers:
Server: IMDS/150.870.65.684
Date: Wed, 27 Jul 2022 17:47:07 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 68

   at Azure.Identity.ImdsManagedIdentitySource.HandleResponseAsync(Boolean async, TokenRequestContext context, Response response, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ImdsManagedIdentitySource.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityClient.AuthenticateAsync(Boolean async, TokenRequestContext context, CancellationToken cancellationToken)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex, String additionalMessage)
   at Azure.Identity.ManagedIdentityCredential.GetTokenImplAsync(Boolean async, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
   at Azure.Identity.ManagedIdentityCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthenticateRequestAsync(HttpMessage message, Boolean async)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.ProcessCoreAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.RedirectPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
   at Azure.Core.Pipeline.RedirectPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted(ValueTask task)
   at Azure.Core.Pipeline.RetryPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelinePolicy.ProcessNext(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.Process(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipeline.Send(HttpMessage message, CancellationToken cancellationToken)
   at Azure.Core.Pipeline.HttpPipeline.SendRequest(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
   at Azure.Security.KeyVault.Secrets.SecretClient.GetSecret(String name, String version, CancellationToken cancellationToken)
   at wileyulab.infrastructure.SimpleService.Execute(String[] args) in C:\AzDo\WileyU\wiley-u-lab\wileyulab.infrastructure\SimpleService.cs:line 55
   at wileyulab.consoleapp.simple.Program.Main(String[] args) in C:\AzDo\WileyU\wiley-u-lab\wileyulab.consoleapp.simple\Program.cs:line 70

Answer 1

The error below may occur due to one of the following actions not properly configured.

Unhandled exception. Azure.Identity.CredentialUnavailableException: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.

• Please make sure to ENABLE managed identity in the Azure service before using .

• As you have you user-asigned managed identity with the DefaultAzureCredential ,you need to provide the client Id and make sure specify the clientId in code by setting environment variables.

  AZURE_CLIENT_ID - service principal's app id
  AZURE_TENANT_ID - principal's Azure Active Directory tenantId
  AZURE_CLIENT_SECRET - service principal's client secrets
  

• Make sure the managed identity is granted proper role like contributor or reader to access the batch and keyvault.

• In the Azure portal, after the Key Vault is created,please add the Batch account access using managed identity in the Access Policy under Setting which is Under Key Permissions. select Get,list,create, Wrap Key and Unwrap Key etc which are needed

  

Note:

And please Wait for at least 15 minutes for role to propagate and then try to access.

Please make sure you are logged in into Visual Studio within azure with proper roles/rights as Managed identity can work only when it is running in the Azure service. It will NOT work when run locally.

References:

1. Configure customer-managed keys for your Azure Batch account with Azure Key Vault and Managed Identity - Azure Batch | Microsoft Docs
2. TROUBLESHOOTING· GitHub