Reputation: 2425
I have a Visual Studio 2022 solution that includes multiple project types, one of which is a .NET Core website and the other is an Azure Function app.
I'm using Azure Key Vault to store secrets, and I'm using the DefaultAzureCredential to retrieve secrets in the website project without any issues.
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
var keyVaultUrl = Environment.GetEnvironmentVariable("AzureKeyVaultUrl");
// DefaultAzureCredential walks its credential chain and uses the first one that returns a token.
var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
var storageAccountName = client.GetSecretAsync("StorageAccountName").GetAwaiter().GetResult().Value;
However, when I run the Azure Function app locally and try to retrieve secrets from Azure Key Vault in the same way, I get the following error message:
Azure.Identity.AuthenticationFailedException: SharedTokenCacheCredential authentication failed: AADSTS9002332: Application 'cfa8b339-82a2-471a-ju0L-0fc0be7a4093' (Azure Key Vault) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.
I suspect that the error is related to the identity of the process running the Azure Function app in Visual Studio.
I've checked that I'm running Visual Studio as an admin, but the error still persists.
I have also checked Tools > Options > Azure Service Authentication is set correctly and signed in.
How can I check the identity of the process running the Azure Function app in Visual Studio?
Any suggestions on how to fix this issue would be greatly appreciated.
Upvotes: 0
Views: 821
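An added example (not code from either post) that addresses the "how can I check the identity of the process" part of the question: it requests a Key Vault token through DefaultAzureCredential, logs which credential in the chain supplied it, and decodes the token's tenant and identity claims, with SharedTokenCacheCredential (the one failing in the stack trace above) excluded from the chain. It assumes the Azure.Identity package is referenced, that the public-cloud Key Vault scope https://vault.azure.net/.default is the right audience, and that AZURE_TENANT_ID may optionally be set to pin the tenant.

```csharp
using System;
using System.Diagnostics.Tracing;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;
// Added example: shows which identity the local process authenticates as and which
// credential in the DefaultAzureCredential chain produced the token. Assumes Azure.Identity is referenced.
public static class WhoAmI
{
    public static async Task Main()
    {
        // Log each credential the chain tries and the one that finally succeeds.
        using AzureEventSourceListener listener =
            AzureEventSourceListener.CreateConsoleLogger(EventLevel.Informational);
        var options = new DefaultAzureCredentialOptions
        {
            // The credential that failed in the question; skipping it keeps a personal
            // account left in the shared cache from being chosen before the work account.
            ExcludeSharedTokenCacheCredential = true,
            // Optionally pin the tenant (AZURE_TENANT_ID) so CLI / Visual Studio credentials
            // cannot hand back a token for a different directory. Null keeps the default.
            TenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID")
        };
        var credential = new DefaultAzureCredential(options);
        // Same audience SecretClient requests for Key Vault in the public cloud (assumption).
        var scope = new TokenRequestContext(new[] { "https://vault.azure.net/.default" });
        AccessToken token = await credential.GetTokenAsync(scope, default);
        using JsonDocument doc = JsonDocument.Parse(DecodeJwtPayload(token.Token));
        JsonElement c = doc.RootElement;
        Console.WriteLine($"tenant (tid):             {Claim(c, "tid")}");
        Console.WriteLine($"object id (oid):          {Claim(c, "oid")}");
        Console.WriteLine($"user (upn) / app (appid): {Claim(c, "upn")} / {Claim(c, "appid")}");
        Console.WriteLine($"expires:                  {token.ExpiresOn:u}");
    }
    static string Claim(JsonElement root, string name) =>
        root.TryGetProperty(name, out JsonElement v) ? v.ToString() : "(absent)";
    // The JWT payload is unpadded base64url; this inspects the token, it does not validate it.
    static string DecodeJwtPayload(string jwt)
    {
        string p = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        p = p.PadRight(p.Length + (4 - p.Length % 4) % 4, '=');
        return Encoding.UTF8.GetString(Convert.FromBase64String(p));
    }
}
```

If tid is not your organisation's tenant, or upn is a personal account, the cached sign-in Visual Studio is using is the one to replace under Tools > Options > Azure Service Authentication.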
Reputation: 3649
I tried the code below in my environment for getting my secrets from Key Vault:
Code:
using System;
using System.Net;
using Microsoft.AspNetCore.Http;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Routing;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Azure.WebJobs;
using Microsoft.Extensions.Logging;

namespace keyvaultfunction
{
    public static class Function1
    {
        [FunctionName("Function1")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)]
            HttpRequest req, ILogger log)
        {
            string secretName = "<secret_name>";
            string keyVaultName = "<keyvault_name>";
            try
            {
                // AzureServiceTokenProvider takes a token from the local developer
                // sign-in (Visual Studio / Azure CLI) or from the managed identity in Azure.
                var azureServiceTokenProvider = new AzureServiceTokenProvider();
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(
                        azureServiceTokenProvider.KeyVaultTokenCallback));
                // Get the secret value from Key Vault
                var secret = await keyVaultClient.GetSecretAsync(
                    $"https://{keyVaultName}.vault.azure.net/secrets/{secretName}")
                    .ConfigureAwait(false);
                return new OkObjectResult(secret.Value);
            }
            catch (Exception ex)
            {
                log.LogError(ex.Message);
                return new StatusCodeResult((int)HttpStatusCode.InternalServerError);
            }
        }
    }
}
Output:
Received the HTTP URL of my function:
With the above URL, I got my secret value in the browser like below:
Which is the same secret value in the Azure portal:
In order to resolve your error, check the solution in the GitHub issue link below and try the above code:
Upvotes: 0