Reputation: 1
I think I'm having difficulty understanding authentication for public client applications, specifically in relation to the Azure key vault.
I've been able to write some C# which builds a public client application, registered with Azure, and I can authenticate using a broker and my Windows domain login to get an OAuth token without having to provide any password. I've successfully used that OAuth token to call the RESTful API for the key vault, and have retrieved some secrets. I've used RBAC to grant the necessary permissions.
However, I know I'm supposed to use SecretClient to accomplish this. SecretClient requires a credential, but what I have is an OAuth token. How can I create a credential that uses my OAuth token?
I've been playing with the DefaultAzureCredential object, but I've only been able to get this working with environment variables (using a confidential client, which isn't what I want), or with my Visual Studio credentials. This then doesn't work on the test PC.
Any assistance would be greatly appreciated!
Below is an example of the code I thought would work on a domain-joined PC where the user is logged in with their Entra ID.
using System;
using System.Windows.Forms;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

string tenantId = "<my tenant>";
// Pin the credential chain to one tenant and skip the environment-variable (confidential client) path.
DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions();
options.TenantId = tenantId;
options.ExcludeEnvironmentCredential = true;
DefaultAzureCredential credential = new DefaultAzureCredential(options);
SecretClient client = new SecretClient(new Uri("https://mykeyvault.vault.azure.net/"), credential);
string secretValue = client.GetSecret("mysecret").Value.Value;
MessageBox.Show(secretValue);
Upvotes: 0
Views: 1157
Reputation: 1
Answering my own question, I believe I've finally found the solution.
I created my own class inherited from TokenCredential and gave its constructor a parameter of an AccessToken which I stored in a private member variable.
I then overrode the GetToken and GetTokenAsync methods to return that AccessToken.
I'm able to use my new class as a credential for the SecretClient object, so pretty happy about that.
Upvotes: 0
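The pattern the self-answer describes, written out as an added example (this is not the poster's class or Microsoft's code). A credential that only hands back one fixed AccessToken stops working as soon as that token expires, because SecretClient calls GetToken on every request, so this version checks the remaining lifetime and re-acquires the token through a delegate. The delegate shown, AcquireTokenViaBrokerAsync, is a hypothetical stand-in built on the MSAL calls assumed to match the questioner's working broker sign-in (Microsoft.Identity.Client plus Microsoft.Identity.Client.Broker packages); the client id, tenant id and vault URL are placeholders. The scope https://vault.azure.net/.default is the real Key Vault scope that SecretClient passes in TokenRequestContext.Scopes.

```csharp
using System;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;

// Added example: adapts an access token obtained outside the Azure SDK so SecretClient can use it.
// It caches the token, refreshes it shortly before expiry, and never writes the raw bearer
// token anywhere but process memory.
public sealed class ExistingTokenCredential : TokenCredential
{
    // Re-acquires a token for the requested scopes; null means "static token only".
    private readonly Func<string[], CancellationToken, Task<AccessToken>> _acquire;
    private readonly SemaphoreSlim _refreshLock = new SemaphoreSlim(1, 1);
    private AccessToken _cached;

    // Refresh while this much lifetime remains so in-flight requests do not race the expiry and get a 401.
    private static readonly TimeSpan RefreshWindow = TimeSpan.FromMinutes(5);

    public ExistingTokenCredential(AccessToken initialToken,
        Func<string[], CancellationToken, Task<AccessToken>> acquire = null)
    {
        _cached = initialToken;
        _acquire = acquire;
    }

    public override AccessToken GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
        => GetTokenAsync(requestContext, cancellationToken).AsTask().GetAwaiter().GetResult();

    public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
    {
        if (!NeedsRefresh()) return _cached;

        await _refreshLock.WaitAsync(cancellationToken).ConfigureAwait(false);
        try
        {
            if (!NeedsRefresh()) return _cached;   // another caller refreshed while we waited
            if (_acquire == null)
                throw new InvalidOperationException(
                    "The supplied access token has expired and no refresh delegate was provided.");
            // requestContext.Scopes is what SecretClient asks for: https://vault.azure.net/.default
            _cached = await _acquire(requestContext.Scopes, cancellationToken).ConfigureAwait(false);
            return _cached;
        }
        finally
        {
            _refreshLock.Release();
        }
    }

    private bool NeedsRefresh() => _cached.ExpiresOn - DateTimeOffset.UtcNow < RefreshWindow;
}

static class Program
{
    // Hypothetical delegate standing in for the questioner's broker sign-in (assumed MSAL setup).
    // The Windows broker (WAM) signs in the logged-on domain account silently; no password is handled here.
    static async Task<AccessToken> AcquireTokenViaBrokerAsync(string[] scopes, CancellationToken ct)
    {
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create("<client id>")                                       // placeholder
            .WithAuthority(AzureCloudInstance.AzurePublic, "<tenant id>") // placeholder
            .WithDefaultRedirectUri()
            .WithBroker(new BrokerOptions(BrokerOptions.OperatingSystems.Windows))
            .Build();

        AuthenticationResult result = await app
            .AcquireTokenSilent(scopes, PublicClientApplication.OperatingSystemAccount)
            .ExecuteAsync(ct);

        // Carry the expiry along so the credential knows when to refresh.
        return new AccessToken(result.AccessToken, result.ExpiresOn);
    }

    static async Task Main()
    {
        string[] keyVaultScopes = { "https://vault.azure.net/.default" };
        AccessToken initial = await AcquireTokenViaBrokerAsync(keyVaultScopes, CancellationToken.None);

        var credential = new ExistingTokenCredential(initial, AcquireTokenViaBrokerAsync);
        var client = new SecretClient(new Uri("https://<keyvaultname>.vault.azure.net/"), credential); // placeholder

        KeyVaultSecret secret = await client.GetSecretAsync("mysecret");
        Console.WriteLine(secret.Value);
    }
}
```

Two checks worth keeping in mind with this approach: the token must have been issued for the Key Vault audience (requested with the https://vault.azure.net/.default scope), since Key Vault rejects a token minted for another resource even though the bearer header is well-formed; and because GetToken is called per request, passing the refresh delegate rather than a one-off token is what keeps a long-running test run from failing once the original token's lifetime elapses.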
Reputation: 10455
However, I know I'm supposed to use SecretClient to accomplish this. SecretClient requires a credential, but what I have is an OAuth token. How can I create a credential that uses my OAuth token?
According to this MS-Document, it is not possible to access SecretClient without credentials.
The SecretClient requires a credential to authenticate with the Azure service, with DefaultAzureCredential or ClientSecretCredential.
In ClientSecretCredential, you also need to pass clientId, clientSecret, and tenantId to fetch the secrets from KeyVault.
Code:
using System;
using System.Threading.Tasks;
using Azure.Security.KeyVault.Secrets;
using Azure.Identity;

namespace sample
{
    class Program
    {
        static async Task Main(string[] args)
        {
            // Service principal (confidential client) values; read these from configuration, not source.
            string clientId = "xxxx";
            string clientSecret = "xxxxx";
            string tenantId = "xxxxx";
            var clientCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
            var client = new SecretClient(new Uri("https://<keyvaultname>.vault.azure.net/"), clientCredential);
            string secretValue = client.GetSecret("secret").Value.Value;
            Console.WriteLine(secretValue);
        }
    }
}
As of now, you need to use PCA (OAuth token) flow only.
Reference: Azure Key Vault secret client library for .NET - Azure for .NET Developers | Microsoft Learn
Upvotes: 0