I'm setting up a KeyVault to remove secrets from my .NET Azure WebApp and pass CredScan and everything is hooked up correctly as far as I can tell.

The KeyVault exists in the same resource group as the app and has the required secrets. The App Service has explicit read-permissions set in the KeyVault's Access Policies. And all the correct parameters are used to create the API client in the code, following the documentation.

However when I use the standard API call to actually access a secret using the client, i.e.

using Azure.Identity;                      // DefaultAzureCredential
using Azure.Security.KeyVault.Secrets;     // SecretClient

SecretClient client = new SecretClient(keyVaultURI, new DefaultAzureCredential()); // keyVaultURI is a System.Uri
string secret = client.GetSecret(secretName).Value.Value;                           // KeyVaultSecret.Value holds the secret text

I get the following error:

DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user . Ensure that you have authenticated with a developer tool that supports Azure single sign on.

I'm guessing there must be some required config step or setting that I am unaware of.

Comments

  • Have you configured MSI for your Azure web app: learn.microsoft.com/en-us/azure/app-service/… Commented May 6, 2020 at 1:44
  • @JimXu Yes, and this was the root of the problem. The Access Policy I had set up in the Key Vault in the Azure Portal was not for the correct AAD identity. Following the standard MI setup steps for the correct App Service was sufficient to get it working. Commented May 7, 2020 at 2:08

1 Answer

I summarize the whole solution below.

If you want DefaultAzureCredential to access Azure Key Vault from an Azure App Service, you need to enable MSI and configure the right access policy for your MSI in Azure Key Vault. For more details, please refer to the document.

The detailed steps are as below.

a. Enable system-assigned MSI

  • Scroll down to the Settings group in the left navigation.
  • Select Identity.
  • Within the System assigned tab, switch Status to On. Click Save.

b. Configure access policy

  • Search for your Key Vault in “Search Resources dialog box” in Azure Portal.
  • Select "Overview", and click on Access policies
  • Click on "Add New", select "Secret Management" from the dropdown for "Configure from template"
  • Click on "Select Principal", and in the search field enter the Object ID of the web app MSI you created earlier. Select the web app in the result list and click "Select".
  • Click on "OK" to add the new Access Policy, then click "Save" to save the Access Policies
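The two failures in this thread map to two different stages: "no managed identity endpoint found" means step a (the identity) is missing on the App Service, while a token that is issued but rejected with 403 Forbidden means step b (the access policy) names the wrong principal or grants too little. The following is an added example, not code from the question or the answer, showing how the client code can tell those apart. It uses ManagedIdentityCredential directly when running inside App Service (detected via the WEBSITE_SITE_NAME variable App Service sets) so that the error is unambiguous, and falls back to the Azure CLI login for local development. The vault URI https://contoso-kv.vault.azure.net and the secret name DbPassword are hypothetical placeholders.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example (not from the original post). Vault name and secret name are hypothetical.
public static class KeyVaultSecrets
{
    // Inside App Service use the managed identity explicitly instead of the whole
    // DefaultAzureCredential chain: a failure then points at exactly one cause.
    // Outside App Service (developer machine) chain the managed identity with the
    // Azure CLI login, so the same code runs after "az login" without putting the
    // secret back into appsettings.json.
    public static TokenCredential BuildCredential()
    {
        bool inAppService = !string.IsNullOrEmpty(
            Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME"));

        return inAppService
            ? new ManagedIdentityCredential()
            : new ChainedTokenCredential(new ManagedIdentityCredential(), new AzureCliCredential());
    }

    public static string GetSecret(Uri vaultUri, string secretName)
    {
        var client = new SecretClient(vaultUri, BuildCredential());
        try
        {
            return client.GetSecret(secretName).Value.Value;
        }
        catch (CredentialUnavailableException ex)
        {
            // No token source at all ("no managed identity endpoint found"):
            // the system-assigned identity is not enabled on this App Service (step a).
            throw new InvalidOperationException(
                "No credential available. Enable the system-assigned identity on the App Service.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was issued but Key Vault refused it: the access policy is missing,
            // or it was granted to a different principal than this app's identity (step b).
            throw new InvalidOperationException(
                "Identity authenticated but is not permitted to read secrets. " +
                "Check that the Key Vault access policy uses the web app's identity Object ID.", ex);
        }
    }

    public static void Main()
    {
        var vaultUri = new Uri("https://contoso-kv.vault.azure.net/"); // hypothetical vault
        string value = GetSecret(vaultUri, "DbPassword");              // hypothetical secret name
        // Log only that the read worked, never the secret value itself.
        Console.WriteLine($"Secret read OK ({value.Length} characters).");
    }
}
```

Two practical notes. The principal you pick in "Select Principal" must be the App Service's managed identity (the Object ID shown on the Identity blade), not an app registration with a similar name; that mismatch is exactly what the comment above describes. And the "Secret Management" template grants every secret permission (set, delete, purge and so on); for an app that only reads configuration, granting only Get (plus List if it enumerates secrets) on the policy is the least-privilege choice.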