
I'm trying to connect my .NET Core 3.1 app up to an Azure Key Vault. I've followed the quickstart tutorial, and am getting the following error:

Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException: 'DefaultAzureCredential authentication failed.. ErrorCode:, Key:Authentication:Twitter:ConsumerAPIKey

The inner exception is:

MsalServiceException: AADSTS70002: The client does not exist or is not enabled for consumers

The CreateHostBuilder method looks like this:

using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
        {
            webBuilder
                .ConfigureAppConfiguration((hostingContext, config) =>
                {
                    // Build the providers registered so far (appsettings.json, environment
                    // variables, ...) so the App Configuration connection string can be read.
                    var settings = config.Build();

                    config.AddAzureAppConfiguration(options =>
                    {
                        options.Connect(settings["ConnectionStrings:AppConfig"])
                            // Key Vault references held in App Configuration are
                            // resolved with this credential.
                            .ConfigureKeyVault(kv =>
                            {
                                kv.SetCredential(new DefaultAzureCredential());
                            });
                    });
                })
                .UseStartup<Startup>();
        });

I've found very little reference to this online, except one post relating to using multiple credentials (which I am not).

Can anyone give me a way forward on this: some clue as to what might be causing it?

EDIT

The following seems to work:

// <tenant id> and <my azure username> are placeholders for the Azure AD tenant ID
// and the account signed in to Visual Studio.
var defaultAzureCredentialsOptions = new DefaultAzureCredentialOptions()
{
    SharedTokenCacheTenantId = <tenant id>,
    SharedTokenCacheUsername = <my azure username>,
    ExcludeInteractiveBrowserCredential = false,
    ExcludeEnvironmentCredential = false,
    InteractiveBrowserTenantId = <tenant id>
};

config.AddAzureAppConfiguration(options =>
{
    options.Connect(settings["ConnectionStrings:AppConfig"])
        .ConfigureKeyVault(kv =>
        {
            kv.SetCredential(new DefaultAzureCredential(defaultAzureCredentialsOptions));
        });
});

Whilst this does work (as far as it goes), I now have the tenant ID and my username hard-coded, along with a pop-up asking me to log in when I launch the site.

  • It could be picking up an account you have authenticated to in Visual Studio to access the Key Vault, but the account is a personal Microsoft account that does not exist in the Azure AD. You can try specifying your Azure AD tenant id as the SharedTokenCacheTenantId (IIRC), as well as other tenant ids in the options object. Commented May 25, 2020 at 8:04
  • @juunas - you might be onto something. If I specify SharedTokenCacheTenantId and SharedTokenCacheUsername I get a forbidden error from Key Vault. Although I've given my username every permission available in the Access Policies blade, I still get a forbidden message. Commented May 25, 2020 at 13:13
  • Okay that is odd :\ Commented May 25, 2020 at 13:15
  • @juunas following your suggestion, I have sort of got it working (see edit). My guess is that I'm missing some config or setting (clearly I shouldn't have to hard code my tenant id and username into the system) Commented May 25, 2020 at 13:31
  • Oh the pop-up is pretty weird. Are the interactive credentials disabled in the options for DefaultAzureCredential? Commented May 25, 2020 at 14:22

1 Answer


The DefaultAzureCredential goes through a number of credentials, such as Managed Identity, which is recommended for Azure services as being more secure (no shared access tokens).

You can, however, use environment variables set for your application or even during local development, namely:

  • AZURE_TENANT_ID : the tenant ID
  • AZURE_CLIENT_ID : the service principal ID, which must have been granted the necessary permissions (e.g. list and get) for how you're using them in your example
  • AZURE_CLIENT_SECRET : the service principal secret (password), which was shown to you only after it was created

If you use the new preview version of Azure.Identity, it also supports Azure CLI, Visual Studio, and other credentials for development environments. For example, if you use the Azure CLI, once you run az login, DefaultAzureCredential will just work.


10 Comments

Adding the service principal does work locally. I tried installing the preview of Azure.Identity - it made no difference. So, I have a related question around deployment. The deployed version doesn't work - I assume because the environment variables AZURE_CLIENT_ID, etc. are not set; but surely these need to be encrypted (i.e. in KeyVault)?
They need to be secured in your application configuration, but cannot be encrypted by Key Vault because they are needed to access Key Vault. If your platform already supports encrypting secrets at rest (e.g. Azure Pipelines or GitHub Actions), those environment variable values would be best kept as secrets; however, why not just use those platforms' secrets then? But for your hosted application, adding those required environment variables is common - the hope being that very few - and trusted - people can access/change your application's settings.
That’s sort of what I was getting at. At some stage, you need to store the keys to the castle outside of KeyVault, I’m starting to wonder what the advantage of using it at all is. It seems like wherever you store the key, you might as well store the rest of the values :-)
(Sorry, this has clearly drifted away from the question). If you’re storing details that allow you to access the KeyVault, then KeyVault is only as secure as its keys. So why not just store everything wherever you would store the KeyVault secret: it’s, by definition, no less secure.
I just want to emphasize @PaulMichaels's point. If you're using KeyVault to store config secrets, and you store your KeyVault credentials in your config, there's no point in using KeyVault. If your config becomes compromised, then your Keyvault is as well, so it defeats the purpose.
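The answer recommends Managed Identity for the hosted app and developer sign-in (Azure CLI, Visual Studio) locally, and the comment thread makes the point that a Key Vault credential kept in application config undoes the benefit of Key Vault. The following is an added example, not code from the question, the answer or the Azure SDK docs, showing one way to put both into the poster's CreateHostBuilder. Both the App Configuration store and the Key Vault references behind it are reached with a TokenCredential, so neither a connection string (which embeds an access key) nor a client secret is stored anywhere. The credential chain is chosen explicitly per environment rather than letting DefaultAzureCredential probe the shared token cache, which is how a personal Microsoft account in Visual Studio can produce the AADSTS70002 error and the log-in pop-up described above. Assumptions: the store endpoint is supplied in an environment variable named APPCONFIG_ENDPOINT (a name chosen here), the deployed app's managed identity has been granted App Configuration Data Reader on the store and a Key Vault access policy with Get and List on secrets, the developer has run az login (or is signed in to Visual Studio) against the tenant that owns the resources, Azure.Identity 1.2 or later is referenced (VisualStudioCredential), and Startup is the poster's existing class.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public class Program
{
    public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

    public static IHostBuilder CreateHostBuilder(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureWebHostDefaults(webBuilder =>
            {
                webBuilder
                    .ConfigureAppConfiguration((hostingContext, config) =>
                    {
                        // APPCONFIG_ENDPOINT is an assumed variable name. It carries only the
                        // store's URL (https://<name>.azconfig.io), not an access key.
                        var endpoint = Environment.GetEnvironmentVariable("APPCONFIG_ENDPOINT")
                            ?? throw new InvalidOperationException("APPCONFIG_ENDPOINT is not set");

                        var credential = BuildCredential(hostingContext.HostingEnvironment);

                        config.AddAzureAppConfiguration(options =>
                        {
                            // Azure AD auth to the App Configuration store itself, so the
                            // ConnectionStrings:AppConfig setting can be deleted.
                            options.Connect(new Uri(endpoint), credential)
                                // The same identity resolves the Key Vault references.
                                .ConfigureKeyVault(kv => kv.SetCredential(credential));
                        });
                    })
                    .UseStartup<Startup>();
            });

    // Choose the credential chain explicitly instead of letting DefaultAzureCredential
    // try every source. No SharedTokenCacheCredential (the source that picks up a
    // personal Microsoft account signed in to Visual Studio) and no
    // InteractiveBrowserCredential (the source behind the log-in pop-up).
    public static TokenCredential BuildCredential(IHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Local development: reuse the developer's own sign-in. Nothing
            // tenant- or user-specific is hard-coded in the project.
            return new ChainedTokenCredential(
                new AzureCliCredential(),
                new VisualStudioCredential());
        }

        // Hosted in Azure: the platform-managed identity. There is no client secret
        // to deploy, rotate or leak, which is the "keys to the castle" problem the
        // comments raise. Pass a client ID here if a user-assigned identity is used.
        return new ManagedIdentityCredential();
    }
}
```

If the App Service (or container) runs several apps, prefer a user-assigned identity per app and scope each one's Key Vault access policy to the secrets it actually reads; a system-assigned identity with Get/List on the whole vault gives every Key Vault reference in the store to every app sharing it.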
