I am still getting up to speed with Azure Key Vault.

Here is the setup: I have a Windows Service on-premise that needs access to a password. For security reasons, the password will be stored in AKV.

The Azure Portal was then used to create the AKV resource, and a "Secret" which will store the password (TheSecret).

Permissions were then added so that my AD login would have access to TheSecret.

So as far as I know, the Azure side of this is set up correctly.

Now I try to access TheSecret from a Console app.

This is the code based on the sample code in the docs:

    using System;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;

    // Full secret identifier as copied from the portal (vault/secrets/name/version)
    var keyVaultUrl = @"https://css-key-vault.vault.azure.net/secrets/TheSecret/<TheGuid>";

    var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());

    KeyVaultSecret theSecret = client.GetSecret("TheSecret");
    Console.WriteLine($"Secret is returned with name {theSecret.Name} and value {theSecret.Value}");

When I run this, I just get a 404 error.

If I take the URL and put it in a browser, it returns this message:

    {"error":{"code":"Unauthorized","message":"AKV10000: Request is missing a Bearer or PoP token."}}

How do I get this to work?

I am expecting that when the Windows Service is running, the Service will use the Windows Account which it is running and somehow pass this credential information to Azure in order to Authenticate and Authorize getting the secret. But it is not clear to me what needs to be done to pass this information to Azure. If there is some other way to do this, I am open to that as well.

1 Answer

The problem is related to this line:

    var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());

When using DefaultAzureCredential, it assumes there's a managed identity associated which will be used to retrieve the access token in order to authenticate/authorize the request.

For console apps, you need to retrieve a token from Azure AD, and use it:

https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-v2-netcore-daemon

PS: you'll need to create an application / secret in your AD for this.

3 Comments

Great, thank you. I will try this.
DefaultAzureCredential does not only attempt Managed Identity though, it attempts various authentication methods. For example, it also checks if it can get a token using Azure PowerShell. But agreed, using a client secret/certificate is probably the better choice here. Though since the password was put to Key Vault for security, you will then be giving a secret that has access to the Key Vault anyway, so I'm not sure how this is better than just having the secret in the app itself. Other than being able to switch it centrally.
You're correct about it. I usually follow the approach I've added (link) for console apps
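Worked example of the approach the answer and the comments converge on: an on-premise console or Windows Service process authenticating to Azure AD as an app registration (client credentials flow) and then reading the secret. This is an added example, not code from the question, the answer, or Microsoft's samples. Two things it does that the question's snippet does not: it uses Azure.Identity's ClientSecretCredential / ClientCertificateCredential instead of raw MSAL (same flow as the linked daemon quickstart, less code), and it splits the secret identifier into vault URI, name and version, because the SecretClient constructor's first argument is the vault URI, and passing the full `.../secrets/TheSecret/<version>` identifier there makes the client build a path that the service does not serve, which is one independent way to get a 404 regardless of credentials. Assumptions: NuGet packages Azure.Security.KeyVault.Secrets and Azure.Identity, .NET 6 or later, the app registration has secret "get" permission on the vault (access policy or the Key Vault Secrets User role), and the environment-variable names `KV_CERT_THUMBPRINT` plus the standard `AZURE_TENANT_ID` / `AZURE_CLIENT_ID` / `AZURE_CLIENT_SECRET` (the last three are also what DefaultAzureCredential's EnvironmentCredential reads, so setting them would make the original snippet's credential work as the comment describes, once the vault URI is fixed). The secret identifier's GUID is a constructed placeholder.

```csharp
// Added example (not from the question or the answer): read a Key Vault secret from a
// console / Windows Service process using an Azure AD app registration.
// Assumed packages: Azure.Security.KeyVault.Secrets, Azure.Identity (.NET 6+).
using System;
using System.Security.Cryptography.X509Certificates;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

static class KeyVaultReader
{
    // SecretClient takes the *vault* URI. The question passed the full secret identifier
    // (https://<vault>/secrets/<name>/<version>); this splits such an identifier so the
    // client is constructed against the vault and the name/version go to GetSecret.
    public static (Uri VaultUri, string Name, string? Version) ParseSecretId(string secretId)
    {
        var id = new KeyVaultSecretIdentifier(new Uri(secretId));
        return (id.VaultUri, id.Name, string.IsNullOrEmpty(id.Version) ? null : id.Version);
    }

    // Client-credentials flow (the answer's "application / secret in your AD"), via
    // Azure.Identity. A certificate in the service account's machine store is preferred;
    // a client secret from the environment is the fallback. Nothing is hard-coded.
    static TokenCredential BuildCredential()
    {
        string tenantId = Require("AZURE_TENANT_ID");
        string clientId = Require("AZURE_CLIENT_ID");
        string? thumbprint = Environment.GetEnvironmentVariable("KV_CERT_THUMBPRINT"); // assumed name

        if (!string.IsNullOrEmpty(thumbprint))
        {
            // LocalMachine\My is the usual store for a Windows Service; the private key
            // stays on the host and only a signed JWT assertion goes to Azure AD.
            using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException("Client certificate not found in LocalMachine\\My");
            return new ClientCertificateCredential(tenantId, clientId, matches[0]);
        }

        return new ClientSecretCredential(tenantId, clientId, Require("AZURE_CLIENT_SECRET"));
    }

    // Fetches the secret value and maps the three failure modes a practitioner will
    // actually hit to distinct messages, so "404" is never the only thing in the log.
    public static string ReadSecret(string secretId)
    {
        var (vaultUri, name, version) = ParseSecretId(secretId);
        var client = new SecretClient(vaultUri, BuildCredential());
        try
        {
            KeyVaultSecret secret = client.GetSecret(name, version);
            return secret.Value;
        }
        catch (AuthenticationFailedException ex)
        {
            // No token at all: wrong tenant/client id, expired client secret, revoked cert.
            throw new InvalidOperationException("Azure AD authentication failed", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Token accepted, but this principal has no "get" on secrets in this vault.
            throw new InvalidOperationException($"Access denied by Key Vault: {ex.ErrorCode}", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            // Wrong vault URI, secret name or version, or the secret is disabled/deleted.
            throw new InvalidOperationException($"Secret not found: {ex.Message}", ex);
        }
    }

    static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Environment variable {name} is not set");

    static void Main()
    {
        // Constructed identifier in the shape the question used; the GUID is a placeholder.
        const string secretId =
            "https://css-key-vault.vault.azure.net/secrets/TheSecret/00000000-0000-0000-0000-000000000000";

        string value = ReadSecret(secretId);

        // Log that retrieval worked, never the value itself.
        Console.WriteLine($"Retrieved TheSecret ({value.Length} characters)");
    }
}
```

For the deployment question the asker raises (the service "somehow" passing its Windows identity to Azure): an on-premise Windows account is not a credential Azure AD recognises, which is why some app credential has to be provisioned. The certificate branch is the one to use for a service, since the private key can be non-exportable in the machine store and the service account granted read access to it, whereas a client secret in an environment variable or config file is exactly the kind of stored secret Key Vault was meant to remove, as the comment points out.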
