
What does the connectionString attribute look like in AzureKeyVault ConfigurationBuilder?


I'm trying to use the new AzureKeyVault ConfigurationBuilder in a .NET 4.7.1 MVC app and keep getting configuration errors when I run it locally:

Configuration Error
Description: An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately. 

Parser Error Message: An error occurred loading a configuration file: One or more errors occurred.

Source Error: 


Line 13:     </builders>
Line 14:   </configBuilders>
Line 15:   <appSettings configBuilders="AzureKeyVault">
Line 16:     <add key="webpages:Version" value="3.0.0.0" />
Line 17:     <add key="webpages:Enabled" value="false" />

After creating a new .NET Framework 4.7.1 ASP.NET MVC web project, I added a connected service to Azure Key Vault and targeted an existing vault. My web.config then included this section:

<configuration>
  <configSections>
    <section name="configBuilders" type="System.Configuration.ConfigurationBuildersSection, System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" restartOnExternalChanges="false" requirePermission="false" />
  </configSections>
  <configBuilders>
    <builders>
      <add name="AzureKeyVault" vaultName="my-test-keyvault" connectionString="" type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=1.0.0.0, Culture=neutral" vaultUri="https://WebApplication1-12-kv.vault.azure.net" />
    </builders>
  </configBuilders>
  <appSettings configBuilders="AzureKeyVault">
    <add key="webpages:Version" value="3.0.0.0" />
    <add key="webpages:Enabled" value="false" />
    <add key="ClientValidationEnabled" value="true" />
    <add key="UnobtrusiveJavaScriptEnabled" value="true" />
  </appSettings>
  <system.web>
    <compilation debug="true" targetFramework="4.7.1" />
    <httpRuntime targetFramework="4.7.1" />

I've been scouring the internet trying to find examples of what the connectionString should look like but I haven't had any success. The documentation states:

The vaultName is required. The other attributes allow you some manual control about which vault to connect to, but are only necessary if the application is not running in an environment that works magically with Microsoft.Azure.Services.AppAuthentication. The Azure Services Authentication library is used to automatically pick up connection information from the execution environment if possible, but you can override that feature by providing a connection string instead.

Any recommendations or pointers here? Thanks.


Solution

  • The documentation linked in the linked article (Announcing .NET 4.7.1 Tools for the Cloud) is out of date. There are no clientId and clientSecret properties on the AzureKeyVaultConfigBuilder class.

    There is a connectionString property, however. Details on how to build that connection string when running locally are in this article: Service-to-service authentication to Azure Key Vault using .NET.

    This is the method that worked for me:

    RunAs=App;AppId={AppId};TenantId={TenantId};AppKey={ClientSecret}
    

    All three of these values (AppId, TenantId and AppKey) are available in the application's AD entry in Azure.
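
A pre-deployment check for the builder entry discussed above, added here as an example (it is not code from the question, the answer, or the Microsoft library). It parses the `connectionString` in the `RunAs=App;...;AppKey=...` form from the answer and reports an empty value, missing or unfilled fields, and a client secret stored in the file. The sample config and its placeholder values are constructed, and other connection string forms are not validated.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the question's builder entry with the answer's
# connection string form filled in using placeholder values.
SAMPLE_WEB_CONFIG = """<configuration>
  <configBuilders>
    <builders>
      <add name="AzureKeyVault" vaultName="my-test-keyvault"
           connectionString="RunAs=App;AppId=APP-ID-PLACEHOLDER;TenantId=TENANT-ID-PLACEHOLDER;AppKey=CLIENT-SECRET-PLACEHOLDER"
           type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure, Version=1.0.0.0, Culture=neutral" />
    </builders>
  </configBuilders>
</configuration>"""

# The three values the answer says to fill in for the RunAs=App / AppKey form.
REQUIRED_FOR_APP = ("AppId", "TenantId", "AppKey")


def parse_connection_string(value):
    """Split 'Key=Value;Key=Value' into a dict (keys keep their casing)."""
    pairs = {}
    for part in value.split(";"):
        if part.strip():
            key, _, val = part.partition("=")
            pairs[key.strip()] = val.strip()
    return pairs


def check_builders(web_config_xml):
    """Return (builder name, finding) tuples for AzureKeyVaultConfigBuilder entries."""
    findings = []
    root = ET.fromstring(web_config_xml)
    for add in root.findall("./configBuilders/builders/add"):
        if "AzureKeyVaultConfigBuilder" not in add.get("type", ""):
            continue
        name = add.get("name", "?")
        conn = parse_connection_string(add.get("connectionString", ""))
        if not conn:
            findings.append((name, "empty connectionString: credentials must come from the execution environment"))
        elif conn.get("RunAs") == "App":
            missing = [k for k in REQUIRED_FOR_APP if not conn.get(k)]
            if missing:
                findings.append((name, "missing " + ", ".join(missing) + " for the AppKey form"))
            if any("{" in conn.get(k, "") for k in REQUIRED_FOR_APP):
                findings.append((name, "unreplaced {placeholder} in connectionString"))
            if conn.get("AppKey"):
                findings.append((name, "AppKey client secret stored in plaintext in the config file"))
    return findings
```

Running `check_builders` on the question's original entry (`connectionString=""`) returns the "empty connectionString" finding, which matches the local failure described there.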