Using ASP.Net Core v2.2 ProtectKeysWithAzureKeyVault() data protection


Using ASP.NET Core 2.2 I'm trying to configure data protection such that I store the keyring in Azure Blob Storage and protect the keyring with a key stored in KeyVault.

In my ConfigureServices() method I have:

public void ConfigureServices(IServiceCollection services)
{
    services.AddDataProtection()
            .PersistKeysToAzureBlobStorage(new Uri("myblob-sasuri"))
            .ProtectKeysWithAzureKeyVault(keyVaultClient, "key-identifier-uri");
}

All looks good, but I am confounded with Forbidden errors in accessing the keyvault. I can't figure out if I have somehow screwed up the key identifier (doubtful) or the keyVaultClient, or the permissions.

I suspect permissions, but nowhere do the docs tell me what permissions the client needs.

Anyone made this work successfully?


Solution

  • Through experimentation I have learned that the KeyVault access policy must have the "Unwrap Key" permission enabled in the Cryptographic Operations section of Key Permissions. So, the service principal you grant access to the KeyVault must be granted that one specific permission in your access policies. We ran into problems because we had not enabled that, we had just Encrypt and Decrypt permissions enabled. This should be documented, I added feedback to the doc here: https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-2.2
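As an added example (my code, not the question author's or the answer's, and not the ASP.NET Core project's own sample), here is a complete Startup for ASP.NET Core 2.2 that ties the question's configuration together with the answer's finding about Key Vault permissions. It assumes the NuGet packages Microsoft.AspNetCore.DataProtection.AzureStorage, Microsoft.AspNetCore.DataProtection.AzureKeyVault and Microsoft.Azure.Services.AppAuthentication, and the configuration keys DataProtection:BlobSasUri and DataProtection:KeyVaultKeyId, which are placeholders of mine rather than names from the original post. The KeyVaultClient is built from an AzureServiceTokenProvider so the app authenticates with its managed identity (or developer credentials locally) and no client secret lives in the app.

```csharp
// Added example: ASP.NET Core 2.2 Data Protection with the key ring in Azure
// Blob Storage and the key ring's keys wrapped by an Azure Key Vault key.
// Assumed packages: Microsoft.AspNetCore.DataProtection.AzureStorage,
//                   Microsoft.AspNetCore.DataProtection.AzureKeyVault,
//                   Microsoft.Azure.Services.AppAuthentication.
// Assumed configuration keys (placeholders, not from the original post):
//   DataProtection:BlobSasUri    - SAS URI of the blob that holds the key ring
//   DataProtection:KeyVaultKeyId - https://<vault>.vault.azure.net/keys/<name>/<version>
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.DataProtection;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    private readonly IConfiguration _configuration;

    public Startup(IConfiguration configuration)
    {
        _configuration = configuration;
    }

    public void ConfigureServices(IServiceCollection services)
    {
        // The SAS URI grants write access to the key ring, so it is read from
        // configuration (user secrets, environment, Key Vault) and never
        // hard-coded in source as in the question's snippet.
        var blobSasUri = new Uri(_configuration["DataProtection:BlobSasUri"]);
        var keyIdentifier = _configuration["DataProtection:KeyVaultKeyId"];

        // AzureServiceTokenProvider acquires a token for the app's own identity
        // (managed identity in Azure, az/Visual Studio login locally) and
        // supplies it to KeyVaultClient on every request.
        var tokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

        // The identity behind keyVaultClient needs a Key Vault access policy
        // with the "Unwrap Key" key permission (the answer's finding) to read
        // existing key-ring entries. "Wrap Key" is needed as well whenever the
        // app generates a new key, because the Key Vault XML encryptor wraps
        // each fresh key with the vault key. Encrypt/Decrypt are different
        // operations and do not satisfy either call, which is what produces
        // the Forbidden (403) errors described in the question.
        services.AddDataProtection()
                .SetApplicationName("my-app")                // assumed name
                .PersistKeysToAzureBlobStorage(blobSasUri)
                .ProtectKeysWithAzureKeyVault(keyVaultClient, keyIdentifier);

        services.AddMvc();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseMvc();
    }
}
```

Keep the access policy minimal: the application identity needs only the wrapKey and unwrapKey key permissions on the vault (granted in the portal under Key Permissions, Cryptographic Operations, or with `az keyvault set-policy --key-permissions wrapKey unwrapKey`), not Encrypt/Decrypt and not key management rights. Since the key ring in blob storage is only as protected as the Key Vault key, rotating or disabling that key, and auditing the vault's wrap/unwrap calls, is where a defender should focus.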