Tags: azure, .net-core, azure-active-directory, azure-keyvault, azure-app-configuration

Access to Azure Key Vault reference value from App Configuration in development on local


I have come across the Azure App Configuration service, with the ability to link a secret from Azure Key Vault by creating a new record with the Key Vault reference option.

I have used Microsoft extension for App Configuration as described in Microsoft Doc

The steps that have been done:

  • Creating a service principal via CMD - `az ad sp create-for-rbac -n "http://mySP" --sdk-auth`
  • Given permission to the created service provider also via CMD - `az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --secret-permissions delete get list set --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey`
  • Set the client id & secret in environment variables

  • The method implementation

        using Azure.Identity;
        using Microsoft.AspNetCore.Hosting;
        using Microsoft.Extensions.Configuration;
        using Microsoft.Extensions.Hosting;

        public class Program
        {
            public static void Main(string[] args) => CreateHostBuilder(args).Build().Run();

            public static IHostBuilder CreateHostBuilder(string[] args) =>
                Host.CreateDefaultBuilder(args)
                    .ConfigureWebHostDefaults(webBuilder =>
                        webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
                        {
                            // Build the providers registered so far to read the App Configuration connection string
                            var settings = config.Build();

                            config.AddAzureAppConfiguration(options =>
                            {
                                options.Connect(settings["ConnectionStrings:AppConfig"])
                                       // Key Vault references in App Configuration are resolved with this credential
                                       .ConfigureKeyVault(kv =>
                                       {
                                           kv.SetCredential(new DefaultAzureCredential());
                                       });
                            });
                        })
                        .UseStartup<Startup>());
        }
    
    

The issue starts when I try to fetch data from App Configuration that has at least one KV reference. I'm getting the following error (only in the case where one KV reference is linked to the App Configuration):

Service request failed. Status: 401 (Unauthorized)

Content:

{"error":"invalid_client","error_description":"AADSTS7000215: Invalid client secret is provided.\r\nTrace ID: \r\nCorrelation ID: \r\nTimestamp: 2020-05-27 22:59:52Z","error_codes":[7000215],"timestamp":"2020-05-27 22:59:52Z","trace_id":"","correlation_id":"","error_uri":"https://login.microsoftonline.com/error?code=7000215"}

Headers:
Cache-Control: no-store, no-cache
Pragma: no-cache
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
x-ms-request-id: REDACTED
x-ms-ests-server: REDACTED
P3P: REDACTED
Set-Cookie: REDACTED
Date: Wed, 27 May 2020 22:59:51 GMT
Content-Type: application/json; charset=utf-8
Expires: -1
Content-Length: 471

Any help will be much appreciated :) Thanks!


Solution

  • When using the DefaultAzureCredential, it will first try Managed Identity (recommended for services on Azure), and eventually a service principal that requires the following environment variables to be set for the process (both on your application service, as well as for local development - can be different, so long as the service principal ID has appropriate permissions):

    • AZURE_TENANT_ID : the tenant ID
    • AZURE_CLIENT_ID : the service principal ID
    • AZURE_CLIENT_SECRET : the service principal secret (password) you were shown only after creating the service principal

    You could also use the new preview of Azure.Identity which supports other authentication schemes more common and easier to use on development machines, such as the Azure CLI (az login), Visual Studio, and Visual Studio Code.
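One way to put the answer into practice, as an added example that is not part of the answer or of any Microsoft sample: pick the Key Vault credential by environment instead of relying on DefaultAzureCredential's fallback order, and report which service principal variables are missing (names only, never values) before the 401 appears. The class and method names are made up for this example; it assumes an Azure.Identity version that includes AzureCliCredential and VisualStudioCredential (the preview mentioned above or later) and the Microsoft.Extensions.Hosting abstractions.

```csharp
using System;
using System.Linq;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Hosting;

// Hypothetical helper for this example; not part of the original post.
public static class KeyVaultCredentialFactory
{
    // The three variables EnvironmentCredential reads for a service principal.
    private static readonly string[] ServicePrincipalVariables =
        { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET" };

    // Names (never values) of the service principal variables that are unset or blank,
    // so a misconfigured dev machine fails with a readable message instead of an opaque 401.
    public static string[] MissingServicePrincipalVariables() =>
        ServicePrincipalVariables
            .Where(name => string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable(name)))
            .ToArray();

    public static TokenCredential Create(IHostEnvironment env)
    {
        if (!env.IsDevelopment())
        {
            // Deployed: use the App Service / VM managed identity only,
            // so no client secret needs to exist in production at all.
            return new ManagedIdentityCredential();
        }

        var missing = MissingServicePrincipalVariables();
        if (missing.Length > 0)
        {
            Console.WriteLine(
                $"Service principal variables not set: {string.Join(", ", missing)}; " +
                "falling back to Azure CLI / Visual Studio sign-in.");
        }

        // Local: try the service principal variables first, then the developer's own
        // az login or Visual Studio sign-in. A credential that is not configured
        // throws CredentialUnavailableException and the chain moves to the next one.
        return new ChainedTokenCredential(
            new EnvironmentCredential(),
            new AzureCliCredential(),
            new VisualStudioCredential());
    }
}
```

In the question's code this replaces `new DefaultAzureCredential()` with `KeyVaultCredentialFactory.Create(hostingContext.HostingEnvironment)`; the Key Vault access policy from the question still has to grant `get` on secrets to whichever identity ends up being used.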