I am trying to access Azure Key Vaults from my .NET Framework application that is deployed on App Service. It generally works, but when I dump App Service logs, the following exception occurs once every few hours:
<Data>TargetInvocationException</Data><Data>Exception has been thrown by the target of an invocation.
at System.RuntimeMethodHandle.InvokeMethod(Object target, Object[] arguments, Signature sig, Boolean constructor)
at System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(Object obj, Object[] parameters, Object[] arguments)
at System.Reflection.RuntimeMethodInfo.Invoke(Object obj, BindingFlags invokeAttr, Binder binder, Object[] parameters, CultureInfo culture)
at Owin.Loader.DefaultLoader.<>c__DisplayClass19_1.<MakeDelegate>b__0(IAppBuilder builder)
at Owin.Loader.DefaultLoader.<>c__DisplayClass9_0.<LoadImplementation>b__0(IAppBuilder builder)
at Microsoft.Owin.Host.SystemWeb.OwinAppContext.Initialize(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinBuilder.Build(Action`1 startup)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.InitializeBlueprint()
at System.Threading.LazyInitializer.EnsureInitializedCore[T](T& target, Boolean& initialized, Object& syncLock, Func`1 valueFactory)
at Microsoft.Owin.Host.SystemWeb.OwinHttpModule.Init(HttpApplication context)
at System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers)
at System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context)
at System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context)
at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
Parameters: Connection String: RunAs=App;, Resource: https://vault.azure.net, Authority: https://login.windows.net/###obfuscated_guid###. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. An error occurred while sending the request.
Here is my code that causes this:
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;");
var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
keyVaults.ForEach(keyVault => configurationBuilder.AddAzureKeyVault(
    $"https://{keyVault}.vault.azure.net/",
    keyVaultClient,
    new DefaultKeyVaultSecretManager()));
There are two key vaults that I am trying to load this way. Both have access policies configured that allow my App Service to call them (Get and List permissions on Secrets). I've also enabled "System assigned identity" for my App Service.
By any chance do you have any recommendations on how to solve this issue? Thanks in advance!
Thanks everybody for your comments,
The answer was much more trivial than I expected. I added preprod slots to the App Service and assumed that the configuration, along with the managed identity configuration, is automatically copied. Unfortunately it is not.
Adding a managed identity to the preprod slot and adding the preprod slot to the access policies in Key Vault solved the issue.
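Since the root cause was a slot without its own managed identity, the following added example (not code from the question or answer above) wraps the same AppAuthentication/Key Vault setup in a startup probe: it requests a Key Vault token first and, if that fails, raises an error that names the site and slot, so a misconfigured slot fails fast at startup instead of surfacing as a wrapped TargetInvocationException in the OWIN loader every few hours. It assumes the App Service environment variables WEBSITE_SITE_NAME, WEBSITE_SLOT_NAME, IDENTITY_ENDPOINT and MSI_ENDPOINT, and the hypothetical helper name KeyVaultConfig.BuildAsync.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;

public static class KeyVaultConfig
{
    // Hypothetical helper: probes the managed identity before wiring the Key Vault
    // configuration provider, so a slot without an identity (or without a Key Vault
    // access policy entry) fails at startup with an actionable message.
    public static async Task<IConfigurationRoot> BuildAsync(IEnumerable<string> keyVaults)
    {
        var tokenProvider = new AzureServiceTokenProvider("RunAs=App;");

        // App Service sets these; the slot name is what distinguishes preprod from production.
        string site = Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME") ?? "(not App Service)";
        string slot = Environment.GetEnvironmentVariable("WEBSITE_SLOT_NAME") ?? "(no slot name)";
        bool identityEndpointPresent =
            Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT") != null ||
            Environment.GetEnvironmentVariable("MSI_ENDPOINT") != null;

        try
        {
            // Same resource the failing log line reports; a slot with no identity fails here.
            await tokenProvider.GetAccessTokenAsync("https://vault.azure.net");
        }
        catch (AzureServiceTokenProviderException ex)
        {
            throw new InvalidOperationException(
                $"Managed identity token for Key Vault could not be acquired on site '{site}', slot '{slot}' " +
                $"(identity endpoint present: {identityEndpointPresent}). Each slot needs its own " +
                "system-assigned identity and its own entry in the Key Vault access policies.", ex);
        }

        // Identity verified: wire the Key Vault provider exactly as in the question.
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
        var builder = new ConfigurationBuilder();
        foreach (var keyVault in keyVaults)
        {
            builder.AddAzureKeyVault(
                $"https://{keyVault}.vault.azure.net/",
                keyVaultClient,
                new DefaultKeyVaultSecretManager());
        }
        return builder.Build();
    }
}
```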