I am creating an asp.net core web app and within Visual studio I don't have any issue on below code while I am trying to fetch azure key vault using managed identity.
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureAppConfiguration((context, config) =>
{
config.AddAzureKeyVault(new AzureKeyVaultConfigurationOptions
{
Vault = "https://testvaultXYZ.vault.azure.net/",
Client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback)),
});
})
.ConfigureWebHostDefaults(webBuilder =>
{
webBuilder.UseStartup<Startup>();
});
Now I make this application to run in docker/container now when I am running this application in local container I am getting below error for above code,
Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: 'Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxxx. Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxx. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxx. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/xxxxxxxxxxxx. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory
I understand that user is different while running in docker container. What's the solution here?
I saw some solution to get access token using below command,
$Env:ACCESS_TOKEN=(az account get-access-token --resource=https://testvaultXYZ.vault.azure.net | ConvertFrom-Json).accessToken
but here also getting error like,
Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://testvaultXYZ.vault.azure.net was not found in the tenant named XXXXXXX. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant.
It should be: az account get-access-token --resource=https://vault.azure.net. Then you get the access token you can use :) This is working for me.