Full Error: Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException: SharedTokenCacheCredential authentication failed: AADSTS9002332: Application 'cfa8b339-82a2-471a-a3c9-0fc0be7a4093'(Azure Key Vault) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request. Trace ID: a4b9a7c9-8eb4-48ff-8871-8a63d69b1400 (Azure Key Vault) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.
I am walking through the example at this Microsoft Doc page: https://learn.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core?tabs=powershell%2Ccore3x
No errors on build, but when I launch the site on localhost, I get the above error.
Here is the code in the Program.cs file:
```csharp
// using directives needed by this snippet
using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;
using Serilog;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .UseSerilog()
        .ConfigureWebHostDefaults(webBuilder =>
            webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
            {
                // Build the configuration assembled so far to read the App Configuration connection string
                var settings = config.Build();
                config.AddAzureAppConfiguration(options =>
                {
                    options.Connect(settings["ConnectionStrings:AppConfig"])
                           .ConfigureKeyVault(kv =>
                           {
                               // Credential used to resolve Key Vault references
                               kv.SetCredential(new DefaultAzureCredential());
                           });
                });
            })
            .UseStartup<Startup>());
// See: https://github.com/MicrosoftDocs/azure-docs/issues/71592
```
Can anyone tell me what to try next?
See: https://github.com/MicrosoftDocs/azure-docs/issues/71592
If you want to access Azure Key Vault, please refer to the following steps:

```shell
# Create a service principal and print its credentials (tenant, client id, client secret)
az ad sp create-for-rbac -n "http://mySP" --sdk-auth

# Grant the service principal access to the vault. The two --secret-permissions flags of the
# original command are merged here: az CLI keeps only the last value of a repeated flag.
# These permission sets are broad; trim them to what the application actually needs.
az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey --secret-permissions backup delete get list purge recover restore set
```
```csharp
// using directives needed by this snippet
using Azure.Identity;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureWebHostDefaults(webBuilder =>
            webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
            {
                var settings = config.Build();
                config.AddAzureAppConfiguration(options =>
                {
                    options.Connect(settings["ConnectionStrings:AppConfig"])
                           .ConfigureKeyVault(kv =>
                           {
                               // Service principal created with "az ad sp create-for-rbac" above;
                               // replace the placeholders with the values it printed
                               var credential = new ClientSecretCredential("<tenant id>", "<client id>", "<client secret>");
                               kv.SetCredential(credential);
                           });
                });
            })
            .UseStartup<Startup>());
```
Besides, if you run the application with VS 2019, you can use the extension Azure Service Authentication. But you need to use one work account in the tenant to log in and configure the right access policy for the account in the key vault. For more details, please refer to here.