Error (Azure Key Vault) is configured for use by Azure Active Directory users only
Full Error: Microsoft.Extensions.Configuration.AzureAppConfiguration.KeyVaultReferenceException: SharedTokenCacheCredential authentication failed: AADSTS9002332: Application 'cfa8b339-82a2-471a-a3c9-0fc0be7a4093'(Azure Key Vault) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request. Trace ID: a4b9a7c9-8eb4-48ff-8871-8a63d69b1400 (Azure Key Vault) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.
I am walking through the example at this Microsoft Doc page: https://learn.microsoft.com/en-us/azure/azure-app-configuration/use-key-vault-references-dotnet-core?tabs=powershell%2Ccore3x
No errors on build, but when I launch the site on localhost, I get the above error.
Here is the code in the Program.cs file:
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.UseSerilog()
.ConfigureWebHostDefaults(webBuilder =>
webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
{
var settings = config.Build();
config.AddAzureAppConfiguration(options =>
{
options.Connect(settings["ConnectionStrings:AppConfig"])
.ConfigureKeyVault(kv =>
{
kv.SetCredential(new DefaultAzureCredential());
});
});
})
.UseStartup<Startup>());
// See: https://github.com/MicrosoftDocs/azure-docs/issues/71592
Can anyone tell me what to try next?
See: https://github.com/MicrosoftDocs/azure-docs/issues/71592
If you want to access Azure key vault, please refer to the following steps
- Create service principal
az ad sp create-for-rbac -n "http://mySP" --sdk-auth
- Set access policy in azure keyvault
az keyvault set-policy -n <your-unique-keyvault-name> --spn <clientId-of-your-service-principal> --secret-permissions delete get list set --key-permissions create decrypt delete encrypt get list unwrapKey wrapKey --secret-permissions backup delete get list purge recover restore set
- Code
public static IHostBuilder CreateHostBuilder(string[] args) =>
Host.CreateDefaultBuilder(args)
.ConfigureWebHostDefaults(webBuilder =>
webBuilder.ConfigureAppConfiguration((hostingContext, config) =>
{
var settings = config.Build();
config.AddAzureAppConfiguration(options =>
{
options.Connect(settings["ConnectionStrings:AppConfig"])
.ConfigureKeyVault(kv =>
{
var cert = new ClientSecretCredential("<tenant id>", "client id", "client secret");
kv.SetCredential(cert);
});
});
})
.UseStartup<Startup>());
Besides, if you run the application with VS 2019, you can use the extension Azure Service Authentication. But you need to use one work account in the tenant to login and configure right access policy for the account in the key vault. For more details, please refer to here
- How to connect secrets value stored in Azure key vault to Azure app service env variables directly
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- How to add new access policy to Azure key vault without deleting all existing access policies. Using Azure SDK for .net Azure.ResourceManager.KeyVault
- A keyvault created with access policy using BICEP creates compound identity
- Diagnostic setting not included in Azure Portal ARM template export
- AddDataProtection().PersistKeysToAzureBlobStorage().ProtectKeysWithAzureKeyVault() getting httpVerb Error while accessing the blob storage
- Azure Key Vault Disabled public access, how to access it through the portal via internet
- is it posible to access Azure App Configuration via URL or conected some how as enviroment setting of App Service?
- Encryption with Azure Key Vault CryptographyClient - where is encrypt/decrypt happenning? my backend or Azure server side
- Grant Azure Devops ARM Service Connection access to Key Vault
- Adding ARM template for virualNetworkRules for key vault
- How to access Azure Key Vault secrets as *configuration values transparently* in a ASP.NET Core Web App which is deployed to Azure App Services?
- How can we get tenant id, client id and client secret for Azure Function App?
- How to activate Managed HSM and configure encryption with customer-managed keys stored in Azure Key Vault Managed HSM using Terraform
- Mock EncryptAsync method and return EncryptResult from Azure.Security.KeyVault.Keys.Cryptography
- Is it possible to use an Azure KeyVault with RBAC on an Azure Pipeline Agent?
- VB.NET Error after calling Dim secret = Await client.GetSecretAsync
- How to Set Separate Database Connection Strings for Azure App Service Deployment Slots
- Create an API Connection to Azure KeyVault using Service Principal Authentication through ARM template
- Azure SQL database not available on first connection attempt
- Azure KeyVault: Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials
- Azure DevOps Pipeline Error: Password Not an Integer in snowsql Command
- Unable to Retrieve Multiple Secrets from Azure Key Vault in Azure DevOps Pipeline
- How can I retrieve the KeyVault URIs from Azure AppConfig in C# without retrieving the Secret Value?
- Azure KeyVault Certificate with non-exportable key can still export the key through KeyVault Secret
- How to use properly Azure app configuration with key vault reference in a function app?
- Unable to set access policy to key vault for an application in Azure CLI
- The cost of a deleted Azure Key Vault with Purge Protection enabled
- Azure Key Vault Certificates does not have the Private Key when retrieved via IKeyVaultClient.GetCertificateAsync
- Terraform - How to get App Service object id for azurerm key vault access policy?