I am trying to set a secret in Azure Key Vault using managed identity. There are two problems I am facing right now. I hope someone can help me with them.
Code:
var client = new SecretClient(new Uri("keyvaulturl"),
    new DefaultAzureCredential(new DefaultAzureCredentialOptions()
        { ExcludeManagedIdentityCredential = true }));
await client.SetSecretAsync(new KeyVaultSecret(keyName,
    serializer.SerializeObject(someobject)));
Problem 1:
DefaultAzureCredentialOptions is not working for managed identity, but when I set ExcludeManagedIdentityCredential to true it is able to fall back to the next authentication provider (must be Azure CLI). I am not sure why this is happening, because a couple of days ago the same code was working and I was able to set and retrieve Key Vault secrets using the same code (of course without using any DefaultAzureCredentialOptions parameters).
Please note this problem only happens in my local env and managed identity works fine when deployed in azure.
Problem 2:
When setting ExcludeManagedIdentityCredential to true for local development, I started seeing another problem: it gives me an error that api-version is missing. I don't understand why, or where I need to specify the API version when using the Azure .NET SDK.
Error:
Service request failed. Status: 400 (Bad Request)
Content: {"error":{"code":"BadParameter","message":"api-version must be specified"}}
Problem 1:
Managed Identity cannot be used to authenticate locally-running applications by design. Try to read the Important tip in the document.
Managed Identity cannot be used to authenticate locally-running applications. Your application must be deployed to an Azure service that supports Managed Identity.
Problem 2:
Please update the Azure Key Vault secret client library to the latest version.
dotnet add package Azure.Security.KeyVault.Secrets
I tried DefaultAzureCredential with environment variables in my local environment.
string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME");
var kvUri = "https://" + keyVaultName + ".vault.azure.net";
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
KeyVaultSecret secret = new KeyVaultSecret("testdefault", "123456");
KeyVaultSecret result = await client.SetSecretAsync(secret);
Console.WriteLine(result.Name);
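An added example, not part of the original answer: instead of relying on the DefaultAzureCredential fallback order, the credential can be chosen explicitly so a deployed app only ever uses its managed identity and a local run only uses developer credentials. The RUNNING_IN_AZURE setting name is a hypothetical assumption; KEY_VAULT_NAME is the variable used in the answer.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class KeyVaultSecretWriter
{
    // Assumption: the deployed app sets RUNNING_IN_AZURE=true in its app settings
    // (hypothetical name). Everything else is treated as a local run.
    private static TokenCredential BuildCredential()
    {
        string flag = Environment.GetEnvironmentVariable("RUNNING_IN_AZURE");
        if (string.Equals(flag, "true", StringComparison.OrdinalIgnoreCase))
            return new ManagedIdentityCredential();   // no fallback in production

        // Locally: service principal from environment variables, then Azure CLI login.
        return new ChainedTokenCredential(new EnvironmentCredential(), new AzureCliCredential());
    }

    public static async Task Main()
    {
        string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME")
            ?? throw new InvalidOperationException("KEY_VAULT_NAME is not set");
        var client = new SecretClient(
            new Uri($"https://{keyVaultName}.vault.azure.net"), BuildCredential());
        try
        {
            // Constructed sample secret; never log the value itself.
            KeyVaultSecret result = await client.SetSecretAsync(
                new KeyVaultSecret("testdefault", "constructed-sample-value"));
            Console.WriteLine($"Stored {result.Name}, version {result.Properties.Version}");
        }
        catch (CredentialUnavailableException ex)
        {
            // The selected credential cannot run here (e.g. no 'az login' session).
            Console.Error.WriteLine($"No usable credential: {ex.Message}");
        }
        catch (AuthenticationFailedException ex)
        {
            Console.Error.WriteLine($"Authentication failed: {ex.Message}");
        }
        catch (RequestFailedException ex)
        {
            // Service-side rejections, such as the 400 BadParameter shown in the question.
            Console.Error.WriteLine($"Key Vault returned {ex.Status} ({ex.ErrorCode}): {ex.Message}");
        }
    }
}
```

Separating the catch blocks shows whether a failure came from credential selection or from the Key Vault request itself, which is the distinction between Problem 1 and Problem 2 above.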