Tags: configuration, azure-keyvault

My Azure key vault is full of GUIDs. Is it because I use AddAzureKeyVault to merge the key vault into my configuration?


I have a C# ASP.NET Core application that runs in Azure and uses an Azure key vault. In my Program.cs I use AzureKeyVaultConfigurationExtensions.AddAzureKeyVault (from Azure.Extensions.AspNetCore.Configuration.Secrets version 1.2.1.0) to merge the Azure key vault secrets into my configuration:

using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Hosting;

// keyVaultUri, credential and keyVaultReloadInterval are assumed to be defined elsewhere in Program.cs
public static IHostBuilder CreateHostBuilder(string[] args) =>
    Host.CreateDefaultBuilder(args)
        .ConfigureAppConfiguration((context, config) =>
        {
            // Client that reads secrets from the vault with the application's identity
            var secretClient = new SecretClient(keyVaultUri, credential);
            // Re-read the vault's secrets at the configured interval
            var options = new AzureKeyVaultConfigurationOptions { ReloadInterval = keyVaultReloadInterval };
            config.AddAzureKeyVault(secretClient, options);
        });

Recently I have noticed that my key vault is full of secrets whose names are GUIDs. I do not believe I or anyone else is creating these deliberately.

Moreover, I once got this error from one of the instances of my application in Azure:

{"error":{"code":"SecretNotFound","message":"A secret with (name/id) was not found in this key vault. If you recently deleted this secret you may be able to recover it using the correct recovery command. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125182"}}

According to the stack trace, this exception comes from the point where the application attempts to build the configuration.

at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync[TResult](RequestMethod method, Func`1 resultFactory, CancellationToken cancellationToken, String[] path)
at Azure.Security.KeyVault.Secrets.SecretClient.GetSecretAsync(String name, String version, CancellationToken cancellationToken)
at Azure.Extensions.AspNetCore.Configuration.Secrets.ParallelSecretLoader.GetSecret(String secretName)
at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.LoadAsync()
at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.Load()
at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
at Microsoft.Extensions.Hosting.HostBuilder.Build()
at Program.Main(String[] args) in C:\path\to\Program.cs:line 23

This suggests that the AzureKeyVaultConfigurationProvider creates and needs these GUIDs in the key vault. Does anyone know more exactly what it does? Is this documented?


Solution

  • Enable logging on your key vault. This will show the operations that were performed on the Key Vault and the service principal that performed them. This should be enough to tell you where they came from.
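Once Key Vault diagnostic logging is enabled, the AuditEvent records can be filtered for successful SecretSet operations on GUID-named secrets and grouped by the calling application id and IP, which answers "who created them". The script below is an added example, not part of the question or answer; the sample records are constructed and the field names (operationName, identity.claim.appid, callerIpAddress, properties.id) approximate the diagnostic-log export schema and are an assumption.

```python
import json
import re
from urllib.parse import urlparse

# A secret name that is a GUID (8-4-4-4-12 hex groups).
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample AuditEvent records; the schema is an assumption.
SAMPLE_LOG = r'''
{"time":"2023-01-05T10:00:01Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Success","identity":{"claim":{"appid":"11111111-aaaa-bbbb-cccc-222222222222"}},"callerIpAddress":"10.0.0.4","properties":{"id":"https://contoso-kv.vault.azure.net/secrets/ConnectionString/1a2b"}}
{"time":"2023-01-05T10:00:02Z","category":"AuditEvent","operationName":"SecretSet","resultType":"Success","identity":{"claim":{"appid":"33333333-dddd-eeee-ffff-444444444444"}},"callerIpAddress":"203.0.113.7","properties":{"id":"https://contoso-kv.vault.azure.net/secrets/6f1d2c3e-9a8b-4c7d-8e6f-0a1b2c3d4e5f/9c8d"}}
{"time":"2023-01-05T10:00:03Z","category":"AuditEvent","operationName":"SecretSet","resultType":"Success","identity":{"claim":{"appid":"33333333-dddd-eeee-ffff-444444444444"}},"callerIpAddress":"203.0.113.7","properties":{"id":"https://contoso-kv.vault.azure.net/secrets/0f9e8d7c-6b5a-4433-8211-00ffeeddccbb/7b6a"}}
{"time":"2023-01-05T10:00:04Z","category":"AuditEvent","operationName":"SecretSet","resultType":"Success","identity":{"claim":{"appid":"11111111-aaaa-bbbb-cccc-222222222222"}},"callerIpAddress":"10.0.0.4","properties":{"id":"https://contoso-kv.vault.azure.net/secrets/ApiKey/5e4f"}}
{"time":"2023-01-05T10:00:05Z","category":"AuditEvent","operationName":"SecretGet","resultType":"Failure","identity":{"claim":{"appid":"11111111-aaaa-bbbb-cccc-222222222222"}},"callerIpAddress":"10.0.0.4","properties":{"id":"https://contoso-kv.vault.azure.net/secrets/0f9e8d7c-6b5a-4433-8211-00ffeeddccbb"}}
'''

def secret_name(secret_id):
    """Extract the secret name from a vault URL of the form .../secrets/<name>[/<version>]."""
    parts = urlparse(secret_id).path.strip("/").split("/")
    return parts[1] if len(parts) >= 2 and parts[0] == "secrets" else None

def guid_named_secret_writers(log_text):
    """Map (appid, callerIp) -> list of GUID-named secrets it successfully wrote."""
    writers = {}
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("operationName") != "SecretSet" or rec.get("resultType") != "Success":
            continue
        name = secret_name(rec["properties"]["id"])
        if name and GUID_RE.match(name):
            appid = rec.get("identity", {}).get("claim", {}).get("appid", "<unknown>")
            caller = rec.get("callerIpAddress", "<unknown>")
            writers.setdefault((appid, caller), []).append(name)
    return writers

def failed_reads(log_text):
    """Secret names whose SecretGet failed, e.g. the SecretNotFound seen at configuration build."""
    names = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        if rec.get("operationName") == "SecretGet" and rec.get("resultType") == "Failure":
            names.append(secret_name(rec["properties"]["id"]))
    return names

if __name__ == "__main__":
    for (appid, ip), names in guid_named_secret_writers(SAMPLE_LOG).items():
        print(f"app {appid} from {ip} wrote {len(names)} GUID-named secret(s): {names}")
    print("failed reads:", failed_reads(SAMPLE_LOG))
```

A GUID-named secret that was written by one principal and then fails to read for another points at the creator to investigate, rather than at the configuration provider that only reads.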