Tags: .net, azure, virtual-machine, azure-keyvault, defaultazurecredential

Configuring default azure credentials


I am using Azure key vaults for storing some data and I want to use DefaultAzureCredentialOptions() options to tell my code which options to exclude and which ones not to.

When I test it in Development with VisualStudioCredential it works perfectly. But since this option will not be used in production, I did some research to see which options I might need when I host my application in IIS on a virtual machine.

I found out that I only need ManagedIdentityCredential, and in case that doesn't work I also tried including AzurePowerShellCredential, AzureCliCredential, SharedTokenCacheCredential and EnvironmentCredential.

Even after including these options, when I try to run my application I get error 500.

My code is like this:

using Azure.Identity;

var credentialOptions = new DefaultAzureCredentialOptions();

if (builder.Environment.IsDevelopment())
{
    credentialOptions.ExcludeInteractiveBrowserCredential = true;
    credentialOptions.ExcludeAzurePowerShellCredential = true;
    credentialOptions.ExcludeManagedIdentityCredential = true;
    credentialOptions.ExcludeVisualStudioCredential = false;
    credentialOptions.ExcludeVisualStudioCodeCredential = true;
    credentialOptions.ExcludeAzureCliCredential = true;
    credentialOptions.ExcludeSharedTokenCacheCredential = true;
    credentialOptions.ExcludeEnvironmentCredential = true;
}
else
{
    credentialOptions.ExcludeManagedIdentityCredential = false;
    credentialOptions.ExcludeInteractiveBrowserCredential = true;
    credentialOptions.ExcludeAzurePowerShellCredential = false;
    credentialOptions.ExcludeVisualStudioCredential = true;
    credentialOptions.ExcludeVisualStudioCodeCredential = true;
    credentialOptions.ExcludeAzureCliCredential = false;
    credentialOptions.ExcludeSharedTokenCacheCredential = false;
    credentialOptions.ExcludeEnvironmentCredential = false;
}

builder.Configuration.AddAzureKeyVault(
    new Uri(builder.Configuration["KVS"]),
    new DefaultAzureCredential(credentialOptions));

Previously my code allowed everything, in development and in production, but of course it took some time while trying many credentials, failing and trying the next one. So I thought that checking the environment first and then giving the proper credentials would work, but I am facing the error 500 problem...


Solution

  • Initially I got the below error with your code.


    Unhandled exception. Azure.RequestFailedException: The user, group or application 'appid=****;oid=****;iss=https://sts.windows.net/****/' does not have secrets list permission on key vault 'KVAug22;location=eastus'. For help resolving this issue
    
    • As you have set ManagedIdentityCredential as the first option for Production, you need to give the deployed app permission to access the Key Vault.

    • Enable Managed Identity for the Azure App Service.


    • In Key Vault => Access policies, create a new policy and select the managed identity (its name is the same as the Web App).


    My Program.cs file:

    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;

    // credentialOptions is the DefaultAzureCredentialOptions instance built in the question.
    var keyVaultUri = new Uri($"https://{builder.Configuration["KeyVaultName"]}.vault.azure.net/");

    builder.Configuration.AddAzureKeyVault(
          keyVaultUri,
          new DefaultAzureCredential(credentialOptions));

    // Direct read of one secret with the same credential, to confirm the identity has access.
    var secretClient = new SecretClient(keyVaultUri, new DefaultAzureCredential(credentialOptions));
    KeyVaultSecret secret = secretClient.GetSecret("SampleKey");
    Console.WriteLine($"Secret value: {secret.Value}");
    
    • Now I am able to get the secrets from the deployed Azure App Service.

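Putting the question's per-environment credential selection and the answer's permission fix together, here is an added Program.cs example (not code from either poster) that uses only the hosting identity in production and fails at startup with the real cause instead of a generic 500. It assumes .NET 6+ minimal hosting with implicit usings, the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets packages, and a configuration key "KVS" holding the vault URI, as in the question.

```csharp
using Azure.Core;
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);
var vaultUri = new Uri(builder.Configuration["KVS"]
    ?? throw new InvalidOperationException("Configuration key 'KVS' (vault URI) is missing."));

TokenCredential credential;
if (builder.Environment.IsDevelopment())
{
    // Development: only the Visual Studio sign-in. Everything else is excluded so
    // a developer box can never silently pick up a production identity.
    credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
    {
        ExcludeEnvironmentCredential = true,
        ExcludeManagedIdentityCredential = true,
        ExcludeSharedTokenCacheCredential = true,
        ExcludeInteractiveBrowserCredential = true,
        ExcludeAzurePowerShellCredential = true,
        ExcludeVisualStudioCodeCredential = true,
        ExcludeAzureCliCredential = true,
        ExcludeVisualStudioCredential = false,
    });
}
else
{
    // Production (VM or App Service): the managed identity and nothing else.
    // Using ManagedIdentityCredential directly instead of the DefaultAzureCredential
    // chain means no fallback to CLI/PowerShell tokens left on the host, and a
    // missing identity fails fast rather than after a slow chain of retries.
    credential = new ManagedIdentityCredential();
}

// Probe once at startup so a credential or permission problem is logged with its
// real cause instead of surfacing later as an HTTP 500.
try
{
    credential.GetToken(new TokenRequestContext(new[] { "https://vault.azure.net/.default" }), default);
}
catch (AuthenticationFailedException ex)
{
    throw new InvalidOperationException(
        "Could not obtain a Key Vault token; in production enable the managed identity " +
        "and grant it Get and List secret permissions in the vault's access policy.", ex);
}

// The configuration provider enumerates secrets, so the identity needs both Get and
// List secret permissions (the "does not have secrets list permission" error above).
builder.Configuration.AddAzureKeyVault(vaultUri, credential);

var app = builder.Build();
app.Run();
```

Run it under the Development environment on a machine signed in to Visual Studio, and under any other environment on the VM or App Service after the access policy from the answer is in place.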