Tags: c#, azure, asp.net-web-api, azure-keyvault, dotnet-aspire

Retrieve Secret from Azure Key Vault fails in .NET Aspire, but works with curl


I have a .NET Aspire application that uses dapr. I'm currently trying to get the Secret out of the Azure Key Vault using the YAML configuration. Retrieving the secret in ASP.NET Aspire fails for the servicebus, but the keyvault.yaml seems to work, since retrieving the secret with
curl http://localhost:49688/v1.0/secrets/azurekeyvault/some-servicebus-connectionstring retrieves the secret.

However, the servicebus.yaml doesn't properly retrieve the secret. What am I doing wrong?

keyvault.yaml

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
  metadata:
  - name: vaultName
    value: some-kv2-we-dev
  - name: azureClientId
    value: c6911f11-237e-44ad-a704-c8243067a0b1

servicebus.yaml

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: servicebus-pubsub
  namespace: default
spec:
  type: pubsub.azure.servicebus
  version: v1
  metadata:
  - name: connectionString
   secretKeyRef:
      name: some-servicebus-connectionstring
      key: some-servicebus-connectionstring
  - name: topic
    value: "some-topic"
  - name: subscriptionName
    value: "some-subscription"
auth:
    secretStore: azurekeyvault

Solution

    • The servicebus.yaml configuration has a potential issue with indentation and possibly with the key field in secretKeyRef.

    • keyvault.yaml seems fine if it reflects the actual Key Vault setup. No changes are needed here unless there's an issue with the vaultName or azureClientId.

    servicebus.yaml:

    apiVersion: dapr.io/v1alpha1
    kind: Component
    metadata:
      name: servicebus-pubsub
      namespace: default
    spec:
      type: pubsub.azure.servicebus
      version: v1
      metadata:
      - name: connectionString
        secretKeyRef:
          name: some-servicebus-connectionstring # This should match the secret name in Key Vault
          key: some-servicebus-connectionstring # Optional if key matches the name in Key Vault
      - name: topic
        value: "some-topic"
      - name: subscriptionName
        value: "some-subscription"
    auth:
      secretStore: azurekeyvault
    
    • Assign the Get secret permission to the service principal or managed identity in Azure Key Vault.


    • Use a compatible Dapr runtime version (e.g., >=1.5.0) that supports secretKeyRef and Azure Key Vault integration.

    Running successfully (screenshot not reproduced on this page).
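Added example, not code from the question or the answer: a small Python check using only the standard library that flags the two problems the answer points at, a secretKeyRef line indented short of its `- name:` metadata item, and an `auth.secretStore` value that does not match the secret store component's `metadata.name`. The two manifests are constructed, trimmed copies of the ones in the question (BROKEN keeps the 3-space indent, FIXED lines it up).

```python
import re
# Constructed, trimmed copies of the question's two manifests (example input,
# not the project's files). BROKEN keeps the 3-space indent before secretKeyRef,
# which does not line up with the item's `name` key, so the reference is lost.
KEYVAULT = """metadata:
  name: azurekeyvault
spec:
  type: secretstores.azure.keyvault
"""
BROKEN = """metadata:
  name: servicebus-pubsub
spec:
  type: pubsub.azure.servicebus
  metadata:
  - name: connectionString
   secretKeyRef:
      name: some-servicebus-connectionstring
      key: some-servicebus-connectionstring
  - name: topic
    value: "some-topic"
auth:
    secretStore: azurekeyvault
"""
FIXED = BROKEN.replace("\n   secretKeyRef:", "\n    secretKeyRef:")

def component_name(manifest):
    """Name declared under the top-level metadata block of a component."""
    m = re.search(r"^metadata:\s*\n\s+name:\s*(\S+)", manifest, re.M)
    return m.group(1) if m else None

def check_pubsub_component(pubsub, secret_store):
    """Line-level lint (not a YAML parser): a continuation line of a `- name:`
    item indented short of the item, or an auth.secretStore naming no store."""
    problems, list_col, item_col = [], None, None
    store = component_name(secret_store)
    for lineno, line in enumerate(pubsub.splitlines(), 1):
        if not line.strip():
            continue
        col = len(line) - len(line.lstrip())
        if m := re.match(r"\s*-\s+name:", line):   # start of a metadata item
            list_col, item_col = col, len(m.group(0)) - len("name:")
            continue
        if item_col is not None and list_col < col < item_col:
            problems.append(f"line {lineno}: '{line.strip()}' is indented to column "
                            f"{col}, but its metadata item starts at column {item_col}")
        if list_col is not None and col <= list_col:   # left the metadata list
            list_col = item_col = None
        if (m := re.match(r"\s*secretStore:\s*(\S+)", line)) and m.group(1) != store:
            problems.append(f"line {lineno}: auth.secretStore '{m.group(1)}' does not "
                            f"match the secret store component '{store}'")
    return problems
```

Run `check_pubsub_component(BROKEN, KEYVAULT)` to see the indentation finding on the secretKeyRef line; the same call on FIXED returns an empty list.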