How can I Get Started Using Certificates to Authenticate my APIs Using Azure Key Vault?
We have several internal APIs that we are needing to expose externally for various reasons. I have been tasked with securing those APIs externally.
What I would like to do is follow Microsoft's recommendation for using certificates for authentication. I have setup internal CAs for our load balanced servers and am using those to distribute certificates to applications, which are then being authenticated via app registration in Azure.
The problem I am encountering is securing and cycling these certificates. For example, in one case I have an API I am exposing externally so that it can be used by a mobile app. This app will be distributed to phones, so I don't want to include the certificate in the package (for both security and cycling certificates).
My potential solution is Azure Key Vault, which I can use to both secure and cycle the certificates. My problem is, I don't understand how I am supposed to authenticate to key vault. The recommendation is the use certificates, but then I have more certificates I will need to secure and cycle (which I can't store in Key Vault because I need them to access Key Vault). Another recommendation I saw was to create app service as an intermediary between my app and key vault, but again it was recommended that I use a client secret or certificate to authenticate to that new app (which creates the same problem).
So, how am I supposed to authenticate to Azure Key Vault without creating new certificates that I need to secure and cycle using Azure Key Vault?
Note: Managed Identity can be used to authenticate services (like APIs or applications) to Azure Key Vault. Managed Identity allows you to avoid managing certificates or secrets for authentication.
- Managed identity will automatically authenticate to Azure resources (like Key Vault) without needing any additional credentials or certificates.
- You can enable the managed identity in Azure App service and call Azure key vault. Refer this SO Thread by me.
Enable Managed Identity in your Azure App Service and grant it Get/List permissions in Key Vault. Use the Azure SDK to authenticate and access certificates in your app.
var credential = new DefaultAzureCredential();
var client = new SecretClient(new Uri("https://<your-keyvault-name>.vault.azure.net/"), credential);
KeyVaultCertificate certificate = client.GetCertificate("<certificate-name>");
Otherwise, you can make use of app registration and make use of client secret:
For sample, I generated access token:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id: ClientID
client_secret: XXX
scope: https://vault.azure.net/.default
grant_type: client_credentials
By using the above access token, you can call and access Key vault.
Reference:
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?
- Update VCore by database in power shell
- While scanning a simple key, could not find expected ':'. Syntax error in azure-pipeline.yaml
- I'm not able to call the Azure document intelligence api using the latest api version "2024-02-29-preview"
- AzureWebJobsStorage Managed Identity not working
- Get-RemoteDomain in powershell exchange online error : The term 'Get-RemoteDomain' is not recognized as the name of a cmdlet
- How can I Get Started Using Certificates to Authenticate my APIs Using Azure Key Vault?
- Azure Storage blob getting the io.netty.channel.StacklessClosedChannelException while generating /downloading the from SasUrl
- How to set up a site-to-site connection between Azure VNet and an on-premises network with a single IP address for traffic selectors?
- Summarization of docx or pdf document
- Unable to use Azure Developer CLI (azd) in vsCode even after extensions installed
- How to configure backend application on Container Apps
- WebJob is stopping due to website shutting down
- Azure SQL trigger for Functions configuration problem
- Does azure blob storage support http2?
- Azure Pronunciation Assessment Could not deserialize speech context error
- Is there a query to run so I can get a list of users who has NOT logged in, in the past 30 days?
- How do I Parse FormData containing a audio file in AZ function app in 2025
- Not able to delete Public IP address in azure
- Azure Devops Apple App Store Release.Missing value for the attribute 'whatsNew'
- Azure Storage accounts container public access level has dissabled
- Issue with adding delegated Graph API permission to Enterprise app with Terraform
- Getting an error when using the Flexible File Destination Task in Visual Studio 2022 SSIS
- Problem with Azure Email Communication Service Custom Domain
- How to refresh client assertion in ConfidentialClientApplication?
- Using Microsoft Graph Explorer (we have code too) we can GET All Subscriptions, but GET one by ID gives access error
- Invalid operands found for operator -eq
- nginx - php-fpm - azure container app returns truncated pages
- Adding custom headers to Azure Functions response