I am trying to connect from a .NET Framework app to Azure App Configuration using a Managed Identity but have permission issues.
How I connect
options.Connect(new Uri("https://myconfigstore.azconfig.io"), new ManagedIdentityCredential(clientId));
I have tried all the various clientId, objectId and applicationId GUIDs I can find using the portal, but I am always getting a bad request no matter which GUID I call it with
Azure.Identity.CredentialUnavailableException: 'ManagedIdentityCredential authentication unavailable,
the requested identity has not been assigned to this resource.
Status: 400 (Bad Request)
If I create ManagedIdentityCredential without specifying a clientId I get this error
Azure.RequestFailedException: 'Service request failed.
Status: 403 (Forbidden)
I have granted my managed identity Azure App Configuration Data permission
Is this the clientId I should be using?
Update:
I have just tried to use the Id of my active directory (AAD --> Properties) and I get a
Azure.RequestFailedException: 'Service request failed.
Status: 403 (Forbidden)
That can only mean that I am using the wrong id because otherwise it should have returned 400 (Bad Request) like in the other error I see.
Full code
    private static async Task Main()
    {
        var builder = new ConfigurationBuilder();
        const string clientId = "e589d9f1-xxxx-xxxx-xxxx-6bc940d50ab7";
        builder.AddAzureAppConfiguration(options =>
        {
            options.Connect(new Uri("https://myconfigstore.azconfig.io"), new ManagedIdentityCredential(clientId));
        });
        _configuration = builder.Build();
        Console.WriteLine("Number of keys: " + _configuration.GetChildren().Count());
        Console.WriteLine("Demo: " + _configuration["Demo"]);
    }
If you're using an Azure AD app registration to authenticate a client app, the second possible solution is to verify that the app registration has permissions configured for the Azure Digital Twins service. If these aren't configured, set them up.
In the upper-left corner of the home page, select Create a resource. In the Search services and marketplace box, enter App Configuration and select Enter. Select App Configuration from the search results, and then select Create. Select the Azure subscription that you want to use to test App Configuration.
Make sure the managed identity is granted either App Configuration Data Reader or App Configuration Data Owner role in the access control of your App Configuration instance. Wait for at least 15 minutes after the role assignment for the permission to propagate. Managed identity can ONLY work when your code is running in the Azure service.
To set up a managed identity in the portal, you first create an application and then enable the feature. Access your App Services resource in the Azure portal. If you don't have an existing App Services resource to work with, create one.
You only need to provide the client Id when you use user assigned managed identity. Make sure the managed identity is granted either App Configuration Data Reader or App Configuration Data Owner role in the access control of your App Configuration instance. Wait for at least 15 minutes after the role assignment for the permission to propagate.
To deploy the .NET Core app that you created in the Create an ASP.NET Core app with App Configuration quickstart and modified to use managed identities, follow the guidance in Publish your web app. In addition to App Service, many other Azure services support managed identities.
This document demonstrates how to use managed identity to access App Configuration from App Service, but you can replace the App Service with any other Azure services that support managed identity. https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity
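The two failure modes discussed above, separated in code. This is an added example, not code from the question, the answers or the Microsoft documentation. It assumes the Azure.Identity and Microsoft.Extensions.Configuration.AzureAppConfiguration packages; the UAMI_CLIENT_ID environment variable and the Diagnose helper are hypothetical names introduced for illustration.

```csharp
using System;
using System.Linq;
using Azure;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

internal static class Program
{
    private static void Main()
    {
        // Endpoint taken from the question. UAMI_CLIENT_ID is a hypothetical variable,
        // set only when a user-assigned identity is attached to the host resource.
        var endpoint = new Uri("https://myconfigstore.azconfig.io");
        string clientId = Environment.GetEnvironmentVariable("UAMI_CLIENT_ID");
        if (string.IsNullOrWhiteSpace(clientId)) clientId = null;

        // A null client ID selects the system-assigned identity of the host resource.
        var credential = new ManagedIdentityCredential(clientId);

        try
        {
            IConfiguration config = new ConfigurationBuilder()
                .AddAzureAppConfiguration(o => o.Connect(endpoint, credential))
                .Build();
            Console.WriteLine("Number of keys: " + config.GetChildren().Count());
        }
        catch (Exception ex)
        {
            Console.Error.WriteLine(Diagnose(ex));
            Environment.ExitCode = 1;
        }
    }

    // Walks the exception chain, since the failure may arrive wrapped in another exception.
    private static string Diagnose(Exception ex)
    {
        for (Exception e = ex; e != null; e = e.InnerException)
        {
            if (e is CredentialUnavailableException)
                return "No token: this identity is not assigned to the resource running the code, "
                     + "or the code is not running in an Azure service.";
            if (e is RequestFailedException rfe && rfe.Status == 403)
                return "Token issued, access denied: grant this identity App Configuration Data Reader "
                     + "on the store and wait for the role assignment to propagate.";
        }
        return "Unexpected failure: " + ex.Message;
    }
}
```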
Here are a few things I'd like to call out