 

Azure Managed Identity from within a docker container running locally

I am running a Docker container consisting of an ASP.NET Core 2.2 API. This API needs access to Azure Key Vault, and I have signed in to Visual Studio with a user that has the right access policies on the Key Vault to retrieve secrets. However, when I use Visual Studio Tools for Docker to debug the container, this particular sign-in does not seem to propagate inside the container running locally. But when I run the application locally (without running it in a Docker container), the ASP.NET Core configuration provider seems to pick up my Visual Studio login. Any pointers on this are helpful.

Hari Subramaniam asked Feb 26 '19 07:02


2 Answers

I read this post about a month ago. I was looking for an answer to a similar question. I found that Docker can run Kubernetes and there is AAD-Pod-Identity https://github.com/Azure/aad-pod-identity which doesn't work for Docker Kubernetes. I forked their repository and made modifications to the mic component. Now it works for Docker Kubernetes; not sure whether the Azure team has plans to get these modifications on board or not.

You can get detailed instructions how to get things running here: https://github.com/Wallsmedia/aad-pod-identity

Alex Paskhin answered Oct 16 '22 22:10


I had the same problem with Docker and MSI on my Mac. I ended up doing the following workaround:

First, get an access token from the CLI and set it in the environment (and remember to pass it to Docker):

export ACCESS_TOKEN=$(az account get-access-token --resource=https://vault.azure.net | jq -r .accessToken)

In the code, pick it up if the token is in the environment:

using System;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

KeyVaultClient keyVaultClient;
// Token injected from the host (the export above) when debugging inside Docker.
var accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");
if (accessToken != null)
{
    // Hand the static token back from the authentication callback.
    keyVaultClient = new KeyVaultClient(
        async (string authority, string resource, string scope) => accessToken);
}
else
{
    // Outside Docker: let AzureServiceTokenProvider use the MSI / Visual Studio / CLI login.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(
            azureServiceTokenProvider.KeyVaultTokenCallback));
}
Piizei answered Oct 16 '22 23:10
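The token handed to the container in this workaround is static: the callback always returns the same string, so nothing refreshes it, and a token minted for another resource will simply be rejected by Key Vault. The following wrapper script is an added example, not part of the answer above; it acquires the token with the CLI, checks the `aud` and `exp` claims before starting the container, and passes the token only through the environment. It assumes `az`, `docker`, `base64` and `sed` are available; the image name is whatever you pass as the first argument.

```shell
#!/bin/sh
# Usage: sh run-with-token.sh my-api:dev   (image name is a placeholder)
set -e

# Decode the payload of a JWT and print one top-level claim. The signature
# is NOT verified here: this is a local sanity check on a token we just
# obtained ourselves, never an authorization decision.
jwt_claim() {
  seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
  case $(( ${#seg} % 4 )) in
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null \
    | sed -n "s/.*\"$2\":\([^,}]*\).*/\1/p" | sed 's/^"//; s/"$//'
}

# Seconds until the token's exp claim; negative when it has already expired.
token_seconds_left() {
  exp=$(jwt_claim "$1" exp)
  echo $(( exp - $(date +%s) ))
}

# Succeeds only if the token targets Key Vault and has at least $2 seconds left.
token_usable_for_vault() {
  aud=$(jwt_claim "$1" aud)
  [ "$aud" = "https://vault.azure.net" ] || [ "$aud" = "https://vault.azure.net/" ] || return 1
  [ "$(token_seconds_left "$1")" -ge "$2" ]
}

main() {
  image=$1
  token=$(az account get-access-token --resource=https://vault.azure.net \
            --query accessToken -o tsv)
  if ! token_usable_for_vault "$token" 600; then
    echo "token has the wrong audience or expires in under 10 minutes; run 'az login' again" >&2
    exit 1
  fi
  # Inject the token via the environment only; never bake it into the image.
  exec docker run --rm -e ACCESS_TOKEN="$token" -p 5000:80 "$image"
}

# Run the flow only when an image name is given, so the functions can be sourced alone.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because the CLI token is typically valid for about an hour, the container has to be restarted with a fresh token after that; the check above turns a silent 401 from Key Vault into an early, explicit failure.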