Configuration Error Azure Key Vault as a Visual Studio Connected Service ConfigurationBuilder

I am trying to wire up Azure Key Vault in my ASP.NET (.Net Framework) MVC Web App using Visual Studio 2017 Community 15.7.5 Connected Service targeting .Net 4.7.2.

It adds a configBuilder with the name AzureKeyVault with an attribute called vaultName that throws a "The 'vaultName' attribute is not allowed." warning.

When I run the application I get an error that the configBuilders attribute on the appsetting tag is not good like so:

Configuration Error ConfigurationBuilder

I am using the following package versions which are all current:

  <package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
  <package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
  <package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />

There is an update to Microsoft.Azure.Services.AppAuthentication but it is a preview and it caused dependency issues with other packages.

John Donnelly asked Jul 25 '18 21:07



2 Answers

Steve Molloy was correct in that the Configuration Error was a red herring. I created a console app and the error messages were much better but they still required some investigation. Here's my Console App Code and packages:

using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

class Program
{
    static void Main(string[] args)
    {
        // AppAuthentication probes MSI, Visual Studio, Azure CLI and integrated auth in turn
        var azureServiceTokenProvider = new AzureServiceTokenProvider(
            azureAdInstance: "https://InsertAADSubscriptionName.onmicrosoft.com/");
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

        // Blocking call; inspect secret.Value with a breakpoint on the closing brace
        var secret = keyVaultClient.GetSecretAsync(
            "https://InsertKeyVaultName.vault.azure.net", "InsertSecretYouWantBack").GetAwaiter().GetResult();
    }
}

<packages>
  <package id="Microsoft.Azure.KeyVault" version="3.0.0" targetFramework="net472" />
  <package id="Microsoft.Azure.KeyVault.WebKey" version="3.0.0" targetFramework="net472" />
  <package id="Microsoft.Azure.Services.AppAuthentication" version="1.0.3" targetFramework="net472" />
  <package id="Microsoft.IdentityModel.Clients.ActiveDirectory" version="3.19.8" targetFramework="net472" />
  <package id="Microsoft.Rest.ClientRuntime" version="2.3.13" targetFramework="net472" />
  <package id="Microsoft.Rest.ClientRuntime.Azure" version="3.3.15" targetFramework="net472" />
  <package id="Newtonsoft.Json" version="11.0.2" targetFramework="net472" />
</packages>

I put a breakpoint on the last bracket and kept looking for my secret value in the variable secret. I kept getting the following error indicating that Azure AD wasn't able to authenticate my local environment and return an access token.

Parameters: Connection String: [No connection string specified], 
Resource: https://vault.azure.net, 
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88. 
Exception Message: Tried the following 4 methods to get an access token, 
    but none of them worked.
Parameters: Connection String: [No connection string specified], 
Resource: https://vault.azure.net, 
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88. 

Exception Message: Tried to get token using Managed Service Identity. 
Unable to connect to the Managed Service Identity (MSI) endpoint.
Please check that you are running on an Azure resource that has MSI setup.

Parameters: Connection String: [No connection string specified], 
Resource: https://vault.azure.net, 
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88. 
Exception Message: Tried to get token using Visual Studio. 
Access token could not be acquired. 

Parameters: Connection String: [No connection string specified], 
Resource: https://vault.azure.net, 
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88.
Exception Message: Tried to get token using Azure CLI. Access token could 
not be acquired. ERROR: Please run 'az login' to setup account.

Parameters: Connection String: [No connection string specified],
Resource: https://vault.azure.net, 
Authority: https://login.windows.net/47c8ce10-a05d-4880-9e92-0c2d2c00dc88. 
Exception Message: Tried to get token using Active Directory Integrated 
Authentication. Access token could not be acquired. get_user_name_failed: 
Failed to get user nameInner Exception : No mapping between account names 
and security IDs was done

The problem was that since I was running the app locally I needed to be logged in to Azure CLI locally. To do this: first install Azure CLI on your machine, then go to a CMD or a PowerShell prompt and type az login and follow the instructions returned.

This did the trick; the console app was able to get an access token.

I tried it on my web app in the original question above and it worked as expected.

John Donnelly answered Oct 09 '22 20:10


tldr; - you probably don't have the appropriate permissions to access the key vault.

In currently released versions of the .Net framework, detailed errors about config builders are not always easily discoverable in the ASP.NET yellow screen. We have changes in vNext to address this issue, but it is currently a problem for 4.7.1/2. For the time being, if you create a simple console app to read appSettings with the same config builder configuration, you should see more exception information in the stack that gets spit out.

Based on the yellow screen you posted though I would guess (and it's really just an educated guess based on past reports and nothing specific in your case) you are running into an authentication issue in the Microsoft.Azure.Services.AppAuthentication library. When running in Visual Studio, that library can use your personal credentials to access the key vault. If deployed in Azure, they use a different magic technology to authenticate the application to the key vault. If you want to eliminate the "magic" and take more control over this, you can specify more detailed connection information with the 'connectionString' attribute. There is more information as well as a link to connection string details on our GitHub page (MicrosoftConfigurationBuilders).

As for the "The 'vaultName' attribute is not allowed." warning... it's just a warning. The .xsd that VS uses to validate configuration was not correctly updated to allow random attributes on configBuilder definitions. We hope to address this in a future VS release around the time that the next framework ships.

Steve Molloy answered Oct 09 '22 19:10
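The following console app is an added example, not code from either answer above. It combines the two pieces of advice: John's diagnostic console app and Steve's suggestion to pin the authentication method with an explicit AppAuthentication connection string rather than letting the library try all four probes. It assumes the package versions listed in the question (Microsoft.Azure.KeyVault 3.0.0, Microsoft.Azure.Services.AppAuthentication 1.0.3); the vault name, secret name and the KEYVAULT_AUTH environment variable are placeholders and conventions chosen for this example.

```csharp
// Added example (not from the original question or answers): a diagnostic console app
// that selects ONE AppAuthentication method via a connection string and prints the
// full exception chain when a token cannot be acquired.
// Assumed packages: Microsoft.Azure.KeyVault 3.0.0, Microsoft.Azure.Services.AppAuthentication 1.0.3.
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

static class Program
{
    // Placeholder values; replace with your own vault URI and secret name.
    const string VaultUri = "https://InsertKeyVaultName.vault.azure.net";
    const string SecretName = "InsertSecretYouWantBack";

    // Local development: reuse the Azure CLI session created by 'az login'.
    const string LocalConnectionString = "RunAs=Developer; DeveloperTool=AzureCli";
    // Deployed to Azure: use the resource's Managed Service Identity, so no credentials live in config.
    const string AzureConnectionString = "RunAs=App";

    // The same connection string value goes into the config builder in web.config:
    // <add name="AzureKeyVault" vaultName="InsertKeyVaultName" connectionString="RunAs=App"
    //      type="Microsoft.Configuration.ConfigurationBuilders.AzureKeyVaultConfigBuilder, Microsoft.Configuration.ConfigurationBuilders.Azure" />

    static int Main(string[] args)
    {
        // Assumed convention: KEYVAULT_AUTH picks the method so one binary works locally and in Azure.
        string connectionString = Environment.GetEnvironmentVariable("KEYVAULT_AUTH")
            ?? LocalConnectionString;
        try
        {
            string value = ReadSecretAsync(connectionString).GetAwaiter().GetResult();
            // Report only that the secret resolved; never write secret values to logs.
            Console.WriteLine($"Secret '{SecretName}' resolved ({value.Length} chars) using '{connectionString}'.");
            return 0;
        }
        catch (Exception ex)
        {
            PrintExceptionChain(ex);
            return 1;
        }
    }

    static async Task<string> ReadSecretAsync(string connectionString)
    {
        // Passing a connection string disables the four-way probing described in the error text above.
        var tokenProvider = new AzureServiceTokenProvider(connectionString);
        using (var client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback)))
        {
            var bundle = await client.GetSecretAsync(VaultUri, SecretName).ConfigureAwait(false);
            return bundle.Value;
        }
    }

    // Walk InnerException so the concrete reason (no 'az login', no MSI endpoint, missing
    // access policy on the vault, ...) is visible instead of only the generic outer message.
    static void PrintExceptionChain(Exception ex)
    {
        int depth = 0;
        for (Exception e = ex; e != null; e = e.InnerException, depth++)
            Console.Error.WriteLine($"{new string(' ', depth * 2)}{e.GetType().Name}: {e.Message}");
    }
}
```

Run it locally after `az login` with KEYVAULT_AUTH unset; in an Azure-hosted resource set KEYVAULT_AUTH to `RunAs=App` and grant that resource's identity a Get permission on secrets in the vault's access policy. An HTTP 403 from the vault at that point means the token was acquired and the remaining problem is the access policy, which is the permission issue Steve's tl;dr points at.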