Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Connection to Azure Vault using MSI

Tags:

c

.net

azure

azure-security

shared-secret

I am trying to connect to my azure vault from a console application with using MSI

For this vault i have added my user as the Selected Principle
the code i am using to connect is 

var azureServiceTokenProvider = new AzureServiceTokenProvider();

var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

var secret = await keyVaultClient.GetSecretAsync("https://<vaultname>.vault.azure.net/secrets/<SecretName>").ConfigureAwait(false);

I get the following exception

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority

enter image description here

like image 970
MicroMan Avatar asked Feb 28 '18 10:02

MicroMan

1 Answers

  1. Enable Managed Service Identity in the Configuration blade under your virtual machine.

Enable MSI in the virtual machine configuration blade

  1. Search for NameOfYourVM service principal and add it to your Key Vault under Access Policies. Add key/secret/certificate permissions.

Add Service Principal to Key Vault

  1. On your Azure VM, run the console app.
class Program
{
    // Target C# 7.1+ in your .csproj for async Main
    static async Task Main()
    {
        var azureServiceTokenProvider = new AzureServiceTokenProvider();

        var keyVaultClient = new KeyVaultClient(
              new KeyVaultClient.AuthenticationCallback(
                    azureServiceTokenProvider.KeyVaultTokenCallback));

        var secret = await keyVaultClient.GetSecretAsync(
              "https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME");

        Console.WriteLine(secret.Value);
        Console.ReadLine();
    }
}

Console output

To run locally, create your very own Azure AD application registration (Web App/Web API type to make it a confidential client), add it to Key Vault and use its client_id and client_secret when acquiring the access token —
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application#gettoken

As Varun mentioned in the comments, there's now a better way to get an access token when running locally without exposing a service principal —

https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#local-development-authentication

like image 185
evilSnobu Avatar answered Oct 18 '22 14:10

evilSnobu
Sign in to Comment

Related questions

How to print out a slash (/ or \) in C?
What is the performance difference between gawk and ....? [closed]
Program without semicolon compiles fine in C not in C++ why?
Is a struct {...}; a type or an unnamed variable?
what defines a recursive function?
Does fork() duplicate all the memory of the parent?
C union - please explain
Understand comma operator
Dynamically Find the Edge of a Rectangle
How to use fgets properly in a structure?
C Relational Operator Output
Do macros in C++ improve performance?
C turning char arrays into int behaving weird
error C2036: 'void *' : unknown size
Multiple locks with mutex and the possibility of a deadlock
ARM Neon: How to convert from uint8x16_t to uint8x8x2_t?
Why does the makefile insist on compiling things it should not?
c/linux infinite loop application: deallocate memory if kill -9 command is called
Re-declaring variable inside for loop in C
pipeline echo to gcc?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!