I'm trying to write a simple application to access Azure KeyVault using my own, domain joined credentials. I don't know if it's the credentials part or how I'm accessing KeyVault, but I keep getting an "Invalid URI: The format of the URI could not be determined" exception. I am able to access KeyVault using Azure PowerShell cmdlets, but not using C#.
Here's the code I have:
class Program
{
const string ClientId = "MY AAD CLIENT ID";
static void Main(string[] args)
{
Console.WriteLine("Hello, KeyVault!");
var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
var secret = client.GetSecretAsync("vaultName", "secretName").Result; // Throws Invalid URI: The format of the URI could not be determined
Console.WriteLine(secret.Value);
Console.ReadLine();
}
private static async Task<string> GetAccessToken(string authority, string resource, string scope)
{
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var authResult = await context.AcquireTokenAsync(resource, ClientId, new UserCredential());
return authResult.AccessToken;
}
}
What could be causing this? I've scoured the internet and haven't found any sample code showing how to access KeyVault this way.
To access Azure Key Vault, you'll need an Azure subscription. If you don't already have a subscription, create a free account before you begin. All access to secrets takes place through Azure Key Vault. For this quickstart, create a key vault using Azure portal, Azure CLI, or Azure PowerShell.
Create a new credential asset with the Azure portalOn the Credentials page, select Add a credential. In the New Credential pane, enter an appropriate credential name following your naming standards. Type your access ID in the User name field. For both password fields, enter your secret access key.
As @varun-puranik said, you need t specify the vaultBaseUrl
rather than the vault name.
There is new nuget package that allow to connect to Azure Keyvault without specifying the Azure Active Directory Client Id.
This approach works when you're using a managed identity
You also need to install the Microsoft.Azure.KeyVault nuget package.
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
...
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(
"https://{{my-vault-name}}.vault.azure.net/", "{{my-secret}}");
The VaultName needs to be the URL to the KeyVault, not just the name of the Vault. For example, if the name of your KeyVault is TestKeyVault, then you need to use the following code -
var secret = client.GetSecretAsync("https://testkeyvault.vault.azure.net:443", "secretName").Result;
Rest of your code looks fine.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With