How do I access Azure Key Vault using user credentials?

I'm trying to write a simple application to access Azure KeyVault using my own, domain joined credentials. I don't know if it's the credentials part or how I'm accessing KeyVault, but I keep getting an "Invalid URI: The format of the URI could not be determined" exception. I am able to access KeyVault using Azure PowerShell cmdlets, but not using C#.

Here's the code I have:

using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

class Program
{
    const string ClientId = "MY AAD CLIENT ID";

    static void Main(string[] args)
    {
        Console.WriteLine("Hello, KeyVault!");
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
        // First argument is passed as a bare vault name, not the vault's base URL
        var secret = client.GetSecretAsync("vaultName", "secretName").Result; // Throws Invalid URI: The format of the URI could not be determined
        Console.WriteLine(secret.Value);
        Console.ReadLine();
    }

    // KeyVaultClient calls this with the authority and resource taken from the vault's 401 challenge
    private static async Task<string> GetAccessToken(string authority, string resource, string scope)
    {
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
        // An empty UserCredential requests integrated (domain) authentication for the current user
        var authResult = await context.AcquireTokenAsync(resource, ClientId, new UserCredential());
        return authResult.AccessToken;
    }
}

What could be causing this? I've scoured the internet and haven't found any sample code showing how to access KeyVault this way.

Bonz0 asked Apr 27 '16 17:04


2 Answers

As @varun-puranik said, you need to specify the vaultBaseUrl rather than the vault name.

There is a new NuGet package that allows connecting to Azure Key Vault without specifying the Azure Active Directory Client Id.
This approach works when you're using a managed identity:

  • Microsoft.Azure.Services.AppAuthentication

You also need to install the Microsoft.Azure.KeyVault nuget package.

using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

...

var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
     new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(
    "https://{{my-vault-name}}.vault.azure.net/", "{{my-secret}}");
Thomas answered Sep 21 '22 04:09


The VaultName needs to be the URL to the KeyVault, not just the name of the Vault. For example, if the name of your KeyVault is TestKeyVault, then you need to use the following code -

var secret = client.GetSecretAsync("https://testkeyvault.vault.azure.net:443", "secretName").Result;

Rest of your code looks fine.

Varun Puranik answered Sep 21 '22 04:09
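Putting both answers together, here is a complete console version of the asker's user-credential approach. This is an added example, not code from either answer: the vault is addressed by its full base URL, built from the name and checked to be an https vault.azure.net endpoint before use, and the token callback only issues tokens for the Key Vault resource. It assumes the public Azure cloud (resource https://vault.azure.net), the same Microsoft.Azure.KeyVault and ADAL packages as the question, and a placeholder ClientId.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

class Program
{
    // Placeholder: the AAD application (client) id registered for this tool.
    const string ClientId = "MY AAD CLIENT ID";

    // Turn a bare vault name into the base URL KeyVaultClient expects and
    // refuse anything that is not an https *.vault.azure.net endpoint.
    static string VaultBaseUrl(string vaultName)
    {
        var url = $"https://{vaultName}.vault.azure.net/";
        if (!Uri.TryCreate(url, UriKind.Absolute, out var uri)
            || uri.Scheme != Uri.UriSchemeHttps
            || !uri.Host.EndsWith(".vault.azure.net", StringComparison.OrdinalIgnoreCase))
            throw new ArgumentException($"Not a Key Vault URL: {url}");
        return uri.AbsoluteUri;
    }

    // Token callback: authority and resource come from the vault's 401 challenge.
    // Only hand out a token for the Key Vault resource (public cloud assumed).
    static async Task<string> GetAccessToken(string authority, string resource, string scope)
    {
        if (!resource.StartsWith("https://vault.azure.net", StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException($"Unexpected resource: {resource}");
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
        // Empty UserCredential = integrated auth as the current domain-joined user.
        var result = await context.AcquireTokenAsync(resource, ClientId, new UserCredential());
        return result.AccessToken;
    }

    static async Task Main(string[] args)
    {
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
        // "vaultName" and "secretName" are placeholders, as in the question.
        var secret = await client.GetSecretAsync(VaultBaseUrl("vaultName"), "secretName");
        // Confirm retrieval by identifier; do not echo the secret value to the console.
        Console.WriteLine($"Retrieved {secret.Id}");
    }
}
```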