How to access Azure Keyvault from docker container running locally?

I have a docker image containing an ASP.NET Core app that uses Azure Key vault to access things like connection strings. When I run the image locally, I get this error:

Unhandled Exception: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set. Parameters: Connection String: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/[guid]. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory 

From what I understand, it first tries to get the access token as a managed service identity. As it's not running in the Azure cloud, it can't do this and tries to get it through the Visual Studio connected service. As this won't be on the docker image, it tries using the Azure CLI, but this isn't installed on the docker image.

So I need to install the Azure CLI into the docker image. How is this done, given that the base image of the Dockerfile is FROM microsoft/dotnet:2.1-aspnetcore-runtime?

Is this base image an Alpine OS image, so do I need to look at installing Azure CLI with Alpine?

Assuming I have Azure CLI installed, is there a way to access Key vault without storing any credentials in Dockerfile source code or passing them to the container through plain text?

More generally, what is the best approach here?

zola25 asked Mar 19 '19 18:03



1 Answer

My current solution is to use an environment variable with the access token.

Get the key and store it in an environment variable (after you have done an az login and set the correct subscription):

```powershell
$Env:ACCESS_TOKEN=(az account get-access-token --resource=https://vault.azure.net | ConvertFrom-Json).accessToken
```

Then we add that environment variable in Visual Studio:

Change the code to:

```csharp
// Goes inside ConfigureAppConfiguration((ctx, config) => { ... }) in Program.cs.
// Needs the Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication
// and Microsoft.Extensions.Configuration.AzureKeyVault packages.
config.AddEnvironmentVariables();
var builtConfig = config.Build();   // build what is configured so far, to read KeyVaultName

KeyVaultClient keyVaultClient;
var accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");

if (accessToken != null)
{
    // Local run: hand back the token obtained from the Azure CLI on the host.
    keyVaultClient = new KeyVaultClient(
        async (string a, string r, string s) => accessToken);
}
else
{
    // In Azure: let AzureServiceTokenProvider use Managed Service Identity etc.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(
            azureServiceTokenProvider.KeyVaultTokenCallback));
}

config.AddAzureKeyVault(
    $"https://{builtConfig["KeyVaultName"]}.vault.azure.net/",
    keyVaultClient,
    new DefaultKeyVaultSecretManager());
```
E. Staal answered Sep 24 '22 02:09
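The same approach from a Linux host running the container, as an added example that is not part of the answer above: the host's Azure CLI mints a Key Vault-scoped token, the script checks its audience and expiry before use, and the token reaches the container only through the `ACCESS_TOKEN` variable the C# reads, never through the Dockerfile or image layers. It assumes bash with GNU coreutils, `az` and `docker` on the host; the image name `myapp:local` and the `KeyVaultName` variable are placeholders.

```bash
#!/usr/bin/env bash
# Added example, not the answer's code. Assumes bash, GNU coreutils, az and
# docker on the host; "myapp:local" is a placeholder image name.
set -euo pipefail

VAULT_RESOURCE="https://vault.azure.net"

# Decode the payload segment of a JWT (base64url, unpadded) to its JSON text.
jwt_payload() {
  local p=${1#*.}            # drop the header segment
  p=${p%%.*}                 # drop the signature segment
  case $(( ${#p} % 4 )) in 2) p="$p==";; 3) p="$p=";; esac
  printf '%s' "$p" | tr '_-' '/+' | base64 -d
}

# Return 0 if the token was issued for Key Vault and is still valid at epoch $2.
# A CLI token carries the logged-in user's full Key Vault rights and expires in
# about an hour, so refuse a wrong audience or an already expired token.
token_ok() {
  local json aud exp
  json=$(jwt_payload "$1")
  aud=$(printf '%s' "$json" | sed -n 's/.*"aud":"\([^"]*\)".*/\1/p')
  exp=$(printf '%s' "$json" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  [ "${aud%/}" = "$VAULT_RESOURCE" ] && [ -n "$exp" ] && [ "$exp" -gt "$2" ]
}

# Obtain a fresh token (after `az login`) and start the container with it.
# The token lives only in the running container's environment; rerun the
# script once it expires rather than storing it anywhere.
run_with_token() {
  local token
  token=$(az account get-access-token --resource "$VAULT_RESOURCE" \
            --query accessToken -o tsv)
  token_ok "$token" "$(date +%s)" || { echo "token not usable for Key Vault" >&2; return 1; }
  docker run --rm -e ACCESS_TOKEN="$token" -e KeyVaultName="$1" myapp:local
}
```

Anything passed with `-e` is visible to anyone who can run `docker inspect` on the host, so this is a local-development convenience, not a pattern for shared machines.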