 

Is there any way to access Azure Key Vault without azure AD?

I want to use Azure Key Vault to store the connection strings of a console app which doesn't have Azure AD authentication.

So, is there any way to access Azure Key Vault without Azure AD?

asked Dec 21 '17 by user7745736


2 Answers

Unfortunately, you cannot access Azure Key Vault without Azure AD authentication for now.

Key vault client applications will need to access Azure Active Directory endpoints for authentication. The endpoint used depends on the Azure AD tenant configuration, the type of principal (user principal or service principal), and the type of account.

You can see more details about the Authentication of Azure Key Vault in this official document.

Also, if this is important to you, you can post your idea on this UserVoice page. The Azure team will see it.

answered Oct 12 '22 by Wayne Yang


Not directly, no. Key Vault requires AAD authentication. You will need to have something/someone registered with AAD to retrieve secrets (your connection strings) from the Key Vault.

Do you specifically want to use Key Vault to store your connection strings, or do you just want somewhere to keep them in Azure and aren't fixed on Azure Key Vault? If you aren't fixed on Key Vault, and aren't using it for anything else, maybe consider putting your connection strings in an Azure Storage Account? You could store the connection strings in an Azure Table, a file in an Azure Blob, or an Azure File, etc. Whatever works best for you - it'll still be encrypted at rest. https://learn.microsoft.com/en-us/azure/storage/

I'm guessing you don't want to go through authentication of the user, you'd just like to get to the connection strings. My answer is based on that assumption.

You'll still need something that acts as an intermediary for your console app. Something needs to authenticate within Azure to get to the connection strings. I'd suggest trying an https triggered Azure Function as a simple, lightweight way to do that. You can use function-level authorisation, in which you embed a function key in your native app's code. It uses that code in the GET call to the function endpoint to establish its authorisation to call the function. I found this link helpful when I did it: http://dontcodetired.com/blog/post/Azure-HTTP-Function-Authorization-with-Function-Keys

The function can then either:

a) give out a time-limited Shared Access Signature to your Storage Account where the connection strings are, if you favour that approach, https://learn.microsoft.com/en-us/azure/storage/common/storage-dotnet-shared-access-signature-part-1

OR

b) actually store the connection strings in a local file in the function directory or as function app settings, if you're not actually wanting encryption-at-rest in Azure (local files are accessible through the function's optional ExecutionContext parameter's FunctionDirectory member)

OR

c) if you still want to use Key Vault, register your function app in AAD, and have it call through to Key Vault on behalf of your console app.

The https function app can then act as your gatekeeper, with a simple function key embedded in your console app as the authorisation. You can keep the return type of the function to just the connection strings you need, and not open anything else up to your console app.

An ASP.NET Web API service would do just as well, but the pay-for-use nature of Functions may make it more cost-effective if it's not called frequently (YMMV).

This is all based on the assumption you don't want to authenticate your users. If you do, but they're external and you don't want to use AAD, you may want to look into Azure B2C to authorise access. I haven't tried that yet, but here's the link:

https://azure.microsoft.com/en-gb/services/active-directory-b2c/

answered Oct 12 '22 by Fritz von Rock
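Option (c) from the answer above, written out as an added example (this is not code from the answer or from Microsoft's documentation): an in-process .NET HTTP-triggered Azure Function that authorises callers with a function key, reads the requested secret from Key Vault using the function app's managed identity, and hands back only the connection strings on a fixed allow-list. It uses the Azure.Identity and Azure.Security.KeyVault.Secrets packages; the KEYVAULT_URI setting, the route, and the secret names in the allow-list are assumptions made for the example.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Microsoft.Extensions.Logging;

namespace ConnStringGatekeeper
{
    public static class GetConnectionString
    {
        // One client for the lifetime of the worker. DefaultAzureCredential resolves to the
        // function app's managed identity in Azure (and to your local az/VS login when debugging),
        // so the function itself is the AAD principal that Key Vault sees; the console app never is.
        // KEYVAULT_URI is an assumed app setting, e.g. https://myvault.vault.azure.net/
        private static readonly SecretClient Secrets = new SecretClient(
            new Uri(Environment.GetEnvironmentVariable("KEYVAULT_URI")),
            new DefaultAzureCredential());

        // Allow-list: the only Key Vault secrets this endpoint will ever return, keyed by the
        // short name the console app asks for. Anything else in the vault stays unreachable
        // through this function, which is what keeps the embedded function key low-value.
        // (Both entries are assumed names for the example.)
        private static readonly IReadOnlyDictionary<string, string> Allowed =
            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
            {
                ["orders-db"]    = "orders-db-connection-string",
                ["reporting-db"] = "reporting-db-connection-string",
            };

        // AuthorizationLevel.Function: the runtime rejects the request before this code runs
        // unless a valid function/host key is present in the x-functions-key header or ?code=.
        [FunctionName("GetConnectionString")]
        public static async Task<IActionResult> Run(
            [HttpTrigger(AuthorizationLevel.Function, "get", Route = "connstrings/{name}")] HttpRequest req,
            string name,
            ILogger log)
        {
            if (string.IsNullOrEmpty(name) || !Allowed.TryGetValue(name, out var secretName))
            {
                // Same answer for "not on the list" and "does not exist": the caller gets
                // no way to enumerate what the vault holds.
                return new NotFoundResult();
            }

            try
            {
                KeyVaultSecret secret = await Secrets.GetSecretAsync(secretName);

                // Log who fetched what, never the value itself.
                log.LogInformation("Served connection string '{Name}' to {Ip}",
                    name, req.HttpContext.Connection.RemoteIpAddress);

                return new ContentResult
                {
                    Content = secret.Value,
                    ContentType = "text/plain",
                    StatusCode = StatusCodes.Status200OK
                };
            }
            catch (RequestFailedException ex) when (ex.Status == 403 || ex.Status == 404)
            {
                // The managed identity lacks a 'get' secret permission / access-policy entry,
                // or the secret was renamed or removed. Do not echo ex.Message to the caller.
                log.LogError(ex, "Key Vault refused secret '{SecretName}'", secretName);
                return new StatusCodeResult(StatusCodes.Status502BadGateway);
            }
        }
    }
}
```

The console app then issues `GET https://<your-app>.azurewebsites.net/api/connstrings/orders-db` with an `x-functions-key: <function key>` header and receives only that one string. Two points worth keeping in mind with this design: the function app's identity needs a Key Vault access policy (or RBAC role) granting secret `get` and nothing more, and the function key embedded in the console app is a static shared secret that anyone who can read the binary can extract, so the allow-list above, rather than the key, is what bounds the damage; rotate the key and watch the function's logs accordingly.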