 

Unable to get access to Key Vault using Azure MSI on App Service

I have enabled Managed Service Identities on an App Service. However, my WebJobs seem unable to access the keys.

They report:

Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.microsoftonline.com/common. Exception Message: Tried to get token using Active Directory Integrated Authentication. Access token could not be acquired. password_required_for_managed_user: Password is required for managed user
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,

Kudu does not show any MSI_ environment variables.

How is this supposed to work? This is an existing App Service Plan.

Jerome Haltom asked Sep 19 '17 18:09



2 Answers

For the folks that will come across these answers, I would like to share my experience.

I got this problem with Azure Synapse pipeline run. Essentially I added access policies properly to the KeyVault, and also I added a LinkedService to the Azure Synapse pointing to my KeyVault.

If I trigger the notebook manually it works, but in the pipeline, it fails.

Initially, I used the following statement:

url = TokenLibrary.getSecret("mykeyvault", "ConnectionString")

Then I added the name of the linked service as a third parameter, and the pipeline was able to leverage that linked service to obtain the MSI token for a Vault.

url = TokenLibrary.getSecret("mykeyvault", "ConnectionString", "AzureKeyVaultLinkedServiceName")
kgalic answered Sep 20 '22 11:09



Enable the identity and give access to your Azure Function app in Key Vault via an access policy. You can find the identity in the Platform features tab. These two steps work for me.

Santosh Kumar answered Sep 19 '22 11:09

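The question's symptom (no MSI_ variables in Kudu, "Unable to connect to the Managed Service Identity (MSI) endpoint") and the last answer's fix (enable the identity, then grant it access in the vault's access policy) both come down to the same mechanism: once a managed identity is enabled, the App Service platform injects a local token endpoint address and a per-instance secret into the process environment, the app exchanges them for a bearer token, and Key Vault then checks that token against its access policy. The following is an added example, not code from the question or either answer, that walks through that flow with the REST calls the AppAuthentication library makes under the hood. The environment values and the vault/secret names are constructed for illustration; the endpoint variable names, header names and api-versions are the ones App Service documents.

```python
import json
import urllib.parse
import urllib.request

# Environment variables the App Service platform injects into the process once a
# managed identity is enabled. The MSI_* pair is what the AppAuthentication
# library in the question probes; newer App Service stacks also expose the
# IDENTITY_* pair, which uses a different header name and api-version.
ENDPOINT_VARIANTS = (
    ("IDENTITY_ENDPOINT", "IDENTITY_HEADER", "X-IDENTITY-HEADER", "2019-08-01"),
    ("MSI_ENDPOINT", "MSI_SECRET", "Secret", "2017-09-01"),
)


def build_msi_token_request(env, resource="https://vault.azure.net"):
    """Return (url, headers) for the local token endpoint, or None when the
    platform has not injected the variables (the symptom in the question)."""
    for endpoint_var, secret_var, header_name, api_version in ENDPOINT_VARIANTS:
        endpoint = env.get(endpoint_var)
        secret = env.get(secret_var)
        if endpoint and secret:
            query = urllib.parse.urlencode(
                {"resource": resource, "api-version": api_version}
            )
            return f"{endpoint}?{query}", {header_name: secret}
    return None


def diagnose(env):
    """Plain-language verdict on the environment, usable from a Kudu console."""
    request = build_msi_token_request(env)
    if request is None:
        return ("no MSI_ENDPOINT/MSI_SECRET or IDENTITY_ENDPOINT/IDENTITY_HEADER "
                "in the process environment: the managed identity is not enabled "
                "on this App Service, so the token endpoint cannot be reached")
    url, _ = request
    return f"MSI token endpoint present at {url.split('?', 1)[0]}"


def get_token(env, resource="https://vault.azure.net"):
    """Exchange the platform secret for an access token (network call)."""
    request = build_msi_token_request(env, resource)
    if request is None:
        raise RuntimeError(diagnose(env))
    url, headers = request
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)["access_token"]


def get_secret(env, vault_name, secret_name):
    """Read a secret through the Key Vault REST API. The identity must also be
    granted 'Get' on secrets in the vault's access policy (the second answer),
    otherwise this call returns 403 even though the token was issued."""
    token = get_token(env)
    url = (f"https://{vault_name}.vault.azure.net/secrets/"
           f"{urllib.parse.quote(secret_name)}?api-version=7.0")
    request = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(request) as resp:
        return json.load(resp)["value"]


if __name__ == "__main__":
    import os
    # Run from the Kudu console of the App Service to see which case applies.
    print(diagnose(os.environ))
```

Running `diagnose` on the real process environment separates the two failure modes cleanly: no variables at all means the identity was never enabled (or the WebJob is running on a host where the platform did not inject them), while a present endpoint followed by a 403 from Key Vault means the token was issued but the access policy does not list the identity.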