How to ask DefaultAzureCredential to use my user credential locally

DaPanda
September 9, 2022
212 views
0 votes
2 Answers

I’m trying to develop a web app on an Azure VM that uses Azure Key Vault. Later this app will also be deployed to Azure. As far as I know, the most straight forward way to make the app work, both locally and deployed, with the key vault, is to use the DefaultAzureCredential class. The code would be like this:

string kvUri = "https://" + keyvaultName + ".vault.azure.net";
SecretClient client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
KeyVaultSecret secret = await client.GetSecretAsync(secretName);

At runtime, the provider will try different credential types in order.

This sounds exactly what I want:

When developing locally (on the Azure VM, though), I want to use my user credential (user identity added to the key vault’s permission) without any configuration, since I have already logged into the Visual Studio using the same user credential.
Once deployed to Azure, I want to use the app registration credential (also added to the key vault’s permission).

But when running the app locally, I’m getting a 403 error The user, group or application .... does not have secrets get permission on key vault ...

After looking up the object id in the error message, I realize it’s the dev machine Azure VM’s credential that the application uses, not my user credential.

Is there a way to change this behavior?

Tags: azure

Answers

- monika
- September 9, 2022 at 7:41 am
- 0 votes
0
Create and identity if you wish to use (default identity)
appservice -> select you application -> identity->enable it ->should give you a Id
and than add it to key Vault Access policy
alternatively app registration can be used with tenantId,clientId,secret to connect to keyvault

Login or Signup to reply.

- Alex
- September 9, 2022 at 7:41 am
- 0 votes
0
To prevent the Azure VM from getting a token, you can exclude the ManagedIdentityCredential in your Development environment and only enable it in a Non-Development environment.
```
        if (environment.IsDevelopment())
        {
            var credentials = new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeManagedIdentityCredential = true,
                ExcludeAzureCliCredential = true
            });
        }
        else
        {
            var credentials = new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeVisualStudioCodeCredential = true,
                ExcludeVisualStudioCredential = true
            });
        }
```
Once deployed to Azure, I want to use the app registration credential (also added to the key vault’s permission).

An Azure App Service can use a managed identity as well. There is no need for a separate App Registration.

See https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme#key-concepts for more information.
Login or Signup to reply.

Please signup or login to give your own answer.

Click here to cancel reply.