
I would like to retrieve Key Vault secrets using a managed identity in a Web API.

  1. Created a Web API with DefaultAzureCredential.
     [screenshot of the Web API code, not reproduced]
  2. Able to retrieve the data using the above code.
  3. Built the image and pushed it to Azure Container Registry.
  4. Created an Azure Container Instance using the above image.
  5. Provided Key Vault Reader and Key Vault Secrets User by selecting the instance under managed identity.
  6. When I try to access the API that reads the data from Azure Key Vault, it gives a 404 error.

    ManagedIdentityCredential authentication failed: DefaultIdentityNotDefined
    Status: 404 (Not Found)
    ErrorCode: DefaultIdentityNotDefined

    Content:
    {
      "error": {
        "code": "DefaultIdentityNotDefined

How can I access the Key Vault data inside the Container Instance Web API?


Answers


  1. It seems you’re using Azure Container Apps and you have 2 options in there:

    1. Use of System Managed Identity (recommended)
    2. Use of User Managed Identity

    For either of them, the configuration must be enabled and done like this:
    [screenshot of the Managed Identity settings, not reproduced]

    And the process to do so is defined in the official documentation here.

    Also, in order to have access to the Key Vault secrets, you must add an Access Policy for that Managed Identity with at least Get and List permissions on secrets. It might be worth taking a look at the section on adding Key Vault secret references to your Container App here.

    As per the error, it seems you haven’t enabled the Managed Identity yet; therefore, there is no identity defined to connect to the Key Vault.

    UPDATE

    Since what you’re using is Azure Container Instance, then you should follow the official guide for enabling the Managed Identity

  2. If you look into the docs of DefaultAzureCredential, it combines several credential types:

    • EnvironmentCredential
    • ManagedIdentityCredential

    If your instance can’t connect to the Azure key vault, it may not have the correct permissions for managed identity.

    1. You need to enable managed identity on your App Service.
      https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#add-a-system-assigned-identity

    2. You need to assign permissions to access key vault for this managed identity:
      https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/tutorial-windows-vm-access-nonaad

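Both answers describe the same two steps in portal terms: enable a managed identity on the compute resource, then grant that identity access to the vault's secrets. The script below is an added example, not code from the question or from either answer, that carries out those steps with the Azure CLI for an Azure Container Instance. It also shows the omission behind the question's 404: a container group created without `--assign-identity` has no identity for ManagedIdentityCredential to use. The resource group, container group, image and vault names are placeholders, the principal id and vault resource id printed in dry-run mode are placeholders too, and DRY_RUN defaults to 1 so the script prints the commands instead of executing them.

```shell
#!/usr/bin/env sh
# Added example, not code from the question or either answer.
# Azure CLI version of the steps both answers describe, for an Azure Container
# Instance: create the container group with a managed identity, then grant
# that identity access to Key Vault secrets. All resource names are placeholders.
set -eu

RG="${RG:-rg-example}"                              # placeholder resource group
ACI_NAME="${ACI_NAME:-webapi-aci}"                  # placeholder container group
IMAGE="${IMAGE:-myregistry.azurecr.io/webapi:1.0}"  # placeholder ACR image
KV_NAME="${KV_NAME:-kv-example}"                    # placeholder Key Vault name
DRY_RUN="${DRY_RUN:-1}"                             # 1 = print commands, 0 = run them

# Print the command (dry run) or execute it.
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Step 1: create the container group WITH a system-assigned managed identity.
# Leaving out --assign-identity is what produces the question's
# "404 DefaultIdentityNotDefined": the token endpoint answers, but no identity
# is attached to the container group.
create_aci_with_identity() {
  run az container create \
    --resource-group "$RG" \
    --name "$ACI_NAME" \
    --image "$IMAGE" \
    --environment-variables "KEY_VAULT_URI=https://${KV_NAME}.vault.azure.net/" \
    --assign-identity
}

# Step 2: read back the identity's object (principal) id; both the role
# assignment and the access policy key on it. Placeholder GUID in dry-run mode.
aci_principal_id() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "00000000-0000-0000-0000-000000000000"   # placeholder, not a real id
  else
    az container show --resource-group "$RG" --name "$ACI_NAME" \
      --query identity.principalId -o tsv
  fi
}

# Step 3a, vaults using Azure RBAC (the roles the question mentions): reading
# secrets needs "Key Vault Secrets User" scoped to the vault. "Key Vault Reader"
# only grants control-plane metadata access, so it is not enough on its own.
grant_secrets_user_rbac() {
  principal_id="$1"
  if [ "$DRY_RUN" = "1" ]; then
    kv_id="/subscriptions/<subscription-id>/resourceGroups/${RG}/providers/Microsoft.KeyVault/vaults/${KV_NAME}"
  else
    kv_id=$(az keyvault show --name "$KV_NAME" --query id -o tsv)
  fi
  run az role assignment create \
    --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" \
    --scope "$kv_id"
}

# Step 3b, vaults using access policies (what answer 1 describes): grant only
# the get and list secret permissions the API needs.
grant_secrets_access_policy() {
  principal_id="$1"
  run az keyvault set-policy \
    --name "$KV_NAME" \
    --object-id "$principal_id" \
    --secret-permissions get list
}

main() {
  create_aci_with_identity
  pid=$(aci_principal_id)
  # Use one of the two grants, depending on the vault's permission model.
  grant_secrets_user_rbac "$pid"
  # grant_secrets_access_policy "$pid"
}

main
```

Run it once with the default DRY_RUN=1 to review the planned commands, then with DRY_RUN=0 and real names to apply them. A vault is configured for either Azure RBAC or access policies, not both, so only one of the two grant functions applies to a given vault; in both models the identity gets secret access only, which is all the API in the question needs.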