
I have an Azure resource group and a user managed identity which has access to my Azure KeyVault, but I do not seem to understand how this should work locally. I want to access my dev environment key vault when running my application locally, and this is how I was able to make this work (current solution below). What I ended up doing was creating a service principal and using the credentials to access the key vault only when in the local environment. If the environment is dev, stage, or production, then it will use the DefaultAzureCredential (user-managed identity).

It definitely works, but it does not seem like the correct way of doing this. Is there any advice or pointers I can get to be able to do this in a better way? Thank you.

using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

// `environment` is the IHostEnvironment and `build` the IConfigurationBuilder
// from the surrounding host setup; "KeyVaultUri", "tenantId", "clientId" and
// "clientSecret" are placeholders for the real values.
string keyVaultEndpoint = "KeyVaultUri";
if (environment.EnvironmentName.ToLowerInvariant() == "localhost")
{
    // Local development only: authenticate with a service principal's client secret.
    var client = new SecretClient(new(keyVaultEndpoint),
        new ClientSecretCredential("tenantId",
        "clientId",
        "clientSecret"));

    build.AddAzureKeyVault(client, new KeyVaultSecretManager());
}
else
{
    // dev / stage / production: DefaultAzureCredential picks up the managed identity.
    // For a user-assigned identity, pass its client id explicitly:
    //var secretClient = new SecretClient(new(keyVaultEndpoint), new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = "clientId" }));
    var secretClient = new SecretClient(new(keyVaultEndpoint), new DefaultAzureCredential());
    build.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
}

Configuration = build.Build();

2 Answers


  1. In case you are only using secrets and keys, you can use Lowkey Vault too. It won’t help you with the if-else you have shared (in fact it can make it a bit worse), but you can avoid sharing credentials or relying on cloud resources while running tests or starting your app locally.

  2. It may not be a better way, but if you are going to share the credentials of a service principal with your team, then you might as well grant the team access – the best way is to create a security group with your dev team as members, and give the security group the minimum permissions needed for the key vault.

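Putting the question and the second answer together, as an added example that is not from the original post or either answer: once each developer's own account has access to the vault through a security group, the local branch with the service principal secret can be dropped entirely, because a credential chain can fall back to the developer's signed-in identity whenever no managed identity is available. The code below assumes the NuGet packages named in its comments, two settings keys (`KeyVault:Uri` and `KeyVault:ManagedIdentityClientId`) that the original never mentions, and a developer who has run `az login` or signed in to Visual Studio with an account in that group.

```csharp
using System;
using Azure.Core;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

// Added example, not code from the question or the answers.
// Packages assumed: Azure.Identity, Azure.Security.KeyVault.Secrets,
// Azure.Extensions.AspNetCore.Configuration.Secrets, Microsoft.Extensions.Hosting.
public static class KeyVaultConfigurationExtensions
{
    // One code path for every environment: no environment check and no client
    // secret. Locally the chain ends at the developer's own sign-in.
    public static IConfigurationBuilder AddKeyVaultWithoutSharedSecret(
        this IConfigurationBuilder builder,
        Uri keyVaultUri,
        string? userAssignedIdentityClientId = null)
    {
        // Order matters: the first credential that can produce a token wins.
        // 1. In Azure the (user-assigned) managed identity answers.
        // 2. On a developer machine there is no IMDS endpoint, so
        //    ManagedIdentityCredential reports itself unavailable and the chain
        //    falls through to the Azure CLI (`az login`) or Visual Studio sign-in.
        // Unlike DefaultAzureCredential, this explicit chain never reads
        // AZURE_CLIENT_SECRET from the environment, so a shared or leaked
        // service-principal secret cannot silently take over authentication.
        TokenCredential credential = new ChainedTokenCredential(
            new ManagedIdentityCredential(userAssignedIdentityClientId),
            new AzureCliCredential(),
            new VisualStudioCredential());

        var client = new SecretClient(keyVaultUri, credential);
        return builder.AddAzureKeyVault(client, new KeyVaultSecretManager());
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        var host = Host.CreateApplicationBuilder(args);

        // Assumed settings keys (not from the original): the vault URI and the
        // user-assigned identity's client id live in appsettings or environment
        // variables, never in source.
        var vaultUri = new Uri(host.Configuration["KeyVault:Uri"]
            ?? throw new InvalidOperationException("KeyVault:Uri is not configured"));
        var identityClientId = host.Configuration["KeyVault:ManagedIdentityClientId"];

        // ConfigurationManager implements IConfigurationBuilder, so the
        // extension method applies directly to the host's configuration.
        host.Configuration.AddKeyVaultWithoutSharedSecret(vaultUri, identityClientId);

        // Secrets are now ordinary configuration values: a vault secret named
        // "Db--Password" is exposed as "Db:Password" (KeyVaultSecretManager maps "--" to ":").
        string? dbPassword = host.Configuration["Db:Password"];
        Console.WriteLine(dbPassword is null ? "Db:Password not found" : "Db:Password loaded");

        host.Build().Run();
    }
}
```

Two practical notes. First, the developer accounts (via the security group) need the same vault permission the managed identity has, i.e. the Key Vault Secrets User RBAC role or a get/list secrets access policy, otherwise the local fallback authenticates but the secret load fails with a 403. Second, the chain order means that on a machine outside Azure the managed identity attempt has to fail before the CLI credential is tried, so a short delay at startup locally is expected; `VisualStudioCredential` only applies where Visual Studio is installed, and `az login` alone is enough on macOS or Linux.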