
I want to add Azure Key Vault to my C# app, but I'd like to run the code locally. Is there a possible way?
A lot of documentation says that AKV only works in an Azure environment, but here a Microsoft developer says in the video that the sample code they are showing in the demo can be executed on localhost too.

Currently using the .NET 6 version.
To create my Azure resources I followed the video tutorial from the first link. They follow this schema.
[Image: Flow described to use when using Managed Identities]

So here you can see my Key Vault access policies. RBAC is checked.
[Image: My Key Vault access policies]

The Managed Identity has a role assigned on the Key Vault as Key Vault Administrator (for testing purposes).

My Managed Identity is assigned as a User Assigned Managed Identity in my App Service on the Identity tab.

My Program.cs looks like this:

// DefaultAzureCredential and DefaultAzureCredentialOptions come from the Azure.Identity package.
using Azure.Identity;

var builder = WebApplication.CreateBuilder(args);

// Client ID of the user-assigned managed identity (the real GUID is omitted here).
var userAssignedClientId = "Some guid";
// MyVaultUri (the https://<vault-name>.vault.azure.net/ URL) is defined elsewhere in the asker's Program.cs.

if (!string.IsNullOrEmpty(MyVaultUri))
{
    // ManagedIdentityClientId only affects the managed-identity step of the credential chain.
    builder.Configuration.AddAzureKeyVault(
        new Uri(MyVaultUri),
        new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId }));
}

I have declared the environment variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET, and I have the NuGet packages Azure.Identity v1.4.0 and Azure.Security.KeyVault.Secrets v4.3.0 installed.

And this is the error I'm getting on localhost: Azure.RequestFailedException: 'Caller is not authorized to perform action on resource.'


Answers


  1. When wanting to connect to online resources, there are a few options available that Microsoft supplies. One of them is the InteractiveBrowserCredential, which prompts you to enter your credentials.

    The other is the DefaultAzureCredential, which at first glance is quite deceiving, because what is the default? According to the documentation it tries six different types of authorization before returning an error when authorization fails. Note that if one of the types is disabled, it won't be used.

    If you are logged in to Visual Studio with the same credentials as on portal.azure.com, then the authentication will happen seamlessly.

    Also note that when you want to use environment variables on your localhost, instead of defining those on the machine, it's a best practice to use a settings file which holds the variables. Don't forget to add that settings file to the gitignore file. You don't want those secrets to be published to a public repo.

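    The following Program.cs is an added example, not code from the question or from either answer, that puts the points above into practice for a .NET 6 web app: the vault URL and managed-identity client ID are read from configuration (locally from the user-secrets store, which lives under the user profile and never enters the repo; in App Service from app settings) instead of being hard-coded, the credential chain is narrowed per environment, and a startup probe separates "no credential source could authenticate" from "authenticated, but this identity is not authorized on the vault", which is the 403 the question shows. Two facts drive the design: the ManagedIdentityClientId option only influences the managed-identity step of the chain, which cannot succeed on a workstation, so locally the token comes from whichever other source the chain finds (the AZURE_* environment variables, the Visual Studio sign-in or the Azure CLI sign-in) and that identity needs its own access to the vault; and when a vault uses the RBAC permission model, access policies are ignored and only role assignments on the vault count. The configuration keys KeyVault:Uri and KeyVault:ManagedIdentityClientId, the DescribeVaultAccess helper and the Web SDK implicit usings are assumptions; the AddAzureKeyVault extension is assumed to come from the Azure.Extensions.AspNetCore.Configuration.Secrets package alongside Azure.Identity and Azure.Security.KeyVault.Secrets.

```csharp
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical configuration keys (not from the question). Locally, set them once with
//   dotnet user-secrets set "KeyVault:Uri" "https://<vault-name>.vault.azure.net/"
// so the value is stored outside the repository; in App Service they are app settings.
var vaultUri = builder.Configuration["KeyVault:Uri"];
var managedIdentityClientId = builder.Configuration["KeyVault:ManagedIdentityClientId"];

TokenCredential credential = builder.Environment.IsDevelopment()
    // Workstation: there is no managed-identity endpoint, so exclude that step and let the
    // chain use the AZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRET variables, the
    // Visual Studio sign-in or the Azure CLI sign-in, whichever is present.
    ? new DefaultAzureCredential(new DefaultAzureCredentialOptions
      {
          ExcludeManagedIdentityCredential = true,
      })
    // App Service: pin the chain to the user-assigned managed identity so that no developer
    // sign-in or stray environment variable can be picked up in production.
    : new DefaultAzureCredential(new DefaultAzureCredentialOptions
      {
          ManagedIdentityClientId = managedIdentityClientId,
          ExcludeEnvironmentCredential = true,
          ExcludeSharedTokenCacheCredential = true,
          ExcludeVisualStudioCredential = true,
          ExcludeVisualStudioCodeCredential = true,
          ExcludeAzureCliCredential = true,
          ExcludeInteractiveBrowserCredential = true,
      });

if (!string.IsNullOrEmpty(vaultUri))
{
    // Report which failure mode applies before AddAzureKeyVault hides it inside
    // configuration loading.
    Console.WriteLine(DescribeVaultAccess(new Uri(vaultUri), credential));
    builder.Configuration.AddAzureKeyVault(new Uri(vaultUri), credential);
}

var app = builder.Build();
app.Run();

// Hypothetical helper: distinguishes "cannot authenticate" from "not authorized on this vault".
static string DescribeVaultAccess(Uri vaultUri, TokenCredential credential)
{
    try
    {
        // Step 1: can the chain produce a token for Key Vault at all?
        credential.GetToken(
            new TokenRequestContext(new[] { "https://vault.azure.net/.default" }),
            CancellationToken.None);
    }
    catch (CredentialUnavailableException ex)
    {
        return "No credential source could authenticate: " + ex.Message;
    }
    catch (AuthenticationFailedException ex)
    {
        return "A credential source was found but sign-in failed: " + ex.Message;
    }

    try
    {
        // Step 2: is the identity behind that token allowed to read this vault?
        // Listing secret properties needs only the list permission, so it is a cheap probe.
        var client = new SecretClient(vaultUri, credential);
        var count = client.GetPropertiesOfSecrets().Count();
        return $"Authenticated and authorized; vault lists {count} secret(s).";
    }
    catch (RequestFailedException ex) when (ex.Status == 403)
    {
        // "Caller is not authorized to perform action on resource": the token belongs to an
        // identity (e.g. the AZURE_CLIENT_ID service principal or the signed-in developer)
        // with no role assignment on the vault. Under the RBAC permission model, access
        // policies are ignored; assign a role such as Key Vault Secrets User to that identity.
        return "Authenticated but not authorized on the vault (HTTP 403): " + ex.Message;
    }
}
```

    Run it locally with ASPNETCORE_ENVIRONMENT=Development and the printed line tells you whether the problem is the credential chain or the role assignment on the vault; the probe's 403 branch is exactly the situation in the question, where the identity that actually obtained the token on the workstation is not the managed identity that was granted Key Vault Administrator.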
  2. As long as you are only using keys and secrets, and it is fine that the keys are not the same as in the environment you tried to connect to, you could possibly get away with using a test double, such as Lowkey Vault.

    You can find the project here: https://github.com/nagyesta/lowkey-vault

    Also, there is a .NET POC here: https://github.com/nagyesta/lowkey-vault-example-dotnet
