
I am pretty new to Azure AD and am hoping for your help with this. I have a .NET Core web API and have created two secrets in Azure Key Vault. I am able to access these secrets through the API in the local environment like this (with Visual Studio Azure service authentication).

    using System;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;
    using Microsoft.Extensions.Configuration;
    public class SecretReader
    {
        public SecretReader(IConfiguration configuration)
        {
            var keyVaultURL = new Uri(configuration.GetValue<string>("KeyVault:URL"));
            // Tries several credential sources in turn (environment, managed identity, Visual Studio, Azure CLI, ...)
            var clientCredential = new DefaultAzureCredential();
            var secretClient = new SecretClient(keyVaultURL, clientCredential);
            var secret1 = secretClient.GetSecret("secret-1");
            var secret2 = secretClient.GetSecret("secret-2");
        }
    }

Now I have hosted the .NET Core web API on an Azure Virtual Machine (production environment, Ubuntu) and I want to access the secrets the same way as before (using Key Vault). But the above method does not work; the API service fails and throws exceptions. I think it's because the server does not know how to authenticate with Azure.

  1. Azure.Identity.CredentialUnavailableException: Stored credentials not found. Need to authenticate user in VSCode Azure Account.
  2. Azure.Identity.CredentialUnavailableException: Azure CLI not installed
  3. Azure.Identity.CredentialUnavailableException: PowerShell is not installed.

So please suggest the correct way, with clear steps (since I don't have a deep understanding of Azure), to achieve this in the production environment. Please note that I cannot keep and use the TenantId, ClientId and ClientSecret in the appsettings file.

Thank you.

2 Answers


  1. You should use a managed identity assigned to the VM to access the key vault.
    There are many tutorials that will take you through it step by step.

    One example: https://learn.microsoft.com/en-us/azure/key-vault/general/tutorial-net-create-vault-azure-web-app

  2. We can use DefaultAzureCredential to pass authentication and access the Azure Key Vault secrets, but DefaultAzureCredential attempts to authenticate via multiple mechanisms, and this is the reason why your code worked well in VS but does not work after publishing to the VM.


    You can check the access policy you set in Azure Key Vault: for example, you allowed your user account to access this key vault, and you use this account to sign in to Visual Studio, so the app you run via Visual Studio accesses the key vault secret on your behalf. After you publish to the Azure VM, I think you can try to use environment authentication by setting environment variables on your server. If you choose this way, you need to create an Azure AD application (just create an application) and create a client secret. Then add this application to the key vault access policy. Then on your VM, set the environment variables AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET; the values can be found in Azure AD (the client id and tenant id are on the Overview blade).

    You can also use a managed identity, as Hank said, so we need to enable managed identity for the Azure VM, then add an access policy in Azure Key Vault for this Azure VM resource. In this scenario, you don't need to create an Azure AD app; you can just add this Azure VM to the access policy list after enabling managed identity.

    If you don't want to allow the VM itself to access the key vault secrets, then you can use the other mechanisms mentioned in the DefaultAzureCredential documentation to authenticate to your key vault.

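Putting the options from both answers into application code, as an added example that is not from the original question or either answer: in production it uses the VM's system-assigned managed identity (first answer), falls back to the AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET environment variables when those are set on the server (second answer), keeps DefaultAzureCredential for local development only, and turns the two most common failures into messages that say which setup step is missing. The class and method names, the use of IHostEnvironment to distinguish development from production, and the KeyVault:URL configuration key taken from the question are assumptions.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

// Assumed helper for the web API in the question; not code from the original post.
public static class KeyVaultAuth
{
    // Choose the credential explicitly instead of letting DefaultAzureCredential probe
    // VS Code, Azure CLI and PowerShell on a server that has none of them installed.
    public static TokenCredential CreateCredential(IHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Developer machine: Visual Studio / Azure CLI sign-in, exactly as before.
            return new DefaultAzureCredential();
        }

        // Second answer's option: an Azure AD app whose tenant id, client id and client
        // secret are set as environment variables on the VM, never in appsettings.
        bool hasEnvCreds =
            !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("AZURE_TENANT_ID")) &&
            !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("AZURE_CLIENT_ID")) &&
            !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET"));
        if (hasEnvCreds)
        {
            return new EnvironmentCredential();
        }

        // First answer's option (preferred): the VM's system-assigned managed identity.
        // Tokens are obtained from the VM's instance metadata service; no secret is stored anywhere.
        return new ManagedIdentityCredential();
    }

    public static SecretClient CreateSecretClient(IConfiguration configuration, IHostEnvironment env)
    {
        var keyVaultUrl = new Uri(configuration.GetValue<string>("KeyVault:URL"));
        return new SecretClient(keyVaultUrl, CreateCredential(env));
    }

    // Fail fast at startup with a message that names the missing setup step:
    // no identity on the VM (no token at all) or an identity without a Key Vault access policy (403).
    public static string ReadSecret(SecretClient client, string name)
    {
        try
        {
            return client.GetSecret(name).Value.Value;
        }
        catch (CredentialUnavailableException ex)
        {
            throw new InvalidOperationException(
                "No credential available: enable a managed identity on the VM or set the AZURE_* environment variables.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            throw new InvalidOperationException(
                "Authenticated, but this identity may not read secrets: add it to the Key Vault access policy with 'Get' on secrets.", ex);
        }
    }
}
```

Register it once in Program.cs with `builder.Services.AddSingleton(sp => KeyVaultAuth.CreateSecretClient(builder.Configuration, builder.Environment));` and call `ReadSecret` for "secret-1" and "secret-2" from the consuming service. For the managed-identity path, the two Azure-side steps the answers describe are `az vm identity assign -g <resource-group> -n <vm-name>` (prints the identity's principalId) followed by `az keyvault set-policy -n <vault-name> --object-id <principalId> --secret-permissions get`; these commands are not in the original post. If the vault uses Azure RBAC instead of access policies, assign the "Key Vault Secrets User" role to the identity on the vault instead of setting a policy.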