如何从 Azure Functions (v2) 使用 Azure Key Vault

Question

I am tring to use Azure Key Vault from Azure Functions (v2);
When I run local it works, but when I publish this code to Azure:

try
{
    var vault_url = "https://mykeyvault.vault.azure.net/";
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var kvClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback), client);

    fbAppSecret = (await kvClient.GetSecretAsync(vault_url, "facebook-appid-secret-...")).Value;
}
catch (Exception ex)
{
    error = ex.ToString();
}

It is giving an Exception that contains this (Please check that you are running on an Azure resource that has MSI setup.):

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66ad737e-d8cc-4ab3-abf0-feab50685d13. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66ad737e-d8cc-4ab3-abf0-feab50685d13. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66ad737e-d8cc-4ab3-abf0-feab50685d13. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Visual Studio Token provider file not found at "D:\local\LocalAppData\.IdentityService\AzureServiceAuth\tokenprovider.json"
Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/66ad737e-d8cc-4ab3-abf0-feab50685d13. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command,
operable program or batch file.


   at Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider.<GetAccessTokenAsyncImpl>d__14.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultCredential.<PostAuthenticate>d__9.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultCredential.<ProcessHttpRequestAsync>d__10.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<GetSecretAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at ApelosUrgentesFunctionApp.MyFunctions.<Run>d__1.MoveNext() in C:\Users\tonyv\source\repos\siteApelosUrgentes\ApelosUrgentesFunctionApp\MyFunctions.cs:line 50

Then I found MSI means Managed Service identity and can be enabled on the Azure Functions Portal:

But after enabled it, there is another Exception:

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Access denied
   at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
   at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<GetSecretAsync>d__11.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
   at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at ApelosUrgentesFunctionApp.MyFunctions.<Run>d__1.MoveNext() in C:\Users\tonyv\source\repos\siteApelosUrgentes\ApelosUrgentesFunctionApp\MyFunctions.cs:line 50

I added the Azure Functions App as Reader, then later as Owner, but still getting

I added the Azure Functions App as Owner, but still getting

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Access denied
at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretWithHttpMessagesAsync>d__65.MoveNext()

I also added all the access policies, but still getting Access Denied

Checked Kudu, AppSettings:

https://myfunctionapp.scm.azurewebsites.net/api/settings

{"deployment_branch":"master","SCM_TRACE_LEVEL":"1","SCM_COMMAND_IDLE_TIMEOUT":"60","SCM_LOGSTREAM_TIMEOUT":"1800","SCM_BUILD_ARGS":"","aspnet:PortableCompilationOutput":"true","aspnet:PortableCompilationOutputSnapshotType":"Microsoft.Web.Compilation.Snapshots.SnapshotHelper, Microsoft.Web.Compilation.Snapshots, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35","aspnet:DisableFcnDaclRead":"true","SCM_GIT_USERNAME":"windowsazure","SCM_GIT_EMAIL":"windowsazure","webpages:Version":"3.0.0.0","webpages:Enabled":"true","webactivator:assembliesToScan":"Kudu.Services.Web","MSDEPLOY_RENAME_LOCKED_FILES":"1","FUNCTIONS_EXTENSION_VERSION":"beta","ScmType":"None","WEBSITE_AUTH_ENABLED":"False","REMOTEDEBUGGINGVERSION":"15.0.26730.8","WEBSITE_DISABLE_MSI":"false","AzureWebJobsDashboard":"DefaultEndpointsProtocol=https;AccountName=functionapp;AccountKey=xQ","WEBSITE_CONTENTAZUREFILECONNECTIONSTRING":"DefaultEndpointsProtocol=https;AccountName=functionapp;AccountKey=xq","WEBSITE_CONTENTSHARE":"apelosurgentesfunctionapp","WEBSITE_SLOT_NAME":"Production","AzureWebJobsStorage":"DefaultEndpointsProtocol=https;AccountName=functionapp;AccountKey=xq","WEBSITE_SITE_NAME":"FunctionApp"}

How to solve this?

Answer 1

One detail I found in your pictures is in Access Policies, you have "application + application" under your Service Principal.

Are you able to remove the service principal and add it back with only the app in the Service Principal, leaving Authorized App blank

As seen in this Article:

https://docs.microsoft.com/en-us/azure/key-vault/key-vault-secure-your-key-vault#authentication-using-azure-active-directory

When you use the authorized applications is for apps that must access on behalf of signed in users, thus An application working on behalf of itself does not works as expected.

Answer 2

Why does it works out of the box on localhost, but on published version I have to follow all those steps?

You could refer to Azure Services Authentication Extension to get more information about how it works on the localhost. It use the your login account and your account has the access to the Azure key vault resource.

If you publish it to Azure function, you could use the Azure MSI function, it will registry the Azure AD application automatically.Then we also need to assgin the permisson to access the KeyVault.

I also test it on my side,it works correctly. Please make sure that MSI is enabled correctly in your case. You could check the MSI_SECRET and MSI_ENDPOINT with Azure kudu tool.

Answer 3

Please use the AzureServiceTokenProvider's PrincipalUsed property to check what AppId is being used to authenticate, or in other words, what is the Managed Service Identity being used. The fact that you are getting "Access Denied" means that it was possible to get the access token, but the MSI does not have access to Key Vault. You did grant access to a service principal, but most likely, not to the right one. Use the AppId returned in PrincipalUsed to search for "Service Principal" using Key Vault "Access Policy".

Answer 4

This is the current easy way with Azure Functions https://docs.microsoft.com/en-gb/azure/app-service/app-service-key-vault-references

eg specific version @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/ec96f02080254f109c51a1f14cdb1931)

eg get latest version (note: trailing slash!) @Microsoft.KeyVault(SecretUri=https://myvault.vault.azure.net/secrets/mysecret/)