使用MSI部署容器实例和部署到其的容器无法读取密钥库机密

Question

I followed this guide from Microsoft: https://docs.microsoft.com/en-us/azure/container-instances/container-instances-managed-identity

All that works fine, but when I want to deploy with a ASP.NET Core 2.1 inside a container, where in my code I try to read the KeyVault secrets it does not work. It will work without deploying it inside a Docker container though.

But the goal is to deploy the project into a docker container, register it into Azure Container Registry and then create a Container Instance with containers that can read keyvault secrets.

The error I get is typically what I would get when trying to read secrets from Keyvaults inside a running .NET core Docker container:

AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net , Authority: https://login.windows.net/ . Exception Message: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net , Authority: https://login.windows.net/ . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net , Authority: https://login.windows.net/ . Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Environment variable LOCALAPPDATA not set. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net , Authority: https://login.windows.net/ . Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. /bin/bash: az: No such file or directory.

Any guide to get Docker containers read from Azure Keyvault secrets?

The source code for reading a keyvault secrets:

  public static async Task<string> GetSecret(string baseUrl, string keyName)
    {
        AzureServiceTokenProvider azureServiceTokenProvider = new AzureServiceTokenProvider();

        using (var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback)))
        {
            var secret = await keyVaultClient.GetSecretAsync(baseUrl, keyName).ConfigureAwait(false);
            return secret
        }
    }

Answer 1

First of all, you should know managed identities is just the feather of Azure Services. Also, even if for Azure Services, not all the service are supported for the feather. You can know which Azure service support the managed identities here .

And you can take a look that how does the MSI work for Azure Service here . So it seems that you cannot use the MSI for the Docker container which does not belong to Azure inside the Azure Container Instance. The error also shows that:

Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.

But I suggest you can try to use the Service Principal to read the key stored in KeyVault or access other Azure Service.

Answer 2

Seems that I was not aware using AppAuthentication NuGet 1.1.0-preview produced the error. Use 1.0.3 and everything works fine inside azure container instance with a container image running :)