
Azure KeyVault: how to create clientId and clientSecret?

I want to connect my application to KeyVault. Usually, I could create a New Client Secret and use it in my code.

// Older Microsoft.Azure.KeyVault + ADAL (Microsoft.IdentityModel.Clients.ActiveDirectory) pattern:
// KeyVaultClient invokes the callback with the AAD authority and resource taken from the
// vault's 401 challenge, and expects a bearer token for that resource in return.
using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

var _keyVaultClient = new KeyVaultClient(
    async (string authority, string resource, string scope) =>
{
    var authContext = new AuthenticationContext(authority);
    // clientId / clientSecret belong to an app registration (Azure AD > App registrations), not to the vault
    var clientCred = new ClientCredential(clientId, clientSecret);
    var result = await authContext.AcquireTokenAsync(resource, clientCred);
    return result.AccessToken;
});

I could create a new client secret from the Azure Portal.

[screenshot: app registration "Certificates & secrets" blade]

Now, I can't find this option in KeyVault.

[screenshot: Key Vault blade in the portal]

In Program.cs I have something like

// Azure.Extensions.AspNetCore.Configuration.Secrets + Azure.Identity:
// DefaultAzureCredential probes a chain of credential sources at runtime
var keyVaultEndpoint = new Uri(Environment.GetEnvironmentVariable("VaultUri"));
configApp.AddAzureKeyVault(keyVaultEndpoint, new DefaultAzureCredential());

Locally it is working, but when I deploy the application to Azure I get this error:

Application '/LM/W3SVC/1699246683/ROOT' with physical root 'C:\home\site\wwwroot' has exited from Program.Main with exit code = '0'. First 30KB characters of captured stdout and stderr logs:

[10:15:57 FTL] Host terminated unexpectedly Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials.

EnvironmentCredential authentication unavailable. Environment variables are not fully configured.

ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.

SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.

   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(Boolean isAsync, TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthenticateRequestAsync(HttpMessage message, Boolean async)
   at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.ProcessCoreAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline)
   at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.GetPageAsync[T](Uri firstPageUri, String nextLink, Func`1 itemFactory, String operationName, CancellationToken cancellationToken)
   at Azure.Core.PageResponseEnumerator.FuncAsyncPageable`1.AsPages(String continuationToken, Nullable`1 pageSizeHint)+MoveNext()
   at Azure.Core.PageResponseEnumerator.FuncAsyncPageable`1.AsPages(String continuationToken, Nullable`1 pageSizeHint)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
   at Azure.AsyncPageable`1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext()
   at Azure.AsyncPageable`1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext()
   at Azure.AsyncPageable`1.GetAsyncEnumerator(CancellationToken cancellationToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult()
   at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.LoadAsync()
   at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.LoadAsync()
   at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
   at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
   at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration()
   at Microsoft.Extensions.Hosting.HostBuilder.Build()
   at Skoruba.IdentityServer4.STS.Identity.Program.Main(String[] args) in C:\Projects\IdentityServer4\src\Skoruba.IdentityServer4.STS.Identity\Program.cs:line 26

Process Id: 13436. File Version: 13.1.20234.8. Description: IIS ASP.NET Core Module V2 Request Handler. Commit: c75b3f7a2fb9fe21fd96c93c070fdfa88a2fbe97

You are using DefaultAzureCredential, which combines credentials commonly used to authenticate when deployed with credentials used to authenticate in a development environment. The DefaultAzureCredential will attempt to authenticate via the following mechanisms, in order:

[diagram of the DefaultAzureCredential credential sequence]

The reason it works locally is most probably that it is able to authenticate using one of the credentials from your local box (the orange ones above).

Now for deployed environment, you need to do either of the following:

  1. Set up Managed Service Identity and give it access to the Key Vault. For example, in Azure App Service, enable it from the Identity blade in the portal and then assign an access policy in the Key Vault (the identity name will be the same as the App Service name).

Or, 2. Set client credentials in environment variables (e.g. in App Settings in the case of a Web App).
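Putting both options into one Program.cs, as an added example that is not code from the question or the answer above. It assumes an ASP.NET Core generic host, the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets packages, and that in Azure either a managed identity is enabled on the App Service (option 1) or the three EnvironmentCredential variables AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET are set in App Settings (option 2). The KEYVAULT_MANAGED_IDENTITY_CLIENT_ID setting and the KeyVaultCredentialFactory class are names invented here for illustration.

```csharp
// Added example: choose the Key Vault credential explicitly per environment instead of
// letting DefaultAzureCredential probe every source and fail with an aggregated error.
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static class KeyVaultCredentialFactory   // hypothetical helper, not from the SDK
{
    public static TokenCredential Create(IHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Local box: keep the dev-time sources (Visual Studio, Azure CLI, shared token cache)
            // but skip the interactive browser prompt so a headless run fails fast.
            return new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeInteractiveBrowserCredential = true
            });
        }

        // Option 2 from the answer: client credentials in App Settings.
        // EnvironmentCredential reads AZURE_TENANT_ID, AZURE_CLIENT_ID, AZURE_CLIENT_SECRET.
        if (!string.IsNullOrEmpty(Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET")))
        {
            return new EnvironmentCredential();
        }

        // Option 1 from the answer: managed identity on the App Service.
        // With no client ID the system-assigned identity is used; a client ID selects a
        // user-assigned identity. KEYVAULT_MANAGED_IDENTITY_CLIENT_ID is an assumed setting name.
        var userAssignedClientId = Environment.GetEnvironmentVariable("KEYVAULT_MANAGED_IDENTITY_CLIENT_ID");
        return string.IsNullOrEmpty(userAssignedClientId)
            ? new ManagedIdentityCredential()
            : new ManagedIdentityCredential(userAssignedClientId);
    }
}

public static class Program
{
    public static void Main(string[] args)
    {
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((ctx, config) =>
            {
                // Fail with a readable message instead of a null Uri if the app setting is missing.
                var vaultUri = Environment.GetEnvironmentVariable("VaultUri")
                    ?? throw new InvalidOperationException("App setting 'VaultUri' is not set.");

                config.AddAzureKeyVault(new Uri(vaultUri),
                    KeyVaultCredentialFactory.Create(ctx.HostingEnvironment));
            })
            .Build()
            .Run();
    }
}
```

Whichever branch is taken, the identity still needs a Key Vault access policy (or, with RBAC-enabled vaults, a role such as Key Vault Secrets User) granting at least Get and List on secrets; the configuration provider enumerates secrets at startup, so List alone is not enough and Get alone is not enough. Preferring the managed identity branch means no client secret is stored in App Settings at all, which removes the credential the question was trying to create.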
