
How to retrieve secrets with a service principal with certificate

Goal: My web application is on premises and wants to retrieve secrets from Key Vault using a service principal.

Please note I cannot use DefaultAzureCredential, as my application is not in the cloud, and in Azure.Identity it is suggested to use ClientCertificateCredential for on-prem.

I am trying to use a service principal with a certificate for the registered app to connect to Key Vault and read the certificate and secrets in it. I think I found how to get the certificate, which I explain below, but I am not sure how to get the secret from the certificate to build the ClientCertificateCredential from it. Here are the steps:

1. Created a local machine self-signed certificate and exported the PFX.
2. Registered an app on Azure and uploaded the PFX there (created a service principal with certificate).
3. Created an Azure Key Vault and gave my app the Secrets Officer and Certificates Officer roles.
4. Created a secret named testSecert with the value 1234 in the Key Vault.
5. Created a certificate named "kvtestcert".
6. Created the ClientCertificateCredential using the certificate (see the code below).

a. The code below accesses the local machine store to get the certificate I created:

var x509Store = new X509Store(StoreLocation.CurrentUser);
x509Store.Open(OpenFlags.ReadOnly);
X509Certificate2 x509Certificate = x509Store.Certificates
    .Find(X509FindType.FindByThumbprint, azureADCertThumbprint, validOnly: false)
    .OfType<X509Certificate2>()
    .Single();

b. The code below gets the certificate from Key Vault:

var keyVaultUri = $"https://{keyVaultName}.vault.azure.net/";
var certCredential = new ClientCertificateCredential(tenantId, appId, x509Certificate);
var certificateClient = new CertificateClient(new Uri(keyVaultUri), certCredential);
KeyVaultCertificateWithPolicy keyVaultCertificateWithPolicy = certificateClient.GetCertificate(certificateName);

So far I could get the certificate inside the Key Vault with my service principal. Now I would like to use that service principal to retrieve the secret as well, but I am not sure how.

c. My problem is in the code below: I am not sure what to pass for SecretClient. To retrieve the secrets I need to create a ClientSecretCredential, and for that I need to pass a SecretClient. Please note: I do not want to create any secrets for my app, as it is not recommended for production. I want to use the certificate way.

How and where do I get the SecretClient to be able to use it to create the ClientSecretCredential in the code below?

var secretCredential = new ClientSecretCredential(tenantId, appId, SecretClient???);
var secretClient = new SecretClient(new Uri(keyVaultUri), secretCredential);

var secret = secretClient.GetSecret(secretName);

Any advice would be very much appreciated.

To get a secret I use the following code:

var credentials = new ClientSecretCredential(tenantId: _tenantId, clientId: _clientId, clientSecret: _secret);
var client = new SecretClient(new Uri(_vaultUrl), credentials);

KeyVaultSecret kvSecret = client.GetSecret(_keyRingName);

The tenantId, clientId and secret I get from the app registration in Azure AD, meaning from this JSON that I am presented with after registration:

{
  "clientId": "603761e0xxxxxxxxxxxxxxxxxxxxxxxxxx",
  "clientSecret": "rTU8Q~Lgxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
  "subscriptionId": "b78d216b-dxxxxxxxxxxxxxxxxxxx",
  "tenantId": "567d82a1-xxxxxxxxxxxxxxxxxxxxxxxxx",
  "activeDirectoryEndpointUrl": "https://login.microsoftonline.com",
  "resourceManagerEndpointUrl": "https://management.azure.com/",
  "activeDirectoryGraphResourceId": "https://graph.windows.net/",
  "sqlManagementEndpointUrl": "https://management.core.windows.net:8443/",
  "galleryEndpointUrl": "https://gallery.azure.com/",
  "managementEndpointUrl": "https://management.core.windows.net/"
}

Does that not work?
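The question's step 6 already builds the only credential that is needed. SecretClient, like CertificateClient, takes any Azure.Core TokenCredential, and ClientCertificateCredential is one, so the certificate path works for secrets without a ClientSecretCredential and without the clientSecret shown in the answer's JSON. The following is an added example, not code from the question or the answer: it assumes the tenant ID, client ID, certificate thumbprint and vault name arrive through environment variables (names chosen here, not from the page), reuses the secret name testSecert and certificate name kvtestcert from the question, and assumes the Azure.Identity, Azure.Security.KeyVault.Secrets and Azure.Security.KeyVault.Certificates NuGet packages on .NET 6 or later.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;

// Added example (not the original poster's or answerer's code).
// Assumed inputs: AZURE_TENANT_ID and AZURE_CLIENT_ID (the app registration),
// KV_CERT_THUMBPRINT (thumbprint of the certificate uploaded to that registration),
// KV_NAME (the vault). Secret and certificate names are taken from the question.
public static class KeyVaultCertificateAuth
{
    // Find the certificate by thumbprint in the current user's personal store.
    // validOnly: false is required for a self-signed certificate, which has no trusted chain.
    // The private key stays in the store; nothing here exports it.
    public static X509Certificate2 LoadCertificate(string thumbprint)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);

        var matches = store.Certificates
            .Find(X509FindType.FindByThumbprint, thumbprint, validOnly: false)
            .OfType<X509Certificate2>()
            .ToList();

        if (matches.Count != 1)
            throw new InvalidOperationException(
                $"Expected one certificate with thumbprint {thumbprint}, found {matches.Count}.");
        if (!matches[0].HasPrivateKey)
            throw new InvalidOperationException(
                "Certificate has no private key, so it cannot sign the client assertion.");
        return matches[0];
    }

    // ClientCertificateCredential is a TokenCredential: it proves the app's identity by
    // signing a JWT client assertion with the private key. No client secret is involved,
    // and the same instance can be handed to every Key Vault client.
    public static TokenCredential BuildCredential(string tenantId, string clientId, X509Certificate2 cert)
        => new ClientCertificateCredential(tenantId, clientId, cert);

    private static string Require(string name)
        => Environment.GetEnvironmentVariable(name)
           ?? throw new InvalidOperationException($"Environment variable {name} is not set.");

    public static int Main()
    {
        var vaultUri = new Uri($"https://{Require("KV_NAME")}.vault.azure.net/");
        var cert = LoadCertificate(Require("KV_CERT_THUMBPRINT"));
        TokenCredential credential = BuildCredential(Require("AZURE_TENANT_ID"), Require("AZURE_CLIENT_ID"), cert);

        try
        {
            // Secrets: SecretClient accepts the certificate credential directly.
            var secretClient = new SecretClient(vaultUri, credential);
            KeyVaultSecret secret = secretClient.GetSecret("testSecert");
            // Log metadata only, never the secret value itself.
            Console.WriteLine($"secret {secret.Name} (version {secret.Properties.Version}) retrieved, {secret.Value.Length} chars");

            // Certificates: the same credential instance, as in the question's step b.
            var certificateClient = new CertificateClient(vaultUri, credential);
            KeyVaultCertificateWithPolicy kvCert = certificateClient.GetCertificate("kvtestcert");
            Console.WriteLine($"certificate {kvCert.Name} thumbprint {Convert.ToHexString(kvCert.Properties.X509Thumbprint)}");
            return 0;
        }
        catch (AuthenticationFailedException ex)
        {
            // Wrong tenant/client ID, or the certificate was never uploaded to the app registration.
            Console.Error.WriteLine($"Token request failed: {ex.Message}");
            return 1;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was issued, but the service principal lacks a data-plane role on this vault.
            Console.Error.WriteLine($"Key Vault denied access: {ex.ErrorCode}");
            return 2;
        }
    }
}
```

Two points a practitioner would check alongside this. Reading a secret and a certificate needs only the built-in Key Vault Secrets User and Key Vault Certificate User roles, not the Officer roles assigned in step 3, so the app cannot overwrite or delete vault contents if it is compromised. ClientCertificateCredential also has a constructor that takes a path to a PEM or PFX file for hosts without a Windows certificate store; if that is used, the PFX exported in step 1 becomes the credential to protect, so restrict its file permissions and delete any copy that is no longer needed. When the store is used instead, the private key can be generated as non-exportable so the PFX never has to exist on the web server at all.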

The technical post webpages of this site are licensed under CC BY-SA 4.0. If you need to reprint, please indicate the site URL or the original address. For any questions please contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM