How do I access Azure Key Vault using user credentials?

Bonz0 picture Bonz0 · Apr 27, 2016 · Viewed 19.3k times · Source

I'm trying to write a simple application to access Azure KeyVault using my own, domain joined credentials. I don't know if it's the credentials part or how I'm accessing KeyVault, but I keep getting an "Invalid URI: The format of the URI could not be determined" exception. I am able to access KeyVault using Azure PowerShell cmdlets, but not using C#.

Here's the code I have:

class Program
{
    const string ClientId = "MY AAD CLIENT ID";

    static void Main(string[] args)
    {
        Console.WriteLine("Hello, KeyVault!");
        var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
        var secret = client.GetSecretAsync("vaultName", "secretName").Result; // Throws Invalid URI: The format of the URI could not be determined
        Console.WriteLine(secret.Value);
        Console.ReadLine();
    }

    private static async Task<string> GetAccessToken(string authority, string resource, string scope)
    {
        var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
        var authResult = await context.AcquireTokenAsync(resource, ClientId, new UserCredential());
        return authResult.AccessToken;
    }
}

What could be causing this? I've scoured the internet and haven't found any sample code showing how to access KeyVault this way.

Answer

Thomas picture Thomas · Mar 29, 2018

As @varun-puranik said, you need t specify the vaultBaseUrl rather than the vault name.

There is new nuget package that allow to connect to Azure Keyvault without specifying the Azure Active Directory Client Id.
This approach works when you're using a managed identity

You also need to install the Microsoft.Azure.KeyVault nuget package.

using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

...

var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
     new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(
    "https://{{my-vault-name}}.vault.azure.net/", "{{my-secret}}");