How do I access Azure Key Vault using user credentials?
I'm trying to write a simple application to access Azure KeyVault using my own, domain joined credentials. I don't know if it's the credentials part or how I'm accessing KeyVault, but I keep getting an "Invalid URI: The format of the URI could not be determined" exception. I am able to access KeyVault using Azure PowerShell cmdlets, but not using C#.
Here's the code I have:
class Program
{
const string ClientId = "MY AAD CLIENT ID";
static void Main(string[] args)
{
Console.WriteLine("Hello, KeyVault!");
var client = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetAccessToken));
var secret = client.GetSecretAsync("vaultName", "secretName").Result; // Throws Invalid URI: The format of the URI could not be determined
Console.WriteLine(secret.Value);
Console.ReadLine();
}
private static async Task<string> GetAccessToken(string authority, string resource, string scope)
{
var context = new AuthenticationContext(authority, TokenCache.DefaultShared);
var authResult = await context.AcquireTokenAsync(resource, ClientId, new UserCredential());
return authResult.AccessToken;
}
}
What could be causing this? I've scoured the internet and haven't found any sample code showing how to access KeyVault this way.
Answer
As @varun-puranik said, you need t specify the vaultBaseUrl rather than the vault name.
There is new nuget package that allow to connect to Azure Keyvault without specifying the Azure Active Directory Client Id.
This approach works when you're using a managed identity
You also need to install the Microsoft.Azure.KeyVault nuget package.
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
...
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(
"https://{{my-vault-name}}.vault.azure.net/", "{{my-secret}}");