Connection to Azure Vault using MSI

MicroMan picture MicroMan · Feb 28, 2018 · Viewed 7.4k times · Source

I am trying to connect to my azure vault from a console application with using MSI

For this vault i have added my user as the Selected Principle
the code i am using to connect is

var azureServiceTokenProvider = new AzureServiceTokenProvider();

var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

var secret = await keyVaultClient.GetSecretAsync("https://<vaultname>.vault.azure.net/secrets/<SecretName>").ConfigureAwait(false);

I get the following exception

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority

enter image description here

Answer

evilSnobu picture evilSnobu · Feb 28, 2018
  1. Enable Managed Service Identity in the Configuration blade under your virtual machine.

Enable MSI in the virtual machine configuration blade

  1. Search for NameOfYourVM service principal and add it to your Key Vault under Access Policies. Add key/secret/certificate permissions.

Add Service Principal to Key Vault

  1. On your Azure VM, run the console app.
class Program
{
    // Target C# 7.1+ in your .csproj for async Main
    static async Task Main()
    {
        var azureServiceTokenProvider = new AzureServiceTokenProvider();

        var keyVaultClient = new KeyVaultClient(
              new KeyVaultClient.AuthenticationCallback(
                    azureServiceTokenProvider.KeyVaultTokenCallback));

        var secret = await keyVaultClient.GetSecretAsync(
              "https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME");

        Console.WriteLine(secret.Value);
        Console.ReadLine();
    }
}

Console output

To run locally, create your very own Azure AD application registration (Web App/Web API type to make it a confidential client), add it to Key Vault and use its client_id and client_secret when acquiring the access token —
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application#gettoken

As Varun mentioned in the comments, there's now a better way to get an access token when running locally without exposing a service principal —

https://docs.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#local-development-authentication