12

I am trying to connect from a net framework app to Azure App Configuration using a Managed Identity but have permission issues.

How I connect

options.Connect(new Uri("https://myconfigstore.azconfig.io"), new ManagedIdentityCredential(clientId));

I have tried all the various clientId, objectId and applicationId GUIDs I can find using the portal but am always getting a bad request no matter which GUID I call it with

Azure.Identity.CredentialUnavailableException: 'ManagedIdentityCredential authentication unavailable, 
the requested identity has not been assigned to this resource.
Status: 400 (Bad Request)

If I create ManagedIdentityCredential without specifying a clientId I get this error

Azure.RequestFailedException: 'Service request failed.
Status: 403 (Forbidden)

I have granted my managed identity Azure App Configuration Data permission


Is this the clientId I should be using?


Update:

I have just tried to use the Id of my active directory (AAD --> Properties) and I get a

Azure.RequestFailedException: 'Service request failed.
Status: 403 (Forbidden)

That can only mean that I am using the wrong id because otherwise it should have returned 400 (Bad Request) like in the other error I see.

Full code

using System;
using System.Linq;
using System.Threading.Tasks;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

class Program
{
    private static IConfiguration _configuration;

    private static async Task Main()
    {
        var builder = new ConfigurationBuilder();

        // Client Id of the user-assigned managed identity (partially redacted).
        const string clientId = "e589d9f1-xxxx-xxxx-xxxx-6bc940d50ab7";

        builder.AddAzureAppConfiguration(options =>
        {
            options.Connect(new Uri("https://myconfigstore.azconfig.io"), new ManagedIdentityCredential(clientId));
        });

        // The provider contacts the store here, so authentication errors surface on Build().
        _configuration = builder.Build();

        Console.WriteLine("Number of keys: " + _configuration.GetChildren().Count());

        Console.WriteLine("Demo: " + _configuration["Demo"]);
    }
}
Tony
  • 1,394
  • 5
  • 22
  • 48

1 Answer

17

This document demonstrates how to use managed identity to access App Configuration from App Service, but you can replace the App Service with any other Azure services that support managed identity. https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity

Here are a few things I'd like to call out

  • Make sure the managed identity is enabled in the Azure service where your application runs.
  • When you are using system assigned managed identity, you don't need to provide the client Id. You only need to provide the client Id when you use user assigned managed identity.
  • Make sure the managed identity is granted either App Configuration Data Reader or App Configuration Data Owner role in the access control of your App Configuration instance.
  • Wait for at least 15 minutes after the role assignment for the permission to propagate.
  • Managed identity can ONLY work when your code is running in the Azure service. It will NOT work when running locally.
Zhenlan Wang
  • 1,213
  • 8
  • 10
  • 2
    > Managed identity can ONLY work when your code is running in the Azure service. It will NOT work when running locally. OK. This must be the reason. I have now created separate app.Debug.config and app.Release.config files. The release config is configured to use Azure App Configuration using a managed account and the debug uses appsettings from the config file. – Tony May 12 '20 at 08:54
  • **Managed identity can ONLY work when your code is running in the Azure service. It will NOT work when running locally.** What's this mean? I have a WPF application running on my desktop. How can I access an Azure Storage Account? Thanks. – Sabuncu Apr 03 '21 at 18:07
  • 2
    @sabuncu, your WPF app can still use one of AAD identities (either a service principal or a user MSA identity) to access your Azure Storage Account or Azure App Configuration. It's just that identity cannot be a *managed identity* because managed identity is only available in Azure services, while your WPF app is running on your desktop. – Zhenlan Wang Apr 28 '21 at 19:50
  • @ZhenlanWang Thank you for the information, I appreciate it. – Sabuncu Apr 29 '21 at 04:56
  • 2
    You can switch easily between credential types during development and production using DefaultAzureCredential. It just picks automatically what is available (managed identity, logged in user in VS, environment variables and so on) https://www.c-sharpcorner.com/article/defaultazureidentity-and-its-various-credential-types3/ – Miroslav Adamec Oct 28 '21 at 15:58
  • Waiting 15 minutes is the key for me - a few times I forgot that and had 15 minutes of "debugging" then it suddenly started working... I also wonder if a group is used, and a new MSI is added to that group, what it takes for the cached token to expire and a new one sought in order to have the added group claim to be appended to the token. This may be off but sometimes I am seeing >15 minutes until this is resolved and wondered about the group/token refresh thing. – MarkD Jun 23 '22 at 18:43
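Putting the answer's bullets (client Id only for user-assigned identities, Data Reader/Owner role required, no managed identity on a local machine) together with the DefaultAzureCredential suggestion in the comments, here is an added C# example, not code from the question or the answer, that selects the credential once so the same build runs locally and in Azure, and maps the two status codes seen in the question to their causes. The store URL is the one from the question; the class and method names are made up.

```csharp
using System;
using Azure;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

static class AppConfigBootstrap
{
    // Endpoint from the question; replace with your own store.
    private static readonly Uri Endpoint = new Uri("https://myconfigstore.azconfig.io");

    // userAssignedClientId: null for a system-assigned managed identity (no client Id needed),
    // otherwise the client Id of the user-assigned identity attached to the hosting resource.
    public static TokenCredential BuildCredential(string userAssignedClientId)
    {
        var options = new DefaultAzureCredentialOptions
        {
            // Only used by the managed-identity step of the chain; ignored on a developer machine.
            ManagedIdentityClientId = userAssignedClientId,
        };
        // In Azure this resolves to the managed identity; locally it falls through to the
        // signed-in Visual Studio / Azure CLI user or an environment-variable service principal.
        return new DefaultAzureCredential(options);
    }

    public static IConfiguration Load(string userAssignedClientId)
    {
        try
        {
            return new ConfigurationBuilder()
                .AddAzureAppConfiguration(o => o.Connect(Endpoint, BuildCredential(userAssignedClientId)))
                .Build();
        }
        catch (CredentialUnavailableException ex)
        {
            // The 400 case from the question: the host's identity endpoint has no identity with
            // this client Id, or the code is not running inside an Azure service at all.
            throw new InvalidOperationException(
                "No managed identity with that client Id is assigned to this host, or not running in Azure.", ex);
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // The 403 case: the token was issued, but the identity lacks App Configuration Data
            // Reader/Owner on the store, or the role assignment has not propagated yet.
            throw new InvalidOperationException(
                "Identity authenticated but is not authorized on the store; check the Data Reader role and allow time for propagation.", ex);
        }
    }
}
```

Call `AppConfigBootstrap.Load(null)` for a system-assigned identity and `AppConfigBootstrap.Load("<client id>")` for a user-assigned one; the same binary then works on a developer machine through the signed-in user without a separate debug configuration.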