9

Is it possible to access Azure App Configuration via a Managed Identity locally (or in a pipeline) without deploying any other services to Azure?

I have a .NET Core unit test project that runs some integration tests against a live site. In order to keep various settings, secrets, etc. out of the source code I figured I might be able to use Azure App Configuration.

I was reading this guide, but it seemed to be aimed at an App Service accessing an App Configuration: https://learn.microsoft.com/en-us/azure/azure-app-configuration/howto-integrate-azure-managed-service-identity?tabs=core2x

I've enabled the system assigned managed identity


And am attempting to use the following code:

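```csharp
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureAppConfiguration;

var builder = new ConfigurationBuilder();
builder.AddAzureAppConfiguration(options =>
{
    // Connect with an Azure AD token credential and load only keys labelled "TestLocal"
    options.Connect(new Uri("https://sauitest-config.azconfig.io"), new DefaultAzureCredential())
        .Select(KeyFilter.Any, "TestLocal");
});
```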

Unfortunately this returns a 403 (Forbidden). Note I am logged into Visual Studio as an admin with the same credentials that I use to access the portal. Apparently DefaultAzureCredential should work in both local and Azure environments.

Am I missing something here?

Konzy262
  • Does it work if you take off the `.Select(KeyFilter.Any, "TestLocal")`? What you're doing should be correct - `DefaultAzureCredential` tries to use a variety of methods, including Managed Identity, first, falling back to a browser authentication that you could use for local development. – WaitingForGuacamole Mar 11 '21 at 22:11
  • Didn't make any difference unfortunately. The user I'm logged into Visual Studio as is part of a group that has 'Contributor' access to the App Configuration resource (Inherited from the resource group). Do you think that is sufficient? – Konzy262 Mar 12 '21 at 00:21
  • To use VS logged user to auth, try `VisualStudioCredential()` instead of `DefaultAzureCredential()` directly in your code. Besides, it is not possible to use MSI (managed identity) to access App Configuration locally. – Joy Wang Mar 12 '21 at 01:24

1 Answer

5

Turns out the issue was I didn't have either of the App Configuration Data Owner or App Configuration Data Reader roles against the group I am a part of that is used to access the resource. The group only had Contributor.

Once I added this via Add Role Assignment it started working.

Konzy262
  • That's correct. More details can be found in this document https://learn.microsoft.com/azure/azure-app-configuration/concept-enable-rbac. – Zhenlan Wang Mar 12 '21 at 23:26
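
A preflight check built on the accepted answer, as an added example that is not code from the original post: it reads the store over the data plane and reports a 403 as a missing App Configuration Data Reader / Data Owner assignment rather than a sign-in problem. The class name `AppConfigPreflight`, the credential chain, and the use of the `Azure.Data.AppConfiguration` client package are assumptions; the endpoint and label are the ones from the question.

```csharp
using System;
using System.Linq;
using Azure;
using Azure.Core;
using Azure.Data.AppConfiguration;
using Azure.Identity;

public static class AppConfigPreflight   // hypothetical helper name
{
    // Reads the store over the data plane and explains the failure mode.
    public static string Check(Uri endpoint, string label, TokenCredential credential)
    {
        var client = new ConfigurationClient(endpoint, credential);
        try
        {
            // Listing key-values is a data-plane call, so it needs a data role on the store.
            var selector = new SettingSelector { KeyFilter = SettingSelector.Any, LabelFilter = label };
            int count = client.GetConfigurationSettings(selector).Count();
            return $"OK: read {count} key-value(s) labelled '{label}'.";
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was obtained and accepted; the identity lacks a data role on this store.
            return "403 Forbidden: sign-in succeeded, but this identity (or its group) has no " +
                   "App Configuration Data Reader / Data Owner role on the store.";
        }
        catch (AuthenticationFailedException ex)
        {
            // No credential in the chain could obtain a token at all.
            return "No usable credential: " + ex.Message;
        }
    }

    public static void Main()
    {
        // Assumed chain: service principal from environment variables in a pipeline,
        // then the Visual Studio or Azure CLI sign-in on a developer machine.
        var credential = new ChainedTokenCredential(
            new EnvironmentCredential(),
            new VisualStudioCredential(),
            new AzureCliCredential());

        Console.WriteLine(Check(
            new Uri("https://sauitest-config.azconfig.io"), "TestLocal", credential));
    }
}
```

Running this once before the integration tests separates the two failure modes: a 403 means the role assignment is missing, while an authentication failure means no local or pipeline credential was found.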