
I have a container app service running in Azure and it works fine.

However, if I want to run this container locally it fails because it can't authenticate to read the key vault in Azure.

// Package references: Azure.Identity, Azure.Security.KeyVault.Secrets,
// Azure.Extensions.AspNetCore.Configuration.Secrets
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Extensions.AspNetCore.Configuration.Secrets;

.ConfigureAppConfiguration((context, config) =>
{
    var builtConfig = config.Build();

    // Vault URI is built from the KeyVaultName setting (appsettings or environment)
    string SecretUri = $"https://{builtConfig["KeyVaultName"]}.vault.azure.net/";
    // DefaultAzureCredential walks its credential chain; the shared token cache is skipped
    var secretClient = new SecretClient(new Uri(SecretUri), new DefaultAzureCredential(new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true }));
    config.AddAzureKeyVault(secretClient, new KeyVaultSecretManager());
})

When running in Azure the DefaultAzureCredential will inherit its permissions from the app service and that works fine.

However, if I want to run the container locally for testing outside of Azure it doesn't know what permissions to use. How should I handle this? Can I somehow tell the container what permissions to use without making dev changes to the container?

CathalMF

2 Answers


I typically store the default Azure Key Vault development credentials in User Settings locally when I develop in Visual Studio. Then I put the same credentials as environment variables in Azure App Services. Then it will work in both places, if the credentials are named the same.

You access the local user secrets by right-clicking on the project in Visual Studio.

[screenshot omitted]

See the documentation for more details.

Tore Nestenius
  • But then you have credentials in environment variables, which is not secure and defeats the purpose of having an Azure Key Vault. – CathalMF Mar 17 '21 at 13:51
  • But you have to trust Azure in this case. You have to get the identity/credentials into the container somehow... but sure, if the container is hacked, they are exposed. That's why it can be useful to have different key vaults for different applications to limit the damage. Native Azure services can access AKV using Azure identities, but I am not sure about how you get that credential inside the container where your app is. – Tore Nestenius Mar 17 '21 at 15:08

The DefaultAzureCredential will try several credential types in order as shown here, so if you don't set the environment variables and exclude the SharedTokenCacheCredential with ExcludeSharedTokenCacheCredential = true, it will use VisualStudioCredential to authenticate, i.e. the user account you are logged in with in VS.

To make it work locally, you need to add your user account to the Access Policies of the key vault with the correct permissions; follow this doc. (Or, if you selected Azure role-based access control in the Access policies blade of the key vault, the RBAC role Key Vault Administrator is needed; follow this doc to add it.) After adding it, it will work fine.

Joy Wang
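As an added example (not code from the question or from either answer), here is one way to keep a single ConfigureAppConfiguration code path that works both in App Service and in a locally run container: in Azure only the managed identity is used, locally the container reads the AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET variables that the first link of the DefaultAzureCredential chain (EnvironmentCredential) already understands, so they can be passed with `docker run -e` for a dev-only service principal that is granted access to a separate dev vault, and a token is requested up front so a wrong identity or a missing access policy / RBAC role fails at startup with a clear error. The package names are real; using WEBSITE_SITE_NAME as the "running in App Service" signal and the dev-only vault setup are assumptions.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Extensions.AspNetCore.Configuration.Secrets;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

public static class KeyVaultHostBuilderExtensions
{
    // Picks one credential per environment instead of letting the whole
    // DefaultAzureCredential chain probe every source at startup.
    public static TokenCredential CreateCredential(bool runningInAzure) =>
        runningInAzure
            // In App Service only the managed identity can succeed, so try nothing else.
            ? new ManagedIdentityCredential()
            // Outside Azure: EnvironmentCredential reads AZURE_TENANT_ID, AZURE_CLIENT_ID and
            // AZURE_CLIENT_SECRET (or AZURE_CLIENT_CERTIFICATE_PATH). Supply them with
            // `docker run -e ...` for a dev-only service principal scoped to a dev vault
            // (assumption) so no production secret ever sits in a local environment variable.
            : new EnvironmentCredential();

    public static IHostBuilder AddKeyVaultSecrets(this IHostBuilder builder) =>
        builder.ConfigureAppConfiguration((context, config) =>
        {
            var builtConfig = config.Build();
            var vaultUri = new Uri($"https://{builtConfig["KeyVaultName"]}.vault.azure.net/");

            // Assumption: WEBSITE_SITE_NAME is present only when App Service runs the container.
            bool runningInAzure = !string.IsNullOrEmpty(
                Environment.GetEnvironmentVariable("WEBSITE_SITE_NAME"));
            var credential = CreateCredential(runningInAzure);

            // Ask for a Key Vault token now so a missing identity, or a principal that is
            // not in the vault's access policy / RBAC role, fails at startup with an
            // Azure.Identity exception instead of on the first secret read.
            credential.GetToken(
                new TokenRequestContext(new[] { "https://vault.azure.net/.default" }), default);

            config.AddAzureKeyVault(new SecretClient(vaultUri, credential),
                                    new KeyVaultSecretManager());
        });
}
```

Call it as `Host.CreateDefaultBuilder(args).AddKeyVaultSecrets()`; locally, `docker run -e AZURE_TENANT_ID -e AZURE_CLIENT_ID -e AZURE_CLIENT_SECRET ...` forwards the variables from the developer's shell without changing the image.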