1

I have this Azure Key Vault in which I have stored an API key. I have, via Visual Studio, added the Azure Key Vault as a connected service to the project.

I try to get my key value stored in AKV via this code:

    using System;
    using System.Net.Http;
    using Azure.Identity;
    using Azure.Security.KeyVault.Secrets;

    HttpClient client = new HttpClient();
    // The vault name is read from the "web-kv" environment variable.
    string keyVaultName = !string.IsNullOrEmpty(Environment.GetEnvironmentVariable("web-kv")) ? Environment.GetEnvironmentVariable("web-kv") : throw new ArgumentNullException("web-kv");
    string kvUri = "https://" + keyVaultName + ".vault.azure.net";
    bool success = Uri.TryCreate(kvUri, UriKind.Absolute, out Uri uri);
    if (!success)
    {
        throw new Exception(kvUri);
    }
    // DefaultAzureCredential tries each credential type in turn; this is where the exception is raised.
    var akvClient = new SecretClient(uri, new DefaultAzureCredential());
    var apiKey = akvClient.GetSecret("LicenseApiKey");

Which returns this exception

    Azure.Identity.AuthenticationFailedException: The DefaultAzureCredential failed to retrieve a token from the included credentials.
      EnvironmentCredential is unavailable Environment variables not fully configured. AZURE_TENANT_ID and AZURE_CLIENT_ID must be set, along with either AZURE_CLIENT_SECRET or AZURE_USERNAME and AZURE_PASSWORD. Currently set variables [  ].
      ManagedIdentityCredential is unavailable No managed identity endpoint found..
      SharedTokenCacheCredential is unavailable No accounts were discovered in the shared token cache. To fix, authenticate through tooling supporting azure developer sign on..

The application is not registered as an app in Azure, and for some reason it does not detect that the environment variable is set?

I am not Fat
  • I ended up using a similar approach as mentioned here https://stackoverflow.com/questions/71095915/how-to-access-an-azure-keyvault-from-an-non-registeres-app-net-framework-webap – I am not Fat Feb 18 '22 at 08:44
  • Where are you hosting your application? If in Azure (ex as an app service) you most likely want to use the ManagedIdentity, as that is the most secure/least maintenance option. – Rudi Feb 18 '22 at 10:54
  • The application is not hosted in Azure, it's on premise. It has been registered as an app in Azure – I am not Fat Feb 18 '22 at 13:38
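
An added example (not part of the original post or its comments): the `Currently set variables [  ]` line in the exception refers to the `AZURE_*` variables that `EnvironmentCredential` reads, not to `web-kv`. For an on-premises app that has an app registration, the code below checks those variables up front and authenticates with an explicit `ClientSecretCredential`. It assumes the registration has a client secret and has been granted permission to read secrets in the vault; the class and method names are hypothetical.

```csharp
using System;
using System.Linq;
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

static class KeyVaultPreflight // hypothetical name, not from the original post
{
    // Variable names taken from the EnvironmentCredential line of the exception text.
    static readonly string[] Required = { "AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET" };

    // Returns the required variables that are not visible to this process.
    public static string[] MissingVariables() =>
        Required.Where(n => string.IsNullOrWhiteSpace(Environment.GetEnvironmentVariable(n))).ToArray();

    public static SecretClient CreateClient(string vaultName)
    {
        var missing = MissingVariables();
        if (missing.Length > 0)
            throw new InvalidOperationException("Not set for this process: " + string.Join(", ", missing));

        // Explicit service-principal credential: no fallback chain, so a failure
        // points at this identity instead of at three unrelated credential types.
        var credential = new ClientSecretCredential(
            Environment.GetEnvironmentVariable("AZURE_TENANT_ID"),
            Environment.GetEnvironmentVariable("AZURE_CLIENT_ID"),
            Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET"));
        return new SecretClient(new Uri($"https://{vaultName}.vault.azure.net"), credential);
    }

    static void Main()
    {
        try
        {
            var vaultName = Environment.GetEnvironmentVariable("web-kv")
                ?? throw new InvalidOperationException("web-kv is not set");
            KeyVaultSecret secret = CreateClient(vaultName).GetSecret("LicenseApiKey").Value;
            // Log only metadata; the secret value itself must never reach logs.
            Console.WriteLine($"Fetched '{secret.Name}' ({secret.Value.Length} chars)");
        }
        catch (Exception ex) when (ex is InvalidOperationException
            || ex is AuthenticationFailedException   // wrong tenant, client id or secret
            || ex is RequestFailedException)          // e.g. 403: identity lacks secret read access
        {
            Console.Error.WriteLine(ex.Message);
            Environment.ExitCode = 1;
        }
    }
}
```

The client secret is itself a credential: set it in the environment of the account that runs the process rather than in source control or a checked-in config file.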

2 Answers

0

I ended up using an approach where I let the Azure pipeline insert the secrets into my appSetting when I am deploying, hence the code will not be interfacing with the keyvault.

I am not Fat

-1

In a development environment you need to use SecretManager as described here.

Here you can find a deep dive with a working sample.

Claudio
  • But I also need a way to make use of this in a production environment; storing secrets might work for development only. – I am not Fat Feb 12 '22 at 15:29
  • Just follow the second link, the working sample is a step by step tutorial to achieve this with both remote (default) and local (optional) configurations. – Claudio Feb 14 '22 at 10:09