AzureAppConfiguration does not work with Azure.Identity.TokenCredentials

Question

I try to add AzureAppConfiguration to my dotnet core web application using the following Code:

var azureCredential = new DefaultAzureCredential();
config.AddAzureAppConfiguration(options =>
  options.Connect(new Uri("https://MYCONFIGURATION.azconfig.io"), azureCredential).ConfigureKeyVault(kv =>
    {
      kv.SetCredential(azureCredential);
    })
    ....

this fails with the Following Error:

Azure.RequestFailedException: Service request failed. Status: 403 (Forbidden)

If I do use the Connection String to connect to the AzureAppConfiguration itself it does work:

var azureCredential = new DefaultAzureCredential();
config.AddAzureAppConfiguration(options =>
  options.Connect("Endpoint=https://ac-mobileapps-dev.azconfig.io;Id=MYID;Secret=MYSECRET").ConfigureKeyVault(kv =>
    {
      kv.SetCredential(azureCredential);
    })
    ....

I run this on my local machine, so the default credentials return my AzureCLI Creds. With those same creds I can run

 az appconfig kv list -n MYCONFIGURATION

and retrieve all values.

Answer 1

Please make sure you grant your identity App Configuration Data Reader or App Configuration Data Owner role in the Access Control of your App Configuration instance and wait for ~15 minutes for the permission to propagate.

More details can be found at https://learn.microsoft.com/en-us/azure/azure-app-configuration/concept-enable-rbac

BTW, the CLI command you used doesn't use AAD auth. Use the --auth-mode parameter to specify how you want to authenticate.

az appconfig kv list -n MYCONFIGURATION --auth-mode login