Connection to Azure Vault using MSI

Question

I am trying to connect to my azure vault from a console application with using MSI

For this vault i have added my user as the Selected Principle
the code i am using to connect is

var azureServiceTokenProvider = new AzureServiceTokenProvider();

var keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));

var secret = await keyVaultClient.GetSecretAsync("https://<vaultname>.vault.azure.net/secrets/<SecretName>").ConfigureAwait(false);

I get the following exception

Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority

Answer 1

1. Enable Managed Service Identity in the Configuration blade under your virtual machine.

2. Search for NameOfYourVM service principal and add it to your Key Vault under Access Policies. Add key/secret/certificate permissions.

3. On your Azure VM, run the console app.

class Program
{
    // Target C# 7.1+ in your .csproj for async Main
    static async Task Main()
    {
        var azureServiceTokenProvider = new AzureServiceTokenProvider();

        var keyVaultClient = new KeyVaultClient(
              new KeyVaultClient.AuthenticationCallback(
                    azureServiceTokenProvider.KeyVaultTokenCallback));

        var secret = await keyVaultClient.GetSecretAsync(
              "https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME");

        Console.WriteLine(secret.Value);
        Console.ReadLine();
    }
}

To run locally, create your very own Azure AD application registration (Web App/Web API type to make it a confidential client), add it to Key Vault and use its client_id and client_secret when acquiring the access token —
https://learn.microsoft.com/en-us/azure/key-vault/key-vault-use-from-web-application#gettoken

As Varun mentioned in the comments, there's now a better way to get an access token when running locally without exposing a service principal —

https://learn.microsoft.com/en-us/azure/key-vault/service-to-service-authentication#local-development-authentication

Answer 2

To run locally.

1. install Azure Cli
2. Open Windows Powershell
3. write az login command (it will give an url and code )
4. Open Url and enter the code which is given with az login

then get the secret value like this

 var secret =  await keyVaultClient.GetSecretAsync("https://VAULT-NAME.vault.azure.net/secrets/SECRET-NAME");
     secret.Value; //your secret.

Answer 3

a correct answer is already given above, here's an additional one :-)

Azure MSI applying with App Service & Vault

1. Enable System Assigned Managed Identity for your App Service, check Identity section under settings.

2. Add Policy under Vault

3. configure your code behind