How to ask DefaultAzureCredential to use my user credential locally

Time:09-09

I'm trying to develop a web app on an Azure VM that uses Azure Key Vault. Later this app will also be deployed to Azure. As far as I know, the most straightforward way to make the app work with the key vault, both locally and deployed, is to use the DefaultAzureCredential class. The code would be like this:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

string kvUri = "https://" + keyvaultName + ".vault.azure.net";
SecretClient client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
KeyVaultSecret secret = await client.GetSecretAsync(secretName);

At runtime, the provider will try different credential types in order.

This sounds like exactly what I want:

  • When developing locally (on the Azure VM, though), I want to use my user credential (user identity added to the key vault's permission) without any configuration, since I have already logged into the Visual Studio using the same user credential.
  • Once deployed to Azure, I want to use the app registration credential (also added to the key vault's permission).

But when running the app locally, I'm getting a 403 error The user, group or application .... does not have secrets get permission on key vault ...

After looking up the object id in the error message, I realize it's the dev machine Azure VM's credential that the application uses, not my user credential.

Is there a way to change this behavior?

CodePudding user response:

To prevent the Azure VM from getting a token, you can exclude the ManagedIdentityCredential in your Development environment and only enable it in a Non-Development environment.

        DefaultAzureCredential credentials;
        if (environment.IsDevelopment())
        {
            // Local: skip the VM's managed identity (and the CLI) so the chain
            // falls through to the Visual Studio / VS Code user credential.
            credentials = new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeManagedIdentityCredential = true,
                ExcludeAzureCliCredential = true
            });
        }
        else
        {
            // Deployed: never pick up developer-tool credentials; managed identity wins.
            credentials = new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeVisualStudioCodeCredential = true,
                ExcludeVisualStudioCredential = true
            });
        }

Once deployed to Azure, I want to use the app registration credential (also added to the key vault's permission).

An Azure App Service can use a managed identity as well. There is no need for a separate App Registration.

See https://docs.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme#key-concepts for more information.
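The following is an added example, not code from the question or either answer. It wires the environment-dependent credential choice into the SecretClient call from the question and adds the check a practitioner wants when a 403 appears: an Azure.Core event listener that prints which credential DefaultAzureCredential actually selected, so the object id in the error can be matched to the right identity. It assumes an ASP.NET Core host (IHostEnvironment) with the Azure.Identity, Azure.Core and Azure.Security.KeyVault.Secrets packages; vault and secret names are placeholders. It goes beyond the answer in one respect: the production branch constructs a ManagedIdentityCredential directly instead of a DefaultAzureCredential with exclusions, which removes every other chain member rather than just the developer-tool ones.

```csharp
// Added example; not part of the original question or answers.
// Assumes ASP.NET Core hosting plus the Azure.Identity, Azure.Core and
// Azure.Security.KeyVault.Secrets packages. Vault/secret names are placeholders.
using System;
using System.Diagnostics.Tracing;
using System.Threading.Tasks;
using Azure;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Extensions.Hosting;

public static class KeyVaultCredentialFactory
{
    // Locally: exclude the VM's managed identity so the chain falls through to the
    // developer's signed-in Visual Studio / VS Code / Azure CLI identity.
    // Deployed: use only the managed identity (narrower than a DefaultAzureCredential
    // with exclusions, because nothing else in the chain can be picked up).
    public static TokenCredential Create(IHostEnvironment environment)
    {
        if (environment.IsDevelopment())
        {
            return new DefaultAzureCredential(new DefaultAzureCredentialOptions
            {
                ExcludeManagedIdentityCredential = true,
                // Design choice for this example: ignore AZURE_CLIENT_* variables on the dev box
                // so a stale service-principal secret cannot silently win over the user identity.
                ExcludeEnvironmentCredential = true
            });
        }

        return new ManagedIdentityCredential();
    }
}

public static class SecretReader
{
    public static async Task<string> ReadAsync(IHostEnvironment environment,
                                               string vaultName, string secretName)
    {
        // Azure.Identity logs "DefaultAzureCredential credential selected: ..." at
        // Informational level; this console listener surfaces it while developing.
        using AzureEventSourceListener listener =
            AzureEventSourceListener.CreateConsoleLogger(EventLevel.Informational);

        var kvUri = new Uri($"https://{vaultName}.vault.azure.net");
        var client = new SecretClient(kvUri, KeyVaultCredentialFactory.Create(environment));

        try
        {
            KeyVaultSecret secret = await client.GetSecretAsync(secretName);
            return secret.Value;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // Forbidden: the identity the chain selected lacks the secret "get"
            // permission on this vault. The log line above names that identity.
            throw new InvalidOperationException(
                $"Selected identity lacks 'get' permission on {kvUri}: {ex.Message}", ex);
        }
    }
}

// Usage from Program.cs (placeholder names):
//   var value = await SecretReader.ReadAsync(builder.Environment, "my-vault", "my-secret");
```

The listener is the useful part when debugging the 403 in the question: the selected-credential line tells you whether the token came from the VM's managed identity or from the Visual Studio sign-in before you look up any object id in the portal.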

CodePudding user response:

Create an identity if you wish to use the default identity: App Service -> select your application -> Identity -> enable it -> this should give you an Id, and then add it to the Key Vault access policy. Alternatively, an app registration can be used with tenantId, clientId and secret to connect to Key Vault.
