Access denied to first party service, Keyvault authentication in visual studio debug

HanbyulKang 36 Reputation points
2020-12-29T05:25:42.813+00:00

I am developing an ASP.NET Core 3.1 API and I use .NET Standard 2.0.

My code is located in a .NET Standard project.

NuGet versions:
Azure.Identity : 1.3.0
Azure.Security.KeyVault.Secrets : 4.10

I use DefaultAzureCredential,

but when I try to debug, the error below occurs.

SharedTokenCacheCredential authentication failed: A configuration issue is preventing authentication - check the error message from the server for details.You can modify the configuration in the application registration portal. See https://aka.ms/msal-net-invalid-client for details. Original exception: AADSTS70002: The client does not exist or is not enabled for consumers. If you are the application developer, configure a new application through the App Registrations in the Azure Portal at https://go.microsoft.com/fwlink/?linkid=2083908.
Trace ID: [guid]
Correlation ID: [guid]
Timestamp: 2020-12-29 02:06:23Z

So I retried with

new DefaultAzureCredentialOptions { ExcludeSharedTokenCacheCredential = true }

but with this option another error occurred.

Service request failed.
Status: 403 (Forbidden)

Content:
{"error":{"code":"Forbidden","message":"Access denied to first party service.\r\nCaller: name=from-infra;tid=f8cdef31-a31e-4b4a-93e4-5f571e91255a;appid=[guid];iss=https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/\r\nVault: [KeyVaultName];location=koreasouth","innererror":{"code":"AccessDenied"}}}

Headers:
Cache-Control: no-cache
Pragma: no-cache
x-ms-keyvault-region: koreasouth
x-ms-request-id: REDACTED
x-ms-keyvault-service-version: 1.2.99.0
x-ms-keyvault-network-info: conn_type=Ipv4;addr=211.219.111.149;act_addr_fam=InterNetwork;
X-Powered-By: REDACTED
Strict-Transport-Security: REDACTED
X-Content-Type-Options: REDACTED
Date: Tue, 29 Dec 2020 05:17:58 GMT
Content-Length: 343
Content-Type: application/json; charset=utf-8
Expires: -1

I have already added my Web App application to the Access Policy in Key Vault.

What should I do?

Azure Key Vault
3 answers

  1. Jaliya Udagedara 2,731 Reputation points MVP
    2020-12-29T07:38:20.037+00:00

    When you are running the application locally from Visual Studio, a couple of things need to be set up to access an Azure Key Vault (AKV). Can you please check the following:

    • Make sure you have the latest Azure CLI installed
    • The correct account is set in Visual Studio: Tools -> Options -> Azure Service Authentication
    • In AKV, an access policy is defined for the selected account

    P.S.: You can use new DefaultAzureCredential(); when you use that, it will try the different credential types in the order below.

    1. EnvironmentCredential
    2. ManagedIdentityCredential
    3. SharedTokenCacheCredential
    4. VisualStudioCredential
    5. VisualStudioCodeCredential
    6. AzureCliCredential
    7. InteractiveBrowserCredential

  2. Justin Griep 41 Reputation points
    2021-05-20T05:03:02.307+00:00

    I had this same error message when trying to deploy a Cloud Service (Extended Support) which tied the web role to a key vault. I was able to solve the issue by upgrading Visual Studio from 16.9.2 to 16.9.6. This may relate to more key vault access issues than the one I was having and hope this helps someone else out.


  3. Aleksander Grunnvoll 1 Reputation point
    2021-06-06T19:26:25.54+00:00

    I have been banging my head against this problem for weeks!

    It seems I can't get my "default" Microsoft account to work with this, no matter what. This worked:

    1. Create a new user in Active Directory (make sure it's in the same tenant as the Key Vault)
    2. Add access policy with needed permissions in Key Vault for this new user
    3. Add new user to Azure Service Authentication in Visual Studio, and select it after
    4. This may or may not be needed (given the previous point), but set the email of the new user in DefaultAzureCredentialOptions:

       using Azure.Identity;
       using Azure.Security.KeyVault.Secrets;

       var options = new DefaultAzureCredentialOptions();
       options.SharedTokenCacheUsername = "email-of-new-user";
       keyVaultSecretClient = new SecretClient(new Uri(uri), new DefaultAzureCredential(options));
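The first answer's credential chain and the third answer's "same tenant, named user" steps, combined into one added example. This is not code from any of the posts above: the vault URI, tenant ID, user name and secret name are placeholders. It pins every developer-machine credential in DefaultAzureCredential to the vault's tenant, selects the cached account by user name, and, before any request reaches the vault, decodes the tid claim of the token it is about to send and compares it with the expected tenant. That check matters for the 403 in the question: its Caller line reports tid=f8cdef31-a31e-4b4a-93e4-5f571e91255a, the tenant Azure AD uses to issue tokens for personal Microsoft accounts, so the token was never going to match an access policy on a vault in the developer's own tenant. All options used are properties of DefaultAzureCredentialOptions in Azure.Identity 1.3.0.

```csharp
using System;
using System.Text.Json;
using System.Threading;
using Azure;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Added example, not from the original posts. The three values below are
// placeholders: the vault URI, the Azure AD tenant the vault lives in, and
// the UPN of a user in that tenant that has an access policy on the vault.
public static class KeyVaultLocalDev
{
    const string VaultUri = "https://my-keyvault.vault.azure.net/";       // hypothetical
    const string TenantId = "11111111-2222-3333-4444-555555555555";        // hypothetical
    const string DevUser  = "dev-user@contoso.onmicrosoft.com";            // hypothetical

    // DefaultAzureCredential pinned to the vault's tenant. Every developer-machine
    // credential in the chain is told which tenant to get a token from, so an
    // account signed in to some other tenant (for example a personal Microsoft
    // account) cannot produce the token that is sent to Key Vault.
    public static TokenCredential BuildLocalDevCredential()
    {
        var options = new DefaultAzureCredentialOptions
        {
            SharedTokenCacheTenantId   = TenantId,
            VisualStudioTenantId       = TenantId,
            VisualStudioCodeTenantId   = TenantId,
            InteractiveBrowserTenantId = TenantId,
            // Pick the cached account by name instead of "whichever comes first".
            SharedTokenCacheUsername = DevUser,
            // A service should never pop a browser; fail instead.
            ExcludeInteractiveBrowserCredential = true,
        };
        return new DefaultAzureCredential(options);
    }

    // Diagnostic check: acquire the token that would be sent to Key Vault and
    // read its 'tid' claim. This is a local decode for troubleshooting only;
    // the token itself must not be logged or stored.
    public static string TokenTenantId(TokenCredential credential)
    {
        AccessToken token = credential.GetToken(
            new TokenRequestContext(new[] { "https://vault.azure.net/.default" }),
            CancellationToken.None);

        string payload = token.Token.Split('.')[1];
        // JWT segments are base64url without padding; convert to standard base64.
        payload = payload.Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');

        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        return doc.RootElement.GetProperty("tid").GetString();
    }

    public static string ReadSecret(SecretClient client, string name)
    {
        try
        {
            KeyVaultSecret secret = client.GetSecret(name);
            return secret.Value;
        }
        catch (AuthenticationFailedException ex)
        {
            // No token could be obtained (the AADSTS70002 case in the question):
            // the problem is on the identity side, before any call to the vault.
            Console.Error.WriteLine("Token acquisition failed: " + ex.Message);
            throw;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            // A token was issued but the vault rejected it (the "Access denied"
            // case). Compare the tid in the Caller line of the response body
            // with the vault's tenant: a mismatch means the wrong account/tenant,
            // a match means the account has no access policy for this operation.
            Console.Error.WriteLine("Key Vault denied access: " + ex.Message);
            throw;
        }
    }

    public static void Main()
    {
        TokenCredential credential = BuildLocalDevCredential();

        string tid = TokenTenantId(credential);
        if (!string.Equals(tid, TenantId, StringComparison.OrdinalIgnoreCase))
            throw new InvalidOperationException(
                $"Token issued by tenant {tid}, expected {TenantId}: " +
                "fix the account selected in Visual Studio before calling the vault.");

        var client = new SecretClient(new Uri(VaultUri), credential);
        string value = ReadSecret(client, "ExampleSecret");            // hypothetical secret name
        Console.WriteLine($"Read {value.Length} characters from ExampleSecret.");
    }
}
```

Two points on the design. Pinning the tenant IDs is the actual fix for the third answer's symptom: the credentials then request a token from the vault's tenant regardless of which account the shared cache or Visual Studio happens to hold, and an account that cannot authenticate there fails with an identity-side error rather than a vault-side Forbidden. The tid check is a diagnostic, so keep it to local development or a startup self-test; in production the token should go straight to the vault, and neither the token nor its claims should end up in logs.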