Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,126 questions
How do I access KeyVault from a .NET console app Azure Batch job?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(105.60000000000001, 16%, 20%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJH%3C/text%3E%3C/svg%3E)
Jeanie Huynh
1
Reputation point
I have a .NET console app job that needs to read a secret from KeyVault. The .NET console app is uploaded to run on an Azure Batch job. I am using the Microsoft.Azure.Services.AppAuthentication package and here is the snippet of code trying to access the KeyVault:
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId={my managed identity's client ID}");
KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(cacheKey);
I keep getting this error though when the job is run from Azure Batch:
INNER EXCEPTION: MESSAGE: Parameters: Connection String: RunAs=App;AppId={client id}, Resource: https://vault.azure.net, Authority: https://login.windows.net/{redacted}. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"error":"invalid_request","error_description":"Identity not found"}
{count} votes
-
prmanhas-MSFT 17,891 Reputation points Microsoft Employee2021-05-25T07:56:59.467+00:00 @Jeanie Huynh Can you please confirm if you have already followed below:
https://learn.microsoft.com/en-us/dotnet/api/overview/azure/service-to-service-authentication
https://learn.microsoft.com/en-us/azure/batch/credential-access-key-vaultThanks
-
Jeanie Huynh 1 Reputation point
2021-05-25T10:21:47.583+00:00 Hi @prmanhas-MSFT ! Yes, I've followed those documentations. I've made sure the user-assigned identity has proper access policies in the Key Vault, the identity is assigned to the Batch Pool, and that I've included a connection string in the AzureServiceTokenProvider call (because it's user-assigned).
Thanks!
-
prmanhas-MSFT 17,891 Reputation points Microsoft Employee
2021-06-07T06:26:54.987+00:00 @Jeanie Huynh Just following up to check if you got a chance to go through my previous response?
Do let me know in case of any queries.
Thanks
Sign in to comment