Always Encrypted with Azure KeyVault and Managed Identity causing Azure.Identity.CredentialUnavailableException

Shiraj Shaikh 1 Reputation point
2021-06-04T18:39:59.97+00:00

I am running the code below locally, which tries to save data into an encrypted column of an Azure SQL Database table.
I am using Visual Studio 2019, and the Azure Service Authentication account has been configured. This account has all the necessary permissions to access the key vault.

Am I missing anything?

Error

Azure.Identity.CredentialUnavailableException
HResult=0x80131500
Message=ManagedIdentityCredential authentication unavailable. No Managed Identity endpoint found.
Source=Azure.Identity
StackTrace:
at Azure.Identity.ManagedIdentityClient.<AuthenticateAsync>d__12.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Runtime.CompilerServices.ConfiguredValueTaskAwaitable`1.ConfiguredValueTaskAwaiter.GetResult()
at Azure.Identity.ManagedIdentityCredential.<GetTokenImplAsync>d__9.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at Azure.Identity.CredentialDiagnosticScope.FailWrapAndThrow(Exception ex)
at Azure.Identity.ManagedIdentityCredential.<GetTokenImplAsync>d__9.MoveNext()
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd(Task task)
at System.Threading.Tasks.ValueTask`1.get_Result()
at System.Runtime.CompilerServices.ValueTaskAwaiter`1.GetResult()
at Azure.Core.Pipeline.TaskExtensions.EnsureCompleted[T](ValueTask`1 task)
at Azure.Identity.ManagedIdentityCredential.GetToken(TokenRequestContext requestContext, CancellationToken cancellationToken)
at GoPassOrg.BL.DbContext.GoPassOrgDbContext.<>c.<AzureActiveDirectoryAuthenticationCallback>b__6_0() in C:\Data\GitRepos\GoPassOrg\src\GoPassOrg.BL\DbContext\GoPassOrgDbContext.cs:line 59
at System.Threading.Tasks.Task`1.InnerInvoke()
at System.Threading.ExecutionContext.RunFromThreadPoolDispatchLoop(Thread threadPoolThread, ExecutionContext executionContext, ContextCallback callback, Object state)

This exception was originally thrown at this call stack:
[External Code]
GoPassOrg.BL.DbContext.GoPassOrgDbContext.AzureActiveDirectoryAuthenticationCallback.AnonymousMethod__6_0() in GoPassOrgDbContext.cs
[External Code]

Code

using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;
using Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider;
using Microsoft.EntityFrameworkCore;

public class MyDbContext : DbContext
{
    // Key store provider registration is process-wide and may only happen once.
    private static bool _isInitialized;

    public MyDbContext(DbContextOptions<MyDbContext> options) : base(options)
    {
        if (!_isInitialized)
        {
            InitializeAzureKeyVaultProvider();
        }
    }

    private static void InitializeAzureKeyVaultProvider()
    {
        var sqlColumnEncryptionAzureKeyVaultProvider =
            new SqlColumnEncryptionAzureKeyVaultProvider(AzureActiveDirectoryAuthenticationCallback);

        // Register AKV provider
        SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
            new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>(1, StringComparer.OrdinalIgnoreCase)
            {
                { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, sqlColumnEncryptionAzureKeyVaultProvider }
            });

        _isInitialized = true;
    }

    // Invoked by the AKV provider whenever it needs a Key Vault token.
    // ManagedIdentityCredential only succeeds where a managed identity endpoint exists;
    // run locally, this is the call that throws CredentialUnavailableException.
    private static async Task<string> AzureActiveDirectoryAuthenticationCallback(string authority, string resource, string scope)
    {
        AccessToken token = await new ManagedIdentityCredential().GetTokenAsync(
            new TokenRequestContext(new[] { "https://vault.azure.net/.default" }),
            CancellationToken.None);
        return token.Token;
    }
}

1 answer

  1. Marilee Turscak-MSFT 33,801 Reputation points Microsoft Employee
    2021-06-04T21:49:02+00:00

    Since you mention that you are running from your local development environment, the code to access the Key Vault will be using the developer context rather than the managed identity. You need to grant permissions to access the key vault to yourself or whoever is trying to access it.

    Please try running this after deploying it to the Azure app service. In your instance of the App Service, click 'Identity' under 'Settings' on the left, and then make sure the 'Status' is 'On' under the 'System assigned' tab.

    If you still have this issue, let me know and I can check with the product team whether there is anything else that could be causing this.

    See also:
    https://learn.microsoft.com/en-us/answers/questions/380576/managedidentitycredential-authentication-unavailab.html
    https://github.com/Azure/AppConfiguration/issues/201

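The following is an added example, not code from the original question or from the answer above. It puts the two points together: the question's callback hard-codes ManagedIdentityCredential, which has no endpoint to talk to on a workstation, and the answer's advice is to run under the App Service's system-assigned identity. A chained credential lets one build do both, using the managed identity in Azure and the Visual Studio or Azure CLI sign-in locally. It assumes the Azure.Identity and Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider packages; the constructor taking a TokenCredential exists in provider 2.x (an assumption about the version in use), while the callback overload matches the 1.x API the question uses. The class and method names are illustrative.

```csharp
using System;
using System.Collections.Generic;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Data.SqlClient;
using Microsoft.Data.SqlClient.AlwaysEncrypted.AzureKeyVaultProvider;

// Illustrative class name; not part of the original post.
public static class AkvColumnKeyProvider
{
    private static readonly object Gate = new object();
    private static bool _registered;

    // One credential for the process. Azure.Identity caches tokens per credential
    // instance, so newing one up inside every callback (as the question's code does)
    // fetches a fresh token on every column master key operation.
    private static readonly TokenCredential Credential = BuildCredential();

    // ManagedIdentityCredential only works where an identity endpoint exists (App Service,
    // Functions, VMs, AKS). Locally there is none and it throws CredentialUnavailableException.
    // ChainedTokenCredential treats exactly that exception as "try the next credential", so
    // the same binary uses the managed identity in Azure and the developer's sign-in on a
    // workstation. Any other failure (e.g. AuthenticationFailedException because the identity
    // exists but lacks Key Vault permissions) stops the chain and is surfaced, as it should be.
    public static TokenCredential BuildCredential()
    {
        return new ChainedTokenCredential(
            new ManagedIdentityCredential(),   // system-assigned identity of the App Service
            new VisualStudioCredential(),      // Tools > Options > Azure Service Authentication
            new AzureCliCredential());         // `az login`
    }

    // Diagnostic for the exact error in the question. App Service hands the identity
    // endpoint to the process through IDENTITY_ENDPOINT (MSI_ENDPOINT on older stacks).
    // Both missing on App Service means the identity is not switched on. Note: this check
    // is App Service-specific; a VM uses the IMDS address instead and sets no variable.
    public static bool AppServiceIdentityEndpointPresent()
    {
        return Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT") != null
            || Environment.GetEnvironmentVariable("MSI_ENDPOINT") != null;
    }

    // Registers the AKV key store provider once per process; a second registration throws.
    public static void EnsureRegistered()
    {
        lock (Gate)
        {
            if (_registered) return;

            // Provider 2.x: pass the TokenCredential directly (assumed version).
            var akvProvider = new SqlColumnEncryptionAzureKeyVaultProvider(Credential);

            SqlConnection.RegisterColumnEncryptionKeyStoreProviders(
                new Dictionary<string, SqlColumnEncryptionKeyStoreProvider>(StringComparer.OrdinalIgnoreCase)
                {
                    { SqlColumnEncryptionAzureKeyVaultProvider.ProviderName, akvProvider }
                });

            _registered = true;
        }
    }

    // Equivalent for the 1.x provider used in the question, whose constructor takes an
    // AuthenticationCallback(authority, resource, scope). Same credential, same fallback.
    public static async Task<string> GetKeyVaultTokenAsync(string authority, string resource, string scope)
    {
        AccessToken token = await Credential.GetTokenAsync(
            new TokenRequestContext(new[] { "https://vault.azure.net/.default" }),
            CancellationToken.None);
        return token.Token;
    }
}
```

Call EnsureRegistered() once at startup (or from the DbContext constructor, as the question does) rather than per connection. Whichever identity ends up at the front of the chain still needs access on the vault itself: for the deployed app that is the system-assigned identity the answer tells you to turn on, for local runs it is the developer account, and in both cases the identity needs at least the key permissions the provider uses at runtime (get and unwrapKey on the column master key). A chain that reaches Key Vault with the wrong identity fails with an authorization error from the vault, not with CredentialUnavailableException, which is a useful way to tell the two problems apart.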