Replacing deprecated Microsoft.Azure.KeyVault by Azure.Security.KeyVault.Secrets and Azure.Security.KeyVault.Certificates

Maryam Rabii 21 Reputation points
2022-12-15T16:47:00.91+00:00

Hi,

In my old code I was using Microsoft.Azure.KeyVault, which I recognized is deprecated, so now I am trying to use Azure.Security.KeyVault.Secrets and Azure.Security.KeyVault.Certificates instead.
My goal is to connect to Key Vault and retrieve a certificate and 2 secrets that are in there.
Here is my Key Vault setup:
1- My application, which retrieves the Key Vault secrets and certificate, is on premises and on the .NET Framework 4.8
2- Created a Key Vault, generated a new certificate and added 2 secrets to the Key Vault
3- Uploaded the certificate in the app

In my previous code, which was using **Microsoft.Azure.KeyVault**, my app pool identity on IIS was a service account in Azure AD, and that service account had "Key Vault Secrets User" access to the Key Vault, so I could use the code below
to get the certificate:

    using System;
    using System.Security.Cryptography.X509Certificates;
    using System.Threading.Tasks;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.KeyVault.Models;
    using Microsoft.Azure.Services.AppAuthentication;

    // KeyVaultName is a static field defined elsewhere in the class (not shown in the post).
    private static async Task<X509Certificate2> ReadCertificateFromVault(string certName)
    {
        // The token is obtained from the process identity (the IIS app pool account), so no secret sits in config.
        var serviceTokenProvider = new AzureServiceTokenProvider();
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(serviceTokenProvider.KeyVaultTokenCallback));

        // First the certificate metadata, then the secret that holds the base64-encoded PKCS#12 blob.
        CertificateBundle certificate = await keyVaultClient.GetCertificateAsync($"https://{KeyVaultName}.vault.azure.net/", certName);
        SecretBundle secret = await keyVaultClient.GetSecretAsync(certificate.SecretIdentifier.Identifier);

        return new X509Certificate2(Convert.FromBase64String(secret.Value));
    }

I did not need to download any certificate to my local computer or capture any service account password to get the certificate; only by giving access to the service account, setting it as the app pool identity in IIS and using KeyVaultClient, I could reach the vault and get the certificate and secrets.

Now that I am using the Azure.Security.KeyVault.Secrets and Azure.Security.KeyVault.Certificates libraries:
Is there any client with which I could use my AD service account (which is my app pool identity) the same way I used it in my old code to access the Key Vault? (I do not want to save any password in any of my configs. Also, the ClientCertificateCredential in the Azure.Security.KeyVault.Certificates libraries needs the path to a certificate, and I do not want to do any extra install of a certificate on my server to retrieve the certificate from the vault.)

Someone suggested I use managed identity, which in my case, since my application is on premises, I understand will not work.

Any suggestion or snippet of code would be highly appreciated!

Thanks,

  1. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,541 Reputation points Moderator
    2022-12-16T22:30:16.123+00:00

    Hello @Maryam Rabii, my guess is that you're using developer credentials (RunAs=CurrentUser), which is recommended for local development and does not require a certificate, or a service principal with client certificate authentication (RunAs=App;AppId={AppId};TenantId={TenantId};). Moving to Azure.Security.KeyVault.*, you should use Azure.Identity for authentication. The recommended approach is to use client (app/SP) credentials with a certificate. For migration information and connection string and code samples, take a look at the AppAuthentication to Azure.Identity Migration Guidance.

    Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.
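
The migration the question asks about and the answer points to, written out as an added example (this is not code from the question, the answer, or the Azure SDK docs). It rewrites the old AzureServiceTokenProvider + KeyVaultClient flow against Azure.Identity, Azure.Security.KeyVault.Certificates and Azure.Security.KeyVault.Secrets. Assumptions: the IIS app pool identity can read the service principal's client-authentication certificate from the LocalMachine\My store (so no PFX path and no password go into config); that service principal has "Key Vault Secrets User" on the vault; the tenant ID, client ID, thumbprint, vault URI and secret names are placeholders. Azure.Identity has no credential that signs in the app pool's domain account with Integrated Windows Authentication, which is why the example authenticates the service principal with a certificate, as the answer recommends.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Certificates;
using Azure.Security.KeyVault.Secrets;

public static class VaultAccess
{
    // Hypothetical placeholders; in practice read them from configuration. None of them is a secret.
    private const string TenantId = "00000000-0000-0000-0000-000000000000";
    private const string ClientId = "11111111-1111-1111-1111-111111111111";
    private const string AuthCertThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"; // hypothetical
    private static readonly Uri VaultUri = new Uri("https://my-vault.vault.azure.net/");  // hypothetical

    // Replacement for AzureServiceTokenProvider: the service principal authenticates with a
    // certificate looked up in the Windows certificate store. ClientCertificateCredential has an
    // X509Certificate2 overload, so no file path is needed and no password is stored anywhere.
    public static TokenCredential BuildCredential()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.LocalMachine))
        {
            store.Open(OpenFlags.ReadOnly);
            var matches = store.Certificates.Find(
                X509FindType.FindByThumbprint, AuthCertThumbprint, validOnly: false);
            if (matches.Count == 0)
                throw new InvalidOperationException(
                    "Client authentication certificate not found in LocalMachine\\My; " +
                    "check the thumbprint and that the app pool identity may read its private key.");
            return new ClientCertificateCredential(TenantId, ClientId, matches[0]);
        }
    }

    // Direct equivalent of GetCertificateAsync + GetSecretAsync + new X509Certificate2(...) in the old
    // code. DownloadCertificateAsync reads the secret behind the certificate and handles both the
    // PKCS#12 and the PEM content type. It first fetches the certificate object, so the principal
    // also needs certificate read permission (for example the Key Vault Reader role) on the vault.
    public static async Task<X509Certificate2> ReadCertificateFromVaultAsync(string certName, TokenCredential cred)
    {
        var certClient = new CertificateClient(VaultUri, cred);
        return (await certClient.DownloadCertificateAsync(certName)).Value;
    }

    // Secrets-only path for a principal that holds nothing but "Key Vault Secrets User": a Key Vault
    // certificate is also addressable as a secret with the same name, whose value for the default
    // PKCS#12 content type is the base64-encoded PFX. EphemeralKeySet keeps the private key out of
    // the key store on disk; MachineKeySet avoids the per-user profile the IIS worker may not have.
    public static async Task<X509Certificate2> ReadCertificateViaSecretAsync(string certName, TokenCredential cred)
    {
        var secretClient = new SecretClient(VaultUri, cred);
        KeyVaultSecret secret = await secretClient.GetSecretAsync(certName);
        if (secret.Properties.ContentType != "application/x-pkcs12")
            throw new InvalidOperationException(
                $"Expected a PKCS#12 certificate secret, got content type '{secret.Properties.ContentType}'.");
        return new X509Certificate2(
            Convert.FromBase64String(secret.Value),
            (string)null,
            X509KeyStorageFlags.MachineKeySet | X509KeyStorageFlags.EphemeralKeySet);
    }

    // The two ordinary secrets from the question, fetched by name.
    public static async Task<string> ReadSecretAsync(string secretName, TokenCredential cred)
    {
        var secretClient = new SecretClient(VaultUri, cred);
        KeyVaultSecret secret = await secretClient.GetSecretAsync(secretName);
        return secret.Value;
    }

    // Usage from application start-up; "my-cert", "secret-one" and "secret-two" are hypothetical names.
    public static async Task Main()
    {
        TokenCredential cred = BuildCredential();
        X509Certificate2 cert = await ReadCertificateFromVaultAsync("my-cert", cred);
        string first = await ReadSecretAsync("secret-one", cred);
        string second = await ReadSecretAsync("secret-two", cred);
        Console.WriteLine($"Loaded certificate {cert.Thumbprint}; secrets have {first.Length} and {second.Length} chars.");
    }
}
```

Build the credential once and reuse it: both clients cache the access token, so per-request construction only adds token requests. If the application can be given the file-based alternative later, DefaultAzureCredential reads AZURE_CLIENT_CERTIFICATE_PATH from the environment and needs no code change, but it still ends up with a certificate on the server, which is exactly what the question wants to avoid; the store-based lookup above is the way to keep the PFX out of config and off the file system.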

