How to access azure keyvault through on-premise API using service principal and secret?

Sabanovic, Maid 0 Reputation points
2023-02-06T10:41:44.27+00:00

I'm trying to figure out how to access secrets in Azure Key Vault using an on-premise .NET Core 3.1 API. The authentication method is to use a service principal and the client secret to access Key Vault.

I'm following this tutorial from Microsoft: https://learn.microsoft.com/en-us/dotnet/azure/sdk/authentication-on-premises-apps?tabs=azure-portal%2Cwindows%2Ccommand-line

But I'm struggling at heading 4 "Implement DefaultAzureCredential in application".

This is my Startup.cs file:

public void ConfigureServices(IServiceCollection services)
{
    var tenantId = Configuration["AzureAd:TenantId"];
    var clientId = Configuration["AzureAd:ClientId"];
    var clientSecret = Configuration["AzureAd:ClientSecret"];
    var kvUri = Configuration["AzureAd:KvUri"];

    // Registers a SecretClient for dependency injection (Microsoft.Extensions.Azure)
    // and makes it authenticate with the service principal's client secret (Azure.Identity).
    services.AddAzureClients(x =>
    {
        x.AddSecretClient(new Uri(kvUri));
        x.UseCredential(new ClientSecretCredential(tenantId, clientId, clientSecret));
    });
}

Now I want to retrieve a secret from a vault by executing a route endpoint. But there is no documentation or tutorial on what code to add in my Controller. It currently looks like this. SecretsController:

// SecretClient is resolved from the AddAzureClients registration in Startup.cs
private readonly SecretClient secretsClient;

public SecretsController(SecretClient client)
{
    secretsClient = client;
}
...

[HttpGet("GetSecrets")]
public async Task<string> Get()
{
    // GetSecretAsync returns Response<KeyVaultSecret>; .Value.Value is the secret's plaintext
    var mySecretValue = await secretsClient.GetSecretAsync("MySecret2");
    return "MySecret value is: " + mySecretValue.Value.Value;
}

When executing the endpoint I get 401 Error, authentication failed.

I added the service principal under "Access Policies" in Key Vault. Also I added access control for the resource group and assigned that to the principal, like in the mentioned Microsoft docs. Under "Check access" in the Key Vault I can see that the principal has "Key Vault Administrator" access, so that should be right too.


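The question asks what code belongs in the controller once SecretClient is registered. The following is an added example written for this page, not code from the question or from the linked Microsoft tutorial. It assumes the same AddAzureClients/UseCredential registration shown in the question (so SecretClient comes from DI) and that the Azure.Security.KeyVault.Secrets, Azure.Identity and Microsoft.Extensions.Azure packages are referenced; the route and the choice to return only metadata are the example's own.

```csharp
// Added example (not from the question or the linked tutorial). Assumes a SecretClient
// registered via AddAzureClients/UseCredential as in the question's Startup.cs.
using System.Threading.Tasks;
using Azure;
using Azure.Security.KeyVault.Secrets;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

[ApiController]
[Route("api/[controller]")]
public class SecretsController : ControllerBase
{
    private readonly SecretClient _secretsClient;
    private readonly ILogger<SecretsController> _logger;

    // Both dependencies are resolved from the DI container.
    public SecretsController(SecretClient client, ILogger<SecretsController> logger)
    {
        _secretsClient = client;
        _logger = logger;
    }

    // GET api/secrets/MySecret2/metadata
    // Confirms the service principal can read the secret, but returns only metadata:
    // the secret value itself never leaves the API in an HTTP response.
    [HttpGet("{name}/metadata")]
    public async Task<IActionResult> GetMetadata(string name)
    {
        try
        {
            Response<KeyVaultSecret> response = await _secretsClient.GetSecretAsync(name);
            KeyVaultSecret secret = response.Value;

            // secret.Value holds the plaintext; consume it in-process (for example to
            // build a connection string) rather than echoing it to the caller.
            return Ok(new
            {
                secret.Name,
                secret.Properties.Version,
                secret.Properties.Enabled,
                secret.Properties.UpdatedOn
            });
        }
        catch (RequestFailedException ex) when (ex.Status == 401 || ex.Status == 403)
        {
            // A 401/403 caught here was raised by Key Vault itself (token rejected or
            // missing data-plane permission), not by the API's own authentication.
            _logger.LogWarning(ex,
                "Key Vault refused access to secret {SecretName}: HTTP {Status}, error code {ErrorCode}",
                name, ex.Status, ex.ErrorCode);
            return StatusCode(StatusCodes.Status502BadGateway,
                "The API's service principal was not authorized by Key Vault.");
        }
        catch (RequestFailedException ex) when (ex.Status == 404)
        {
            return NotFound();
        }
    }
}
```

Catching RequestFailedException and logging its Status and ErrorCode separates the two places a 401 can originate: if the log line appears, Key Vault rejected the service principal's token or permissions; if the endpoint returns 401 without the controller ever running, the rejection is happening in front of the controller, in the API's own authentication pipeline.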
1 answer

  1. JamesTran-MSFT 36,366 Reputation points Microsoft Employee
    2023-02-09T21:49:21.0866667+00:00

    @Sabanovic, Maid

    Thank you for your post!

    Error Message: Azure Key Vault REST API Error Codes 401

    HTTP 401: Unauthenticated Request

    From your error message, can you make sure that you sent the authentication token within your GET request? I'd also make sure that you can decode your token via https://jwt.ms to ensure you have the correct tenant ID, client ID, and resource within your token.

    I found some DefaultAzureCredential examples that might help point you in the right direction. To create a new SecretClient to create, get, update, or delete secrets, you need the endpoint to an Azure Key Vault and credentials. For more info - Creating a SecretClient.

    var client = new SecretClient(new Uri(keyVaultUrl), new DefaultAzureCredential());
    

    Additional Links:

    I hope this helps!
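The answer recommends decoding the token at https://jwt.ms to check tenant ID, client ID and resource. As an added diagnostic example (not from the answer, the question, or Microsoft's documentation), the following performs that same check locally so the token never leaves the machine: it acquires a Key Vault token with the same ClientSecretCredential the SecretClient uses, decodes the JWT payload without validating the signature, and compares the aud, tid and appid/azp claims with the expected values. The unsigned sample token, the zero-GUID placeholders and the class and method names are constructed for this demonstration.

```csharp
// Added diagnostic example (not from the answer or the linked docs). The sample JWT
// built in Main is constructed and unsigned, purely to exercise the decoder offline.
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class KeyVaultTokenCheck
{
    // Data-plane scope for Key Vault in the Azure public cloud.
    public const string KeyVaultScope = "https://vault.azure.net/.default";

    // Requests the same token SecretClient would request, via the same credential type.
    public static async Task<string> AcquireTokenAsync(string tenantId, string clientId, string clientSecret)
    {
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { KeyVaultScope }), CancellationToken.None);
        return token.Token;
    }

    // Decodes the payload segment of a compact JWT. No signature validation is done:
    // this only reads the claims that Key Vault will check, for local troubleshooting.
    public static JsonDocument DecodePayload(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected a three-segment JWT");
        return JsonDocument.Parse(Base64UrlDecode(parts[1]));
    }

    private static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        return Convert.FromBase64String(b64);
    }

    // Lists every claim that does not match what Key Vault expects for this principal.
    public static string[] FindMismatches(JsonDocument payload, string expectedTenantId, string expectedClientId)
    {
        JsonElement root = payload.RootElement;
        var problems = new List<string>();

        string aud = root.TryGetProperty("aud", out var a) ? a.GetString() : null;
        if (aud != "https://vault.azure.net" && aud != "https://vault.azure.net/")
            problems.Add($"aud is '{aud}', expected https://vault.azure.net");

        string tid = root.TryGetProperty("tid", out var t) ? t.GetString() : null;
        if (!string.Equals(tid, expectedTenantId, StringComparison.OrdinalIgnoreCase))
            problems.Add($"tid is '{tid}', expected {expectedTenantId}");

        // v1 tokens carry the caller's application ID in 'appid', v2 tokens in 'azp'.
        string appId = root.TryGetProperty("appid", out var p) ? p.GetString()
                     : root.TryGetProperty("azp", out var z) ? z.GetString() : null;
        if (!string.Equals(appId, expectedClientId, StringComparison.OrdinalIgnoreCase))
            problems.Add($"application id is '{appId}', expected {expectedClientId}");

        return problems.ToArray();
    }

    public static void Main()
    {
        // Constructed, unsigned sample token (header.payload.signature) with placeholder
        // GUIDs; its audience is Azure Resource Manager rather than Key Vault on purpose.
        string header = Base64UrlEncode("{\"alg\":\"none\",\"typ\":\"JWT\"}");
        string payload = Base64UrlEncode(
            "{\"aud\":\"https://management.azure.com/\"," +
            "\"tid\":\"00000000-0000-0000-0000-000000000001\"," +
            "\"appid\":\"00000000-0000-0000-0000-000000000002\"}");
        string sampleJwt = $"{header}.{payload}.";

        string[] problems = FindMismatches(DecodePayload(sampleJwt),
            "00000000-0000-0000-0000-000000000001", "00000000-0000-0000-0000-000000000002");
        foreach (string problem in problems)
            Console.WriteLine(problem);

        // With real configuration, replace the sample with:
        // string jwt = await AcquireTokenAsync(tenantId, clientId, clientSecret);
    }

    private static string Base64UrlEncode(string s) =>
        Convert.ToBase64String(Encoding.UTF8.GetBytes(s)).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
```

A token whose aud is not the Key Vault resource, or whose tid or application ID differs from the AzureAd configuration, will be rejected by Key Vault with a 401 regardless of how the access policy is set, which is why checking these three claims comes before revisiting vault permissions.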