Can I use user principal to access Azure key vault from On-prem ?

Question

Can I use user principal to access Azure key vault from On-prem ?

Crazyhead 0

Hi,

Can we use user principal to access Azure key vault programmatically from on-prem? we have a specific usecase that requires storing service principal credentials in the Azure key vault but the app needs to connect from on-prem.

Thanks!

Vahid Ghafarpour 23,385 Reputation points Volunteer Moderator

2023-08-10T18:17:36.4133333+00:00

https://learn.microsoft.com/en-us/azure/key-vault/general/client-libraries
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2023-08-16T04:45:58.8566667+00:00

@Crazyhead

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

3 answers

Your answer

Vahid Ghafarpour 23,385 Reputation points Volunteer Moderator

2023-08-10T18:17:36.4133333+00:00

https://learn.microsoft.com/en-us/azure/key-vault/general/client-libraries
Sandeep G-MSFT 20,906 Reputation points Microsoft Employee Moderator

2023-08-16T04:45:58.8566667+00:00

@Crazyhead

Just checking in to see if the below answer helped. If this answers your query, please don’t forget to click "Accept the answer" and Up-Vote for the same, which might be beneficial to other community members reading this thread.

Answer 1

Vahid Ghafarpour 23,385 Volunteer Moderator

You can use key vault libraries depending on your technology

https://learn.microsoft.com/en-us/azure/key-vault/general/client-libraries

Keep in mind to set policies.

Configure an access policy in the Azure Key Vault that allows the User Principal's Managed Identity to access the necessary secrets.
This access policy should include permissions like Get and List.

Crazyhead 0 Reputation points

2023-08-10T18:37:35.1133333+00:00

Thanks Vahid. But my question is about authentication from on-prem to Azure key vault using the User Principal

Answer 2

TP 125.8K Volunteer Moderator

Hi,

Yes, you can access Azure Key Vault from on premises, provided the networking settings on the vault permit it.

Please click Accept Answer if the above was useful.

Thanks.

-TP

Crazyhead 0 Reputation points

2023-08-10T18:39:56.3433333+00:00

Hi TP, My question is about Authentication using user principal to access Azure key vault.
TP 125.8K Reputation points Volunteer Moderator

2023-08-10T19:27:42.9633333+00:00
Hi,

Yes, I understand you want to authenticate using user principal. When you attempt to access key vault from on premises using a user principal, is there an error you are receiving?

For example, you can run below CLI sample code to retrieve secret from on premises:

az login az rest -m get -u "https://<yourvaultname>.vault.azure.net/secrets/testsecret?api-version=7.4" --resource "https://vault.azure.net"

Before running above sample, you need to grant secret get permission to the account that you will use to authenticate via az login.
Crazyhead 0 Reputation points

2023-08-10T19:41:42.4466667+00:00

Thanks. But in my use case, my application needs to connect to Azure key vault using the user principal not through CLI.
TP 125.8K Reputation points Volunteer Moderator

2023-08-10T19:57:30.5+00:00

CLI is an application, just like your application is an application. I used it as an example because it was a quick way to demonstrate that an application running on premises can use a user principal to authenticate to key vault. CLI makes calls to Azure REST APIs just like your application can.

Is there a specific error you are receiving when you attempt to access key vault from your application using a user principal? Can you post small sample code where you are attempting to access key vault and it fails?
Crazyhead 0 Reputation points

2023-08-10T21:36:39.7666667+00:00

I understand what is CLI. CLI can be used only in your development environment not suitable for Test or Prod environment.
TP 125.8K Reputation points Volunteer Moderator

2023-08-11T09:38:07.4+00:00

My point is not to have you use CLI. Rather, it is that you can have your application use the same technique that CLI uses. Namely, use Proof Key for Code Exchange (PKCE) to obtain token for user principal, and then use this token to access Azure Key Vault.

Basically your application would listen on localhost ephemeral port for incoming http request, open Azure AD authentication page using default web browser, user signs in to Azure AD, page redirects to localhost, your application uses the returned auth code/client id/etc. to obtain token from AAD, then finally uses token to access key vault.

Microsoft identity platform and OAuth 2.0 authorization code flow

https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
TP 125.8K Reputation points Volunteer Moderator

2023-08-16T17:49:14.3166667+00:00

@Crazyhead Is my last post clear? If you need help or more explanation on a specific step add a comment below.
TP 125.8K Reputation points Volunteer Moderator

2023-08-22T13:42:59.3933333+00:00

@Crazyhead Any progress?

Answer 3

James Hamil 27,221 Microsoft Employee Moderator

Hi @Crazyhead , yes, this should work. You need to register an application with AAD and then authorize the application to access the key or secret in the vault using the az keyvault set-policy command. You can then use the appropriate SDK or REST API to access the Key Vault from your on-premises application. Make sure to use proper authentication methods like DefaultAzureCredential class provided by the Azure Identity client library for passwordless connections to Azure services.

Please let me know if you have any questions and I can help you further.

If this answer helps you please mark "Accept Answer" so other users can reference it.

Thank you,

James

Crazyhead 0 Reputation points

2023-08-10T21:09:31.1466667+00:00
Thanks James. Yes, I did try registering my app in AAD and created a client secret. I was able to access the Azure key vault from Postman using REST API. But my requirement is ,

My application is running on-prem

it needs to access Azure resources using the service principal with client's secret

But the Service principal client's secrets need to be stored in a key vault.

the problem here is Azure key vault itself is an Azure resource in order to access it, the application running on-prem should have either another service principal or need to use a user principal.

Share via

Can I use user principal to access Azure key vault from On-prem ?

3 answers

Your answer