Use API web app for DefaultAzureCredential

Bryan Apilada 0 Reputation points
2024-04-24T05:49:31.9833333+00:00

I created a key vault using .net and have added access policies which allows access for the api web application to create keys, secrets, and certificates. The goal would be able to create keys, secrets, and certificates through .net c# code.
User's image

I tried creating a secret using this code using visual studio:

  var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
                Response<KeyVaultSecret> keysec = await client.SetSecretAsync(secretName, secretValue);

As I understood, it's using my credentials set in visual studio when trying to create a secret but in my key vault, only the api web app has the access to do so. Thus returning this error below:

Azure.RequestFailedException: 'Service request failed.
Status: 403 (Forbidden)
Content:
{"error":{"code":"Forbidden","message":"The user, group or application 'appid=<actual value removed for security>;numgroups=3;iss=https://sts.windows.net/
<actual value removed for security>
/' does not have secrets set permission on key vault 'kv-velocity-poc8;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287","innererror":{"code":"AccessDenied"}}}

Is it possible to use the web app for the DefaultAzureCredential to authenticate and allow creating of keys, secrets, and certificates? If not, what other way can it be done?

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,126 questions
.NET
.NET
Microsoft Technologies based on the .NET software framework.
3,398 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Shweta Mathur 27,711 Reputation points Microsoft Employee
    2024-04-30T08:47:11.6966667+00:00

    @Bryan Apilada

    Thanks for reaching out.

    Yes, it is possible to use the web app for the DefaultAzureCredential to authenticate and allow creating of keys, secrets, and certificates. The DefaultAzureCredential class supports multiple authentication methods and determines which method should be used at runtime.

    1. Environment - The DefaultAzureCredential will read account information specified via environment variables and use it to authenticate.
    • For Environment, we need to set the Azure - ClientID, Client Secret and TenantID in the Visual Studio local Environment Variables.
    1. Managed Identity - If the application is deployed to an Azure host with Managed Identity enabled, the DefaultAzureCredential will authenticate with that account. To use Managed Identity the Application has to be deployed in Azure App Service. Reference -https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/keyvault/Azure.Security.KeyVault.Keys/README.md Alternatively, to authenticate using the web app, you can use the InteractiveBrowserCredential class provided by the Azure Identity client library. This class allows users to authenticate with Microsoft Entra ID interactively through a web browser. Similar issue - https://stackoverflow.com/questions/69810410/how-to-give-credentials-defaultazurecredential-to-azure-c-sharp-secretclient

    Thanks,

    Shweta

    Please remember to "Accept Answer" if answer helped you.

    0 comments