Accessing Azure Key Vault from local IP address

Wes Thompson 51 Reputation points
2022-07-09T18:47:39.587+00:00

Hello, I have a Blazor Server App that needs to read secrets out of Azure Key Vault. I have the Key Vault set to "Selected Networks" and I have a private endpoint that is Approved/Succeeded. I know I cannot use the private endpoint unless the web app is on the same VNet as the Key Vault; that endpoint is for production. Right now, I am just trying to establish a connection for testing locally and would prefer not to have to publish the app to Azure first if at all possible. I have added my local IP address to the firewall options to allow access from my IP and I have an access policy with every permission and permission model set to Vault access policy. I also have "Allow trusted Microsoft services to bypass this firewall" set to No but this is not a trusted service so it should not matter (and I'm pretty sure I tried with it set to Yes as well).

I've tried:

  • Assigning myself the Key Vault admin/contributor roles and setting the permission model to role-based access control using interactive credentials
  • Using both the hostname and IP address of the Vault URI using interactive credentials
  • Trying to authenticate a Key Vault connection through Visual Studio (it just hangs on the "Verifying that your application will have access to the key vault" indefinitely)

For the first two points I get the "Connection is not an approved private link and caller was ignored because bypass is not set to 'AzureServices' and PublicNetworkAccess is set to 'Disabled'." Is there any way to actually connect from a local web app without deploying it to get a client ID and secret first? And without exposing it to all networks?


2 answers

  1. Wes Thompson 51 Reputation points
    2022-07-10T07:11:36.04+00:00

    After many days of banging my head against a wall, reading countless forum posts, and possibly every document about Azure Key Vaults, I finally resolved my issue.

    Problem:
    I don't know if this is even documented anywhere because I did not find the answer anywhere online. I found it by sheer luck and determination, trying every tiny idea that I could come up with. It turns out my issue was the way the Key Vault was created. When you are creating a Key Vault resource, during the "Networking" step, if you choose to start with the "Private endpoint" option, it will disable public network access, even if you add a public IP or virtual network to the firewall, and even if you set the firewall to allow access from "All networks". It will not let anything other than the private endpoint through.

    Solution:
    The solution was to create the Key Vault with initial access as either "All networks" or "Selected networks". Then setting my IP address as the only IP address allowed past the firewall worked properly and I was able to authenticate through Visual Studio and through the interactive browser using DefaultAzureCredential(true). I was also able to create a private endpoint for the new vault that I can properly use from the VNet but it does not disable my firewall settings so I am still able to access the vault from my local IP address (and not from any other IP addresses).

    Main Points:
    If you want to be able to authenticate to your Key Vault from ONLY your IP address and a private endpoint (for development and production environments, respectively) then:

    1. Make sure you first create the vault without a private endpoint, otherwise it will disable all other options with no way around it. You can add a private endpoint after it is created and use both your IP and the endpoint properly.
    2. Make sure you have the correct access policies to the vault set on your account user for local authentication. Either through the permissions in "Vault access policy" or through the IAM roles with "Azure role-based access control".
    3 people found this answer helpful.

  2. Alfredo Revilla - Upwork Top Talent | IAM SWE SWA 27,526 Reputation points Moderator
    2022-07-10T04:34:28.607+00:00

    Hello @Wes Thompson , you can run your application locally and authenticate as an Azure AD application or user (delegated authentication). To enable public networking access to key vault you can use tools such as az cli (sample command below) to later allow access from selected public IPs through the firewall.

    az keyvault update --public-network-access enabled --name <KEYVAULT NAME>

    Let us know if this answer was helpful to you or if you need additional assistance. If it was helpful, please remember to accept it and complete the quality survey so that others in the community with similar questions can more easily find a rated solution.

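As an added illustration (not code from either answer, and not Microsoft's implementation), the Python below encodes the network switches both answers turn on: `publicNetworkAccess`, the firewall `defaultAction`, the AzureServices `bypass`, and the `ipRules` list, as they appear in `az keyvault show -o json`. It approximates the decision the service reports in the "PublicNetworkAccess is set to 'Disabled'" error, so a developer can see why a vault created through the "Private endpoint" option rejects an allowed IP while a "Selected networks" vault with the same firewall accepts it. The vault names and the address 203.0.113.7 are constructed samples.

```python
import ipaddress

def sample_vault(name, public_network_access):
    """Constructed stand-in for `az keyvault show -o json` output, trimmed to the
    fields this check reads. Both samples share one firewall: defaultAction Deny,
    a single (hypothetical) developer IP allowed, no AzureServices bypass."""
    return {"name": name, "properties": {
        "publicNetworkAccess": public_network_access,
        "networkAcls": {"bypass": "None", "defaultAction": "Deny",
                        "ipRules": [{"value": "203.0.113.7/32"}],
                        "virtualNetworkRules": []}}}

# Vault created through the "Private endpoint" networking option: public access off.
PRIVATE_FIRST_VAULT = sample_vault("kv-example-private-first", "Disabled")
# Vault created as "Selected networks" (a private endpoint can be added later).
SELECTED_NETWORKS_VAULT = sample_vault("kv-example-selected", "Enabled")

def public_access_decision(vault, caller_ip, trusted_service=False):
    """Return (allowed, reason) for a caller reaching the vault over the internet.

    Evaluates the switches the page's error message names, in order:
    publicNetworkAccess, then the firewall defaultAction, then the AzureServices
    bypass, then ipRules. Virtual network rules are skipped: a dev box is not in a VNet.
    """
    props = vault.get("properties") or {}
    if str(props.get("publicNetworkAccess", "Enabled")).lower() == "disabled":
        return False, ("publicNetworkAccess is Disabled: only private-endpoint "
                       "traffic is accepted and ipRules are ignored")
    acls = props.get("networkAcls") or {}  # null when the firewall was never configured
    if str(acls.get("defaultAction", "Allow")).lower() == "allow":
        return True, "firewall defaultAction is Allow (all networks)"
    if trusted_service and acls.get("bypass") == "AzureServices":
        return True, "trusted Microsoft service bypass"
    ip = ipaddress.ip_address(caller_ip)
    for rule in acls.get("ipRules") or []:
        # az returns ipRules as {"value": "a.b.c.d/32"}; a bare address also parses.
        if ip in ipaddress.ip_network(rule["value"], strict=False):
            return True, f"caller {caller_ip} matches ipRule {rule['value']}"
    return False, f"caller {caller_ip} matches no ipRule and defaultAction is Deny"

if __name__ == "__main__":
    for vault in (PRIVATE_FIRST_VAULT, SELECTED_NETWORKS_VAULT):
        allowed, reason = public_access_decision(vault, "203.0.113.7")
        print(f"{vault['name']}: {'ALLOW' if allowed else 'DENY'}: {reason}")
```

Feeding real `az keyvault show` output into `public_access_decision` shows the "DENY" reason before any code change is deployed; the fix is the one given above (recreate or `az keyvault update --public-network-access` to Enabled) with `defaultAction` left at Deny so only the listed IP and the private endpoint get through.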
