Share via

Accessing Azure Key Vault in a Windows Server Container on an on-prem hybrid joined server with managed identities

Brandon Gilbert 0 Reputation points
2024-09-30T16:15:10.33+00:00

I am working on configuring an on-prem Windows Server 2022 production web server that is hybrid joined to Azure using Azure Arc. I will be running windows containers hosting asp.net core applications. The applications will use Azure Key vault for secret management. I would like for the application to use the hosts managed identity to access the key vault. I am using DefaultAzureCredential in the applications. On the host server I am able to access the keyvault with a sample application but when running this app inside the container I am not able to access it, and I get an error that ManagedIdentityCredential authentication failed. What do I need to give the container for it to use the host server's identity to access the key vault?

The app I am testing with is a console app. My program.cs is

using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var keyVaultName = "your-key-vault-name";
var secretName = "your-secret-name";
var kvUri = $"https://{keyVaultName}.vault.azure.net/";
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());

try
{
  KeyVaultSecret secret = await client.GetSecretAsync(secretName);
  Console.WriteLine($"Secret Value: {secret.Value}");
}
catch (Exception ex)
{
  Console.WriteLine($"Failed to retrieve secret: {ex.Message}");
}

My docker file is for a windows server

My Docker command is

docker run -it --rm -e IDENTITY_ENDPOINT=$Env:IDENTITY_ENDPOINT -e IMDS_ENDPOINT=$Env:IMDS_ENDPOINT -v C:\azuretest:C:\azuretest --name my-app-container mcr.microsoft.com/windows/nanoserver:ltsc2022 cmd

The error I am getting is

Failed to retrieve secret: DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/environmentcredential/troubleshoot
- WorkloadIdentityCredential authentication unavailable. The workload options are not fully configured. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/workloadidentitycredential/troubleshoot
- ManagedIdentityCredential authentication unavailable. No response received from the managed identity endpoint.
- Visual Studio Token provider can't be accessed at C:\Users\ContainerUser\AppData\Local\.IdentityService\AzureServiceAuth\tokenprovider.json
- Azure CLI not installed
- PowerShell is not installed.
- Azure Developer CLI could not be found.

When I try using the host server IP address I get the following error

A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond.

When I try just mapping the environment variables, I get the following error

Failed to retrieve secret: ManagedIdentityCredential authentication failed:

I tried mapping the IMDS environment variables, opening port 4032 on the host firewall, and using the host IP address but still receive this error.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,311 questions
.NET
.NET
Microsoft Technologies based on the .NET software framework.
3,915 questions
Azure Arc
Azure Arc
A Microsoft cloud service that enables deployment of Azure services across hybrid and multicloud environments.
435 questions
0 comments

1 answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Sina Salam 12,011 Reputation points
    2024-10-01T04:44:14.6866667+00:00

    Hello Brandon Gilbert,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    Regarding your scenario and explanation, there are couple of a few things you will need to resolve the issue:

    1. First confirm that system-assigned managed identity is enabled on your Azure resource by using this bash command: az vm show --resource-group <your-resource-group> --name <your-vm-name> --query identity --output json Use this link for more info - https://docs.microsoft.com/azure/active-directory/managed-identities-azure-resources/overview
    2. Configure Azure Key Vault Access Policy for access to your application using bash command: az keyvault set-policy --name <your-key-vault-name> --object-id <managed-identity-object-id> --secret-permissions get list For more info - https://docs.microsoft.com/azure/key-vault/general/assign-access-policy
    3. In your Docker, you will need to set environment variable as 
          `IDENTITY_ENDPOINT`
    `IMDS_ENDPOINT`
      and use: 
         docker run -it --rm -e IDENTITY_ENDPOINT=http://169.254.169.254/metadata/identity/oauth2/token -e IMDS_ENDPOINT=http://169.254.169.254/metadata/instance -v C:\azuretest:C:\azuretest --name my-app-container mcr.microsoft.com/windows/nanoserver:ltsc2022 cmd
    4. Make sure your application is using DefaultAzureCredential correctly. 
         using Azure.Identity;
   using Azure.Security.KeyVault.Secrets;
   // Create a secret client
   var client = new SecretClient(new Uri("https://<your-key-vault-name>.vault.azure.net/"), new DefaultAzureCredential());
   // Get a secret
   KeyVaultSecret secret = await client.GetSecretAsync("<your-secret-name>");
      For more info: https://docs.microsoft.com/dotnet/api/overview/azure/identity-readme

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.