Authentication to Azure Key Vault


I think I'm having difficulty understanding authentication for public client applications, specifically in relation to the Azure key vault.

I've been able to write some C# which builds a public client application, registered with Azure, and I can authenticate using a broker and my Windows domain login to get an OAuth token without having to provide any password. I've successfully used that OAuth token to call the RESTful API for the key vault, and have retrieved some secrets. I've used RBAC to grant the necessary permissions.

However, I know I'm supposed to use SecretClient to accomplish this. SecretClient requires a credential, but what I have is an OAuth token. How can I create a credential that uses my OAuth token?

I've been playing with the DefaultAzureCredential object, but I've only been able to get this working with environment variables (using a confidential client, which isn't what I want), or with my Visual Studio credentials. This then doesn't work on the test PC.

Any assistance would be greatly appreciated!

Below is an example of the code I thought would work on a domain-joined PC where the user is logged in with their Entra ID.

        // Requires at file top: using Azure.Identity; using Azure.Security.KeyVault.Secrets;
        //                       using System; using System.Windows.Forms;
        string tenantId = "<my tenant>";

        // Pin the tenant so the credential chain does not fall back to the account's home tenant.
        DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions();
        options.TenantId = tenantId;
        // Skip EnvironmentCredential: that path needs a client secret or certificate (a confidential client).
        options.ExcludeEnvironmentCredential = true;
        DefaultAzureCredential credential = new DefaultAzureCredential(options);

        SecretClient client = new SecretClient(new Uri("https://mykeyvault.vault.azure.net/"), credential);

        // GetSecret returns Response<KeyVaultSecret>; .Value is the secret and .Value.Value its plaintext.
        string secretValue = client.GetSecret("mysecret").Value.Value;

        MessageBox.Show(secretValue);

There is 1 answer

Venkatesan

However, I know I'm supposed to use SecretClient to accomplish this. SecretClient requires a credential, but what I have is an OAuth token. How can I create a credential that uses my OAuth token?

According to this MS document, it is not possible to access SecretClient without credentials.

The SecretClient requires a credential to authenticate with the Azure service, such as DefaultAzureCredential or ClientSecretCredential.

With ClientSecretCredential, you also need to pass clientId, clientSecret, and tenantId to fetch the secrets from Key Vault.

Code:

using System;
using System.Threading.Tasks;
using Azure.Security.KeyVault.Secrets;
using Azure.Identity;

namespace sample
{
    class Program
    {
        static async Task Main(string[] args)
        {
            // Confidential-client (service principal) settings. ClientSecretCredential
            // authenticates as the app registration itself, not as the signed-in user.
            string clientId = "xxxx";
            string clientSecret = "xxxxx";
            string tenantId = "xxxxx";

            var clientCredential = new ClientSecretCredential(tenantId, clientId, clientSecret);
            var client = new SecretClient(new Uri("https://<keyvaultname>.vault.azure.net/"), clientCredential);

            // GetSecretAsync returns Response<KeyVaultSecret>, which converts implicitly to KeyVaultSecret;
            // awaiting it also removes the "async method lacks await" warning on Main.
            KeyVaultSecret secret = await client.GetSecretAsync("secret");
            string secretValue = secret.Value;

            Console.WriteLine(secretValue);
        }
    }
}

As of now, you need to use the PCA (OAuth token) flow only.

Reference: Azure Key Vault secret client library for .NET - Azure for .NET Developers | Microsoft Learn
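The question's actual request, feeding an existing public-client (broker) sign-in into SecretClient without a client secret, can be met because SecretClient accepts any Azure.Core.TokenCredential and that class can be subclassed around the MSAL IPublicClientApplication the asker already has working. The following is an added example and is not code from the question or from Venkatesan's answer; MsalPublicClientCredential, the clientId/tenantId/vault-URL placeholders and the Program wrapper are assumptions, and the broker wiring (WithBroker / WithParentActivityOrWindow from Microsoft.Identity.Client.Broker) is left as a comment where the asker's own builder calls would go.

```csharp
using System;
using System.Linq;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Security.KeyVault.Secrets;
using Microsoft.Identity.Client;

namespace Sample
{
    // Adapter (added example, not from the original page) that turns an MSAL
    // public-client application into the Azure.Core TokenCredential that
    // SecretClient expects. SecretClient tells the credential which scope it
    // needs (for a public-cloud vault, https://vault.azure.net/.default) via
    // TokenRequestContext.Scopes, so a token is acquired for the vault audience
    // instead of recycling one minted earlier for some other resource.
    public sealed class MsalPublicClientCredential : TokenCredential
    {
        private readonly IPublicClientApplication _pca;

        public MsalPublicClientCredential(IPublicClientApplication pca)
        {
            _pca = pca ?? throw new ArgumentNullException(nameof(pca));
        }

        public override AccessToken GetToken(TokenRequestContext ctx, CancellationToken ct)
            => GetTokenAsync(ctx, ct).AsTask().GetAwaiter().GetResult();

        public override async ValueTask<AccessToken> GetTokenAsync(TokenRequestContext ctx, CancellationToken ct)
        {
            // Try the MSAL token cache first so the user is not prompted on every call.
            // With no cached account MSAL raises MsalUiRequiredException (error code user_null),
            // the same signal it uses when a cached token needs re-authentication.
            IAccount account = (await _pca.GetAccountsAsync()).FirstOrDefault();
            AuthenticationResult result;
            try
            {
                result = await _pca.AcquireTokenSilent(ctx.Scopes, account).ExecuteAsync(ct);
            }
            catch (MsalUiRequiredException)
            {
                result = await _pca.AcquireTokenInteractive(ctx.Scopes).ExecuteAsync(ct);
            }

            // Returning the expiry lets the Azure SDK refresh proactively instead of
            // sending a stale bearer token and failing with 401.
            return new AccessToken(result.AccessToken, result.ExpiresOn);
        }
    }

    class Program
    {
        static async Task Main()
        {
            // Placeholders (assumptions): the app registration and tenant from the question.
            string clientId = "<public client app id>";
            string tenantId = "<my tenant>";

            IPublicClientApplication pca = PublicClientApplicationBuilder
                .Create(clientId)
                .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
                .WithDefaultRedirectUri()
                // The broker (WAM) wiring the question already has, i.e. WithBroker(...) and
                // WithParentActivityOrWindow(...) from Microsoft.Identity.Client.Broker, goes here.
                .Build();

            var client = new SecretClient(
                new Uri("https://mykeyvault.vault.azure.net/"),
                new MsalPublicClientCredential(pca));

            // Response<KeyVaultSecret> converts implicitly to KeyVaultSecret.
            KeyVaultSecret secret = await client.GetSecretAsync("mysecret");
            Console.WriteLine($"Retrieved '{secret.Name}' (version {secret.Properties.Version}).");
            // secret.Value holds the plaintext; keep it out of logs and message boxes.
        }
    }
}
```

Two points a practitioner should check before adopting this. First, the token the asker fetched by hand only works here if its audience is the vault; the adapter sidesteps that by always acquiring for the scopes SecretClient passes in, and Key Vault will reject a bearer token issued for any other resource. Second, the ClientSecretCredential route in the answer above authenticates as the app registration rather than the user, and a client secret embedded in a desktop binary is extractable by anyone who has the binary, so for a public client the signed-in user's RBAC assignment on the vault (for example the Key Vault Secrets User role, which the question says is already granted) is the right authorization boundary.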