
I want to connect my application to KeyVault. Usually, I could create a New Client Secret and use it in my code.

using Microsoft.Azure.KeyVault;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Legacy KeyVaultClient: the callback is invoked for every request and must return an access token.
var _keyVaultClient = new KeyVaultClient(
    async (string authority, string resource, string scope) =>
    {
        var authContext = new AuthenticationContext(authority);
        var clientCred = new ClientCredential(clientId, clientSecret);
        var result = await authContext.AcquireTokenAsync(resource, clientCred);
        return result.AccessToken;
    });

I could create a new client secret from the Azure Portal.

Now, I can't find this option in KeyVault.

In Program.cs I have something like

var keyVaultEndpoint = new Uri(Environment.GetEnvironmentVariable("VaultUri"));
configApp.AddAzureKeyVault(keyVaultEndpoint, new DefaultAzureCredential());

Locally it is working, but when I deploy the application to Azure I get this error:

Application '/LM/W3SVC/1699246683/ROOT' with physical root 'C:\home\site\wwwroot' has exited from Program.Main with exit code = '0'. First 30KB characters of captured stdout and stderr logs:

[10:15:57 FTL] Host terminated unexpectedly Azure.Identity.CredentialUnavailableException: DefaultAzureCredential failed to retrieve a token from the included credentials.

EnvironmentCredential authentication unavailable. Environment variables are not fully configured.

ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.

SharedTokenCacheCredential authentication unavailable. No accounts were found in the cache.

at Azure.Identity.DefaultAzureCredential.GetTokenAsync(Boolean isAsync, TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Identity.DefaultAzureCredential.GetTokenAsync(TokenRequestContext requestContext, CancellationToken cancellationToken) at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.AuthenticateRequestAsync(HttpMessage message, Boolean async) at Azure.Security.KeyVault.ChallengeBasedAuthenticationPolicy.ProcessCoreAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) at Azure.Core.Pipeline.RetryPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline, Boolean async) at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline) at Azure.Core.Pipeline.HttpPipelineSynchronousPolicy.ProcessAsync(HttpMessage message, ReadOnlyMemory`1 pipeline) at Azure.Core.Pipeline.HttpPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken) at Azure.Security.KeyVault.KeyVaultPipeline.SendRequestAsync(Request request, CancellationToken cancellationToken) at Azure.Security.KeyVault.KeyVaultPipeline.GetPageAsync[T](Uri firstPageUri, String nextLink, Func`1 itemFactory, String operationName, CancellationToken cancellationToken) at Azure.Core.PageResponseEnumerator.FuncAsyncPageable`1.AsPages(String continuationToken, Nullable`1 pageSizeHint)+MoveNext() at Azure.Core.PageResponseEnumerator.FuncAsyncPageable`1.AsPages(String continuationToken, Nullable`1 pageSizeHint)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult() at Azure.AsyncPageable`1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext() at Azure.AsyncPageable`1.GetAsyncEnumerator(CancellationToken cancellationToken)+MoveNext() at Azure.AsyncPageable`1.GetAsyncEnumerator(CancellationToken cancellationToken)+System.Threading.Tasks.Sources.IValueTaskSource<System.Boolean>.GetResult() at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.LoadAsync() at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.LoadAsync() at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.Load() at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers) at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build() at Microsoft.Extensions.Hosting.HostBuilder.BuildAppConfiguration() at Microsoft.Extensions.Hosting.HostBuilder.Build() at Skoruba.IdentityServer4.STS.Identity.Program.Main(String[] args) in C:\Projects\IdentityServer4\src\Skoruba.IdentityServer4.STS.Identity\Program.cs:line

Process Id: 13436. File Version: 13.1.20234.8. Description: IIS ASP.NET Core Module V2 Request Handler. Commit: c75b3f7a2fb9fe21fd96c93c070fdfa88a2fbe97

You are using DefaultAzureCredential which combines credentials commonly used to authenticate when deployed, with credentials used to authenticate in a development environment. The DefaultAzureCredential will attempt to authenticate via the following mechanisms in order.

The reason it works locally is most probably that it's able to authenticate using one from your local box (the orange ones above).

Now, for the deployed environment, you need to do either of the following:

  1. Set up Managed Service Identity and give it access to Key Vault. For example, in Azure App Service, enable that from the Identity blade in the portal and then assign an access policy in the Key Vault (the identity name will be the same as the App Service name).
  2. Or set client credentials in Environment Variables (e.g. in App Settings in the case of a Web App).
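As an added example (not code from the question, the answer, or the Skoruba project), here is a Program.cs that applies the two options above explicitly instead of letting a deployed app walk the whole DefaultAzureCredential chain. It assumes the Azure.Identity and Azure.Extensions.AspNetCore.Configuration.Secrets packages, a VaultUri app setting, and either a system-assigned managed identity with a Key Vault access policy (option 1) or the AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET app settings that EnvironmentCredential reads (option 2). The helper name BuildCredential is mine.

```csharp
using System;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Hosting;

// Added example: environment-aware credential selection for the Key Vault
// configuration provider. Assumes App Service settings VaultUri and, for
// option 2, AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET.
public static class Program
{
    public static void Main(string[] args) =>
        Host.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((ctx, configApp) =>
            {
                // Fail fast with a clear message instead of a null Uri exception.
                var vaultUri = Environment.GetEnvironmentVariable("VaultUri")
                    ?? throw new InvalidOperationException("App setting 'VaultUri' is missing.");

                configApp.AddAzureKeyVault(new Uri(vaultUri), BuildCredential(ctx.HostingEnvironment));
            })
            .Build()
            .Run();

    // Hypothetical helper: returns the credential appropriate for the hosting environment.
    public static TokenCredential BuildCredential(IHostEnvironment env)
    {
        if (env.IsDevelopment())
        {
            // Locally, keep the full chain so Visual Studio / Azure CLI sign-in keeps working.
            return new DefaultAzureCredential();
        }

        // Deployed: try only the production mechanisms, in this order.
        //   1. ManagedIdentityCredential  -> option 1 (no secret stored anywhere)
        //   2. EnvironmentCredential      -> option 2 (client secret from App Settings)
        // ChainedTokenCredential moves to the next entry only on
        // CredentialUnavailableException, so a misconfigured identity surfaces
        // at startup as the same exception seen in the question, with a shorter
        // and more useful list of what was tried.
        return new ChainedTokenCredential(
            new ManagedIdentityCredential(),
            new EnvironmentCredential());
    }
}
```

For option 1 the identity must exist before this code can use it: enable it on the App Service (portal Identity blade, or `az webapp identity assign --name <app-name> --resource-group <rg>`), then grant it secret permissions on the vault (`az keyvault set-policy --name <vault-name> --object-id <principal-id> --secret-permissions get list`, with the placeholders replaced by your own values). Prefer option 1 where possible: the message "ManagedIdentityCredential authentication unavailable, no managed identity endpoint found" in the question's log is exactly what the chain reports when this step has not been done, and with a managed identity there is no client secret to rotate or leak.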
