DefaultAzureCredential, AppAuthentication and user defined managed identity
Query/Question
We’re using a user defined managed identity to authenticate different Azure services from our app service. We are using the `AppAuthentication` package to support Active Directory interactive authentication to Azure SQL. After a long time of fiddling, we found out we need to use the `AzureServicesAuthConnectionString` environment variable to let the `AppAuthentication` package know which user defined managed identity to use (we’re still in the dark as to why it is possible to determine multiple user defined managed identities, but that is a query for another day).
Now we used to use the `Microsoft.Azure.KeyVault` package to access the Key Vault, and this package played nice with the `AppAuthentication` package. We got secrets from the Key Vault with code like this:
```csharp
// AzureServiceTokenProvider picks up the identity from AzureServicesAuthConnectionString
var tokenProvider = new AzureServiceTokenProvider();
using (var kvc = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback)))
{
    // parentheses balanced: await the call first, then read .Value from the SecretBundle
    return (await kvc.GetSecretAsync(keyValueUrl, "ASecret")).Value;
}
```
Since this NuGet package is deprecated, we moved to `Azure.Security.KeyVault.Secrets`. However, this new package doesn’t seem to have any integration with the `AppAuthentication` package. Apparently we need to use the `DefaultAzureCredential` class for authentication. The code we currently use is:
```csharp
SecretClientOptions options = new SecretClientOptions()
{
    Retry = {
        Delay = TimeSpan.FromSeconds(2),
        MaxDelay = TimeSpan.FromSeconds(16),
        MaxRetries = 5,
        Mode = RetryMode.Exponential
    }
};
var client = new SecretClient(AzureKeyVaultUrl, new DefaultAzureCredential(), options);
var keyVaultSecret = client.GetSecret(name, version).Value;
return keyVaultSecret.Value;
```
However, this seems to require me to set the `AZURE_CLIENT_ID` environment variable to determine the identity to use. By using this new package, do we really need to store the used identity in both `AzureServicesAuthConnectionString` and `AZURE_CLIENT_ID`? We don’t want to store the same settings in multiple places. Is there a better way to do this?
Environment:
- Name and version of the Library package used: Azure.Security.KeyVault.Secrets 4.0.3, Microsoft.Azure.Services.AppAuthentication 5.0.0
- Hosting platform: Azure AppService
- IDE and version: Visual Studio 16.7 (not relevant)
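One way to keep the user-assigned identity configured in a single place is to read the client id out of the `AzureServicesAuthConnectionString` the app already sets for `AppAuthentication` (for a user-assigned managed identity that string has the documented form `RunAs=App;AppId=<client-id>`) and hand it to `DefaultAzureCredential` through `DefaultAzureCredentialOptions.ManagedIdentityClientId`, instead of duplicating it in `AZURE_CLIENT_ID`. This is an added example, not code from the issue author or from the Azure SDK; the helper and class names are hypothetical, and the vault URL is a placeholder:

```csharp
using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Hypothetical helper class (not part of the Azure SDK) that builds a SecretClient
// whose managed-identity client id comes from AzureServicesAuthConnectionString.
public static class KeyVaultClientFactory
{
    // Parse "RunAs=App;AppId=<client-id>" and return the AppId, or null when the
    // string is absent or carries no AppId (system-assigned identity / local dev).
    public static string? ClientIdFromConnectionString(string? connectionString)
    {
        if (string.IsNullOrWhiteSpace(connectionString))
            return null;

        foreach (var part in connectionString.Split(';', StringSplitOptions.RemoveEmptyEntries))
        {
            var kv = part.Split('=', 2);
            if (kv.Length == 2 && kv[0].Trim().Equals("AppId", StringComparison.OrdinalIgnoreCase))
                return kv[1].Trim();
        }
        return null;
    }

    public static SecretClient Create(Uri vaultUri)
    {
        // Single source of truth: the same variable AppAuthentication already reads.
        var clientId = ClientIdFromConnectionString(
            Environment.GetEnvironmentVariable("AzureServicesAuthConnectionString"));

        var credentialOptions = new DefaultAzureCredentialOptions
        {
            // null leaves the chain on its default behaviour (system-assigned identity,
            // or the developer credentials such as Visual Studio / Azure CLI when local).
            ManagedIdentityClientId = clientId
        };

        // Same retry policy as in the question.
        var clientOptions = new SecretClientOptions
        {
            Retry =
            {
                Delay = TimeSpan.FromSeconds(2),
                MaxDelay = TimeSpan.FromSeconds(16),
                MaxRetries = 5,
                Mode = Azure.Core.RetryMode.Exponential
            }
        };

        return new SecretClient(vaultUri, new DefaultAzureCredential(credentialOptions), clientOptions);
    }
}

// Usage (vault URL is a placeholder):
// var client = KeyVaultClientFactory.Create(new Uri("https://<your-vault-name>.vault.azure.net/"));
// string value = client.GetSecret("ASecret").Value.Value;
```

`ManagedIdentityClientId` only affects the `ManagedIdentityCredential` link of the `DefaultAzureCredential` chain, so outside App Service the other links (Visual Studio, Azure CLI, and so on) still work unchanged; on App Service it selects the user-assigned identity without a second environment variable. If the parsed id is wrong, token acquisition fails with a `CredentialUnavailableException` or an authentication failure from the managed identity endpoint, which is the first thing to check in the app's logs.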
Issue Analytics
- Created 3 years ago
- Reactions: 2
- Comments: 8 (4 by maintainers)
If I’m required to write my own credential to accomplish the same, it would be a significant step back from the old package. I think the better solution would be to make the new `Azure.Security.KeyVault.Secrets` package play nice with `AppAuthentication` to restore compatibility. Even better would be to make setting a user defined managed identity on an app service similar to enabling a system assigned managed identity (without having to set extra environment variables to specify WHICH user defined managed identity to use), but I don’t think this last part is something that can be accomplished in the SDK.
Closing this issue since we are tracking support for SQL auth in #12145