Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Getting "KeyVaultErrorException: Access denied" in Azure web app
See original GitHub issueHi!
I’m successfully retrieving a Key Vault secret in an ASP.NET Core 2 web app when running locally, but when deployed to an Azure web app, I get this:
[Critical] Microsoft.AspNetCore.Hosting.Internal.WebHost: Application startup exception
Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: Access denied
at Microsoft.Azure.KeyVault.KeyVaultClient.<GetSecretsWithHttpMessagesAsync>d__66.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.<GetSecretsAsync>d__49.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.TaskAwaiter`1.GetResult()
at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.<LoadAsync>d__5.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable.ConfiguredTaskAwaiter.GetResult()
at Microsoft.Extensions.Configuration.AzureKeyVault.AzureKeyVaultConfigurationProvider.Load()
at Microsoft.Extensions.Configuration.ConfigurationRoot..ctor(IList`1 providers)
at Microsoft.Extensions.Configuration.ConfigurationBuilder.Build()
at IdentityServer.Startup.ConfigureServices(IServiceCollection services)
In Startup.cs, I’m doing this:
public void ConfigureServices(IServiceCollection services)
{
var keyVaultClient =
new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(new AzureServiceTokenProvider().KeyVaultTokenCallback));
var configuration = new ConfigurationBuilder()
.AddEnvironmentVariables()
.AddUserSecrets<Startup>()
.AddAzureKeyVault("https://[redacted].vault.azure.net/", keyVaultClient, new DefaultKeyVaultSecretManager())
.Build();
...
I have more or less followed this: https://jeremylindsayni.wordpress.com/2018/03/19/simplifying-azure-key-vault-and-net-core-web-app-includes-nuget-package/
To be precise, I have enabled “Managed service identity”, and I have added a Key Vault access policy with the name of the app under “Select principal” as well as “Authorized application”. I have selected all secret permissions. I have tried restarting the web app.
I have not run any PowerShell command. Do I still have to?
This is with Microsoft.Azure.Services.AppAuthentication v1.1.0-preview.
Issue Analytics
- State:
- Created 5 years ago
- Comments:13 (3 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
I think I found the problem: When adding the access policy, there’s a field for “Select principal” and another for “Authorized application”. In both cases the app name can be selected, but the trick is to leave the second one blank!
This could certainly be improved with some extra guidance, and a more helpful error message.
Phew, I’ve just spent two hours of my customer’s time with figuring this one out. We certainly do need a quick fix here! Many thank @torhovland for reporting this, you’ve made my day. 😃