Programmatically SetSecrets to Key Vault in C# using DefaultAzureCredential()

0

Can someone please help me with the following error:

Azure.RequestFailedException
  HResult=0x80131500
  Message=Service request failed.
Status: 401 (Unauthorized)    
Content:
{"error":{"code":"Unauthorized","message":"AKV10032: Invalid issuer. Expected one of https://sts.windows.net/db8e2ba9-95c1-4fbb-b558-6bf8bb1d2981/, https://sts.windows.net/f8cdef31-a31e-4b4a-93e4-5f571e91255a/, https://sts.windows.net/e2d54eb5-3869-4f70-8578-dee5fc7331f4/, found https://sts.windows.net/6e51e1ad-c54b-4b39-b598-0ffe9ae68fef/."}}

This is my code:

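using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

protected string CreateVendorApiServerSecret(string name, string secret)
{
    // DefaultAzureCredential tries each available credential source in turn
    var client = new SecretClient(new Uri(KeyvaultUri), new DefaultAzureCredential());
    // Wrap the name/value pair for upload
    var kvSecret = new KeyVaultSecret(name, secret);
    client.SetSecret(kvSecret, default); //I get the error here
    KeyVaultSecret getSecret = client.GetSecret(name);
    string identifier = getSecret.Id.ToString();
    return identifier;
}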

If I give TenantId in the config files, it gives the following error:

Message=DefaultAzureCredential failed to retrieve a token from the included credentials.
EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
ManagedIdentityCredential authentication unavailable, no managed identity endpoint found.
SharedTokenCacheCredential authentication unavailable.
azure-keyvault
asked on Stack Overflow Oct 22, 2020 by fifi • edited Oct 23, 2020 by Allen Wu

1 Answer

0

Please learn details about DefaultAzureCredential.

Environment - The DefaultAzureCredential will read account information specified via environment variables and use it to authenticate.

Managed Identity - If the application is deployed to an Azure host with Managed Identity enabled, the DefaultAzureCredential will authenticate with that account.

Visual Studio - If the developer has authenticated via Visual Studio, the DefaultAzureCredential will authenticate with that account.

Visual Studio Code - If the developer has authenticated via the Visual Studio Code Azure Account plugin, the DefaultAzureCredential will authenticate with that account.

Azure CLI - If the developer has authenticated an account via the Azure CLI az login command, the DefaultAzureCredential will authenticate with that account.

Interactive - If enabled the DefaultAzureCredential will interactively authenticate the developer via the current system's default browser.

I'm not sure which mechanism you are using to authenticate.

The easiest way is to sign in to Visual Studio with your Azure account. Then the DefaultAzureCredential will authenticate with that account.

No matter which mechanism you are using, make sure that the account has access to the key vault into which you are trying to set the secret.

In your case, the reason should be that you are using an account which may probably be from another tenant. Please check.

There is an official sample here.

Use Visual Studio to open the project and then sign in to VS with your Azure account. Make sure this account has access to your Azure Key Vault.

Replace string keyVaultName = Environment.GetEnvironmentVariable("KEY_VAULT_NAME"); with string keyVaultName = "{your own key vault name}"; {your own key vault name} should be an existing key vault which you have created.

answered on Stack Overflow Oct 23, 2020 by Allen Wu
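
A diagnostic for the AKV10032 tenant mismatch discussed above, as an added example that is not part of the original question or answer: it reads the unverified iss claim of an access token and compares it with the tenants the vault accepts. The class and method names are hypothetical, the sample token is constructed from the tenant IDs in the error message, and the PinnedTo helper assumes the Azure.Identity options VisualStudioTenantId and SharedTokenCacheTenantId.

```csharp
using System;
using System.Linq;
using System.Text;
using System.Text.Json;
using Azure.Core;
using Azure.Identity;

static class IssuerCheck
{
    // Read the "iss" claim from a JWT without verifying it (diagnostics only; Key Vault does the validation).
    public static string GetIssuer(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(payload));
        return doc.RootElement.GetProperty("iss").GetString();
    }

    // True when the token's issuer belongs to one of the tenants the vault accepts.
    public static bool IssuerAccepted(string jwt, params string[] vaultTenantIds) =>
        vaultTenantIds.Any(t => GetIssuer(jwt) == $"https://sts.windows.net/{t}/");

    // Live check: request a Key Vault token from the credential and report who issued it.
    public static string IssuerOf(TokenCredential credential) =>
        GetIssuer(credential.GetToken(
            new TokenRequestContext(new[] { "https://vault.azure.net/.default" }), default).Token);

    // Assumption: pin the developer-tool credentials in the chain to the vault's tenant.
    public static DefaultAzureCredential PinnedTo(string tenantId) =>
        new DefaultAzureCredential(new DefaultAzureCredentialOptions
            { VisualStudioTenantId = tenantId, SharedTokenCacheTenantId = tenantId });

    static void Main()
    {
        // Constructed, unsigned sample token carrying the "found" issuer from the error message.
        string Seg(string json) => Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string jwt = Seg("{\"alg\":\"none\"}") + "." +
            Seg("{\"iss\":\"https://sts.windows.net/6e51e1ad-c54b-4b39-b598-0ffe9ae68fef/\"}") + ".";

        // One of the tenants listed as expected in the AKV10032 response.
        string vaultTenant = "db8e2ba9-95c1-4fbb-b558-6bf8bb1d2981";
        Console.WriteLine($"issuer: {GetIssuer(jwt)} accepted: {IssuerAccepted(jwt, vaultTenant)}");
    }
}
```

Calling IssuerOf(new DefaultAzureCredential()) on the affected machine shows which tenant the credential chain actually signed in with; only the issuer is printed, never the token itself.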

User contributions licensed under CC BY-SA 3.0