Use Azure Vault Secret from onpremise Web Application

名媛妹妹 2021-01-22 15:56

I would like to use an Azure Vault Secret from an On Premise Web Application.

I created a Key Vault with a Secret, but in Access Policies I should specify an Authorized Applic

1 Answer
  •  囚心锁ツ
    2021-01-22 16:34

    Well, something will need to authenticate to access the secret. Either the current user, or you can use a service principal.

    Since we are talking about an MVC app, the service principal is probably easier. You will need to register a new app in Azure Active Directory via the Azure Portal. Find Azure AD, and register a new app via App registrations.

    The name and URLs don't really matter, but it needs to be of type Web app/API. The sign-on URL can be https://localhost for example. Then add a key in the Keys blade to the app (click Settings after the app is created, then Keys). Copy the client id (application id) and the key somewhere.

    Now you can go to your Key Vault, and create a new access policy, and choose the app you created as the principal. Give it the rights you want, like Secrets -> Get. Then you can save the policy.

    In your app, you can then use the Key Vault library + ADAL like so:

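    // NuGet packages: Microsoft.Azure.KeyVault and Microsoft.IdentityModel.Clients.ActiveDirectory (ADAL)
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.KeyVault.Models;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // Run inside an async method. The callback is invoked when the client needs an access token.
    var kvClient = new KeyVaultClient(async (authority, resource, scope) =>
    {
        var context = new AuthenticationContext(authority);
        // Client id (application id) and key copied from the app registration
        var credential = new ClientCredential("client-id-here", "key-here");
        AuthenticationResult result = await context.AcquireTokenAsync(resource, credential);
        return result.AccessToken;
    });

    // Needs Secrets -> Get in the vault's access policy for the registered app
    SecretBundle secret = await kvClient.GetSecretAsync("https://yourvault.vault.azure.net/", "secret-name");
    string secretValue = secret.Value;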

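A variant of the answer's snippet, added here as an example and not part of the original answer: it keeps the client id, key and vault URL out of source code and checks the authority handed to the token callback before the key is sent to it. The class name `VaultSecrets`, the environment variable names `KV_CLIENT_ID`, `KV_CLIENT_KEY` and `KV_VAULT_URL`, and the list of accepted login hosts (public Azure cloud) are assumptions.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class VaultSecrets
{
    // Hypothetical setting names; set them on the server, outside the repository.
    private static readonly string ClientId = Require("KV_CLIENT_ID");
    private static readonly string ClientKey = Require("KV_CLIENT_KEY");
    private static readonly string VaultUrl = Require("KV_VAULT_URL");

    // Login hosts this app accepts (assumption: public Azure cloud).
    private static readonly string[] LoginHosts =
        { "login.windows.net", "login.microsoftonline.com" };

    // One client shared by the whole application.
    private static readonly KeyVaultClient Client =
        new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(GetTokenAsync));

    private static string Require(string name)
    {
        string value = Environment.GetEnvironmentVariable(name);
        if (string.IsNullOrWhiteSpace(value))
            throw new InvalidOperationException("Missing setting: " + name);
        return value;
    }

    private static async Task<string> GetTokenAsync(string authority, string resource, string scope)
    {
        // The authority is supplied to the callback; check it before sending the key.
        var uri = new Uri(authority);
        if (uri.Scheme != Uri.UriSchemeHttps || Array.IndexOf(LoginHosts, uri.Host) < 0)
            throw new InvalidOperationException("Unexpected authority: " + authority);

        var context = new AuthenticationContext(authority);
        AuthenticationResult result =
            await context.AcquireTokenAsync(resource, new ClientCredential(ClientId, ClientKey));
        return result.AccessToken;
    }

    public static async Task<string> GetAsync(string secretName)
    {
        // Requires Secrets -> Get in the vault's access policy for this app.
        SecretBundle secret = await Client.GetSecretAsync(VaultUrl, secretName);
        return secret.Value;
    }
}
```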