Exception while connecting to KeyVault from Azure VM

Posted by 狂风中的少年 on 2021-01-29 07:58:53

Question


I am running my application from an Azure VM and trying to connect to Key Vault, but I am getting the exception below:

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. Exception for Visual Studio token provider Microsoft.Asal.TokenService.exe : TS003: Error, TS001: This account 'username' needs re-authentication. Please go to Tools->Azure Services Authentication, and re-authenticate the account you want to use.

Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: https://login.windows.net/1e465dc8-5f36-4ab9-9a49-57cbfdcfdf9a. Exception Message: Tried to get token using Azure CLI. Access token could not be acquired. 'az' is not recognized as an internal or external command, operable program or batch file.

I have checked the prerequisites, such as:

1. Created the Key Vault in the same resource group as the VM and added 2 secrets.
2. Checked that the VM is registered in Active Directory and that it has a system-assigned identity.
3. Added an access policy allowing the VM to get and list secrets.

Here is the code. What am I missing?

using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.DependencyInjection;

public void ConfigureServices(IServiceCollection services)
{
    services.AddMvc().SetCompatibilityVersion(CompatibilityVersion.Version_2_1);

    // AzureServiceTokenProvider tries MSI, then Visual Studio, then Azure CLI (the three methods in the exception).
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
    // Secret identifier is https://<vault>.vault.azure.net/secrets/<name>; .Result blocks the calling thread.
    var secret = keyVaultClient.GetSecretAsync("https://vaultname.vault.azure.net/Secrets/connString").Result.Value;
}

Answer 1:


The errors indicate an authentication issue, so there are two things to validate, in order:

  • Confirm the VM can query the Azure Metadata service:
Invoke-RestMethod -Headers @{"Metadata"="true"} -URI "http://169.254.169.254/metadata/instance/compute/vmId?api-version=2017-08-01&format=text" -Method get


If the above query is successful, then check the Identity API on the metadata service; if it fails, there is a communication issue between the VM and the Azure environment.

  • Confirm the VM can query the Identity API of the Azure Metadata service:
Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F' -Headers @{Metadata="true"}


If the above query is successful, then there is nothing wrong with MSI.
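An added diagnostic (not code from the question or the answers) that automates the two checks above in Python and then inspects the token that comes back: the vmId query, the identity token query for the Key Vault resource named in the exception, and a decode of the token's aud and oid claims so the principal named in the access policy can be confirmed. The HTTP call is injectable via fetch(), and the constructed responses at the bottom let it run offline; the IMDS URLs and the Metadata header are those used in the answer, while the reading of an HTTP 400 as "no managed identity assigned" is an assumption based on IMDS's documented "Identity not found" error.

```python
import base64, json, time, urllib.error, urllib.parse, urllib.request

IMDS = "http://169.254.169.254/metadata"          # Azure Instance Metadata Service, link-local only
VAULT_RESOURCE = "https://vault.azure.net"         # the Resource shown in the exception text

def imds_get(url):
    """Real fetcher: IMDS requires the 'Metadata: true' header and must not be reached via a proxy."""
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))   # ignore proxy env vars
    try:
        with opener.open(req, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()
    except (urllib.error.URLError, OSError):
        return None, ""   # no route: this is the "Unable to connect to the MSI endpoint" case

def jwt_claims(token):
    """Decode the JWT payload for inspection only; the signature is NOT verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def diagnose_msi(resource=VAULT_RESOURCE, fetch=imds_get):
    """Return (verdict, detail), checking in the same order as the answer above."""
    status, body = fetch(f"{IMDS}/instance/compute/vmId?api-version=2017-08-01&format=text")
    if status != 200:
        return "no-imds", "cannot reach IMDS: not an Azure VM, proxy in the path, or host firewall"
    query = urllib.parse.urlencode({"api-version": "2018-02-01", "resource": resource})
    status, body = fetch(f"{IMDS}/identity/oauth2/token?{query}")
    if status == 400:   # assumption: IMDS answers 400 ('Identity not found') with no managed identity
        return "no-identity", "IMDS reachable but the VM has no managed identity enabled"
    if status != 200:
        return "token-error", f"identity endpoint returned HTTP {status}: {body[:100]}"
    claims = jwt_claims(json.loads(body)["access_token"])
    if claims.get("aud") != resource:
        return "wrong-audience", f"token audience {claims.get('aud')!r} is not {resource!r}"
    if claims.get("exp", 0) <= time.time():
        return "expired", "token already expired: check the VM clock"
    return "ok", f"MSI works; the Key Vault access policy must grant principal oid {claims.get('oid')}"

# Constructed offline responses: IMDS reachable, system-assigned identity present, token for Key Vault.
_payload = json.dumps({"aud": VAULT_RESOURCE, "exp": int(time.time()) + 3600,
                       "oid": "00000000-0000-0000-0000-000000000001"}).encode()
FAKE_TOKEN = "e30." + base64.urlsafe_b64encode(_payload).rstrip(b"=").decode() + ".sig"
def fake_fetch(url):
    """Stand-in for imds_get using the constructed responses above."""
    return (200, "constructed-vm-id") if "/instance/" in url else (200, json.dumps({"access_token": FAKE_TOKEN}))
if __name__ == "__main__":
    print(diagnose_msi())   # run on the VM itself to exercise the real endpoint
```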




Answer 2:


The problem was with the NuGet version of Microsoft.Azure.Services.AppAuthentication. Version 1.0.3 solves this.



Source: https://stackoverflow.com/questions/57678993/exception-while-connecting-to-keyvault-from-azure-vm
