
VM: Unable to Add Azure Key Vault Through AzureServiceTokenProvider: No Connection string #5275

Closed
sirlukecoop opened this issue Feb 22, 2019 · 3 comments
Labels
Mgmt This issue is related to a management-plane library. needs-author-feedback Workflow: More information is needed from author to address the issue. no-recent-activity There has been no recent activity on this issue.

Comments


sirlukecoop commented Feb 22, 2019

I tried to connect to an Azure Key Vault via a Virtual Machine with the AzureServiceTokenProvider pattern, but failed (see 1 below). The VM was set up for MSI. As I stepped through the code, I noticed that it checks the environment variables for some MSI related configuration but my VM had neither of the variables. Since I added the Identity after I created the VM, I thought maybe if I set up a new VM with Identity set from the get-go everything would be good. I was wrong.
Error: Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException: Parameters: Connectionstring: [No connection string specified]

So, I followed the steps in link 2 (which I should have used in the first place). Essentially, these instructions make calls through the REST API. It mostly works, though it is not as syntactically sugary.

  1. https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-create-vault-azure-web-app#open-and-edit-the-solution
  2. https://docs.microsoft.com/en-us/azure/key-vault/tutorial-net-windows-virtual-machine

What's strange is that the backup behavior of attempt 1 is to contact the IMDS instance (169.254.169.254/metadata/identity/oauth2/token) that attempt 2 explicitly calls. I'm out of time to understand what the missing link is.

However, if anyone has the same problem, I'd be glad to submit a PR with my solution. All I did was mix 1 and 2. Or if someone could show me how I'm over complicating things, that'd be even better.

Solution:

using System;
using System.IO;
using System.Net;
using System.Text;
using Microsoft.Azure.KeyVault;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;
using Newtonsoft.Json.Linq;

// Vault URL comes from the environment; `builder` is the IConfigurationBuilder
// from the host setup. The client fetches its token straight from IMDS.
var keyVaultEndpoint = Environment.GetEnvironmentVariable("KEYVAULT_ENDPOINT");
if (!string.IsNullOrEmpty(keyVaultEndpoint))
{
    // KeyVaultClient takes an AuthenticationCallback(authority, resource, scope);
    // the resource argument is ignored here and the Key Vault audience is hard-coded.
    var keyVaultClient = new KeyVaultClient(async (a, r, s) =>
    {
        var uri = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net";
        var request = WebRequest.Create(uri);
        request.Headers.Add("Metadata", "true"); // IMDS rejects requests without this header
        using (var response = await request.GetResponseAsync())
        {
            return ParseWebResponse(response, "access_token");
        }
    });

    builder.AddAzureKeyVault(keyVaultEndpoint, keyVaultClient, new DefaultKeyVaultSecretManager());
}

// Pulls one string property (e.g. "access_token") out of the IMDS JSON response.
private static string ParseWebResponse(WebResponse response, string tokenName)
{
    using (var stream = response.GetResponseStream())
    using (var reader = new StreamReader(stream, Encoding.UTF8))
    {
        var responseString = reader.ReadToEnd();
        var joResponse = JObject.Parse(responseString);
        return joResponse[tokenName].Value<string>();
    }
}
@triage-new-issues triage-new-issues bot added the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Feb 22, 2019
@kurtzeborn kurtzeborn added the Mgmt This issue is related to a management-plane library. label Mar 11, 2019
@triage-new-issues triage-new-issues bot removed the needs-triage Workflow: This is a new issue that needs to be triaged to the appropriate team. label Mar 11, 2019
@kurtzeborn
Member

Thank you for opening this issue! We are routing it to the appropriate team for follow up.

Contributor

nonik0 commented Jul 16, 2019

@sirlukecoop Is that the full error you were seeing from the AzureServiceTokenProvider? There should also be a message after the connection string.

To briefly explain the behavior you were seeing: the AzureServiceTokenProvider in the AppAuth library (MsiAccessTokenProvider specifically) tries to determine whether it is running in an MSI-enabled environment. It needs to do this for both App Service environments, by checking for the MSI_ENDPOINT and MSI_SECRET environment variables, and Azure VM environments (with a quick timeout "probe" request to the IMDS endpoint). If it determines it is in neither of these environments, then AppAuth will fall back to the next authentication method (this is its core design).

So back to your issue, could you please double-check you are not getting any more error info from AzureServiceTokenProvider?
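The detection order nonik0 describes, written out as a stand-alone diagnostic you can run on the host to see which branch applies. This is an added example, not code from the AppAuth library; the IMDS URL, api-version and resource are the ones from the original post, the 2-second probe timeout is an assumption.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;

static class MsiEnvironmentProbe
{
    // IMDS token endpoint as used in the original post (Key Vault audience).
    const string ImdsTokenUrl =
        "http://169.254.169.254/metadata/identity/oauth2/token" +
        "?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net";

    public static async Task<string> DetectAsync()
    {
        // 1. App Service / Functions: the platform injects both variables.
        var msiEndpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT");
        var msiSecret = Environment.GetEnvironmentVariable("MSI_SECRET");
        if (!string.IsNullOrEmpty(msiEndpoint) && !string.IsNullOrEmpty(msiSecret))
            return $"App Service MSI (endpoint {msiEndpoint})";

        // 2. Azure VM: short-timeout probe of IMDS. The Metadata header is
        //    mandatory; IMDS refuses requests that lack it. Timeout is assumed.
        using (var http = new HttpClient { Timeout = TimeSpan.FromSeconds(2) })
        {
            var request = new HttpRequestMessage(HttpMethod.Get, ImdsTokenUrl);
            request.Headers.Add("Metadata", "true");
            try
            {
                using (var response = await http.SendAsync(request))
                {
                    if (response.IsSuccessStatusCode)
                        return "Azure VM MSI via IMDS (token issued)";
                    // IMDS answered but refused: typically no identity assigned
                    // to the VM, or a resource it cannot issue for. The body says which.
                    var body = await response.Content.ReadAsStringAsync();
                    return $"IMDS reachable, token refused: {(int)response.StatusCode} {body}";
                }
            }
            catch (Exception ex) when (ex is HttpRequestException || ex is TaskCanceledException)
            {
                // 3. Neither environment: this is the point where AppAuth
                //    moves on to its next authentication method.
                return $"No MSI environment detected ({ex.GetType().Name}); AppAuth would fall back";
            }
        }
    }

    static async Task Main() => Console.WriteLine(await DetectAsync());
}
```

Run it on the VM that fails: a "token refused" result with an identity-related body points at the identity assignment rather than the library, while a timeout means the probe never reached IMDS.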

@AlexGhiondea AlexGhiondea added the needs-author-feedback Workflow: More information is needed from author to address the issue. label Jul 30, 2019
@ghost ghost added the no-recent-activity There has been no recent activity on this issue. label Mar 30, 2020

ghost commented Mar 30, 2020

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

@ghost ghost closed this as completed Apr 14, 2020
@github-actions github-actions bot locked and limited conversation to collaborators Mar 29, 2023
This issue was closed.