Connect to azure key vault from an ASP.NET core app using azure managed identity

Published November 23, 2019 in ASP.NET core , Azure , Azure Active Directory , security - 0 Comments

Of the three different ways to access an Azure Key Vault from an ASP.NET Core application, if your app runs on an Azure resource, the best option is an Azure managed identity: it is the simplest to configure and the most secure, because the app never holds a client secret or certificate that could leak or expire. In this post, I go over how I configure the application and Azure sides to use a managed identity when accessing the key vault.

From the application side

The ASP.NET Core application authenticates to Azure AD to obtain an access token for the key vault. With a managed identity, we don't have to provide the app's credentials at all, only the URL of the key vault. For example, I have the following in the appsettings.json file for one of my applications that runs on an Azure VM.

{
    "KeyVault": {
        "URL": "https://myvaultname.vault.usgovcloudapi.net/"
    }
}

The URL is all I need. From the documentation (Use managed identities for Azure resources):

    The app is deployed to Azure, and Azure authenticates the app to access Azure Key Vault only using the vault name stored in the appsettings.json file.

In the Startup file, I use the Microsoft.Azure.Services.AppAuthentication library to handle the authentication. The snippet below runs inside the configuration setup: builder is the IConfigurationBuilder and keyVaultOptions.URL is the value bound from the KeyVault:URL setting above.

using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration.AzureKeyVault;

// use managed identity: no connection string, so the provider picks the token source itself
var azureServiceTokenProvider = new AzureServiceTokenProvider();
// Key Vault challenges the client; KeyVaultTokenCallback answers with a token for that vault
var keyVaultClient = new KeyVaultClient(
    new KeyVaultClient.AuthenticationCallback(
        azureServiceTokenProvider.KeyVaultTokenCallback));
// load every secret in the vault into configuration (secret name becomes the key)
builder.AddAzureKeyVault(keyVaultOptions.URL, keyVaultClient, new DefaultKeyVaultSecretManager());

The AzureServiceTokenProvider constructor optionally accepts a connection string. When no connection string is given, as in the snippet above, the library tries several methods in turn (managed identity, Visual Studio, Azure CLI, Integrated Windows Authentication) to obtain an access token; the connection string can also be supplied through the AzureServicesAuthConnectionString environment variable. The second parameter, azureAdInstance, selects the Azure AD endpoint for clouds other than the public cloud. The metadata for the constructor reads:

//
// Summary:
//     Creates an instance of the AzureServiceTokenProvider class. If no connection
//     string is specified, Managed Service Identity, Visual Studio, Azure CLI, and
//     Integrated Windows Authentication are tried to get a token. Even If no connection
//     string is specified in code, one can be specified in the AzureServicesAuthConnectionString
//     environment variable.
//
// Parameters:
//   connectionString:
//     Connection string to specify which option to use to get the token.
//
//   azureAdInstance:
//     Specify a value for clouds other than the Public Cloud.
public AzureServiceTokenProvider(string connectionString = null, string azureAdInstance = "https://login.microsoftonline.com/");
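As an added example (not code from the original post), here is a complete Program.cs that wires the Key Vault configuration provider as described above, with two hardening choices a practitioner would want: outside the Development environment the connection string is pinned to "RunAs=App;" so that only the managed identity path can ever issue a token (the Visual Studio, Azure CLI and Integrated Windows Authentication fallbacks are never consulted in production), and a prefix-based IKeyVaultSecretManager loads only the secrets meant for this app. The configuration key KeyVault:URL comes from the post; the "myapp" prefix, the PrefixKeyVaultSecretManager name and the Azure Government Azure AD instance URL are assumptions for illustration.

```csharp
// Added example, not from the original post. Assumes ASP.NET Core 2.x with the
// Microsoft.Azure.KeyVault, Microsoft.Azure.Services.AppAuthentication and
// Microsoft.Extensions.Configuration.AzureKeyVault packages referenced.
using System;
using Microsoft.AspNetCore;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.Configuration.AzureKeyVault;

public class Program
{
    public static void Main(string[] args) => CreateWebHostBuilder(args).Build().Run();

    public static IWebHostBuilder CreateWebHostBuilder(string[] args) =>
        WebHost.CreateDefaultBuilder(args)
            .ConfigureAppConfiguration((context, builder) =>
            {
                // Configuration assembled so far (appsettings.json, environment variables, ...).
                var settings = builder.Build();
                var vaultUrl = settings["KeyVault:URL"];
                if (string.IsNullOrEmpty(vaultUrl) ||
                    !vaultUrl.StartsWith("https://", StringComparison.OrdinalIgnoreCase))
                {
                    throw new InvalidOperationException("KeyVault:URL must be an https vault URL.");
                }

                // Outside Development, allow only the managed identity ("RunAs=App;").
                // In Development, pass null so the library may fall back to the developer
                // tools, or to whatever AzureServicesAuthConnectionString specifies.
                string connectionString = context.HostingEnvironment.IsDevelopment() ? null : "RunAs=App;";

                // The post's vault is in Azure Government. The Azure AD instance for that
                // cloud is an assumption here; it only affects the non-managed-identity paths.
                var tokenProvider = new AzureServiceTokenProvider(connectionString, "https://login.microsoftonline.us/");
                var keyVaultClient = new KeyVaultClient(
                    new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

                // Load only secrets named "myapp-..." (assumed prefix) instead of the whole vault.
                builder.AddAzureKeyVault(vaultUrl, keyVaultClient, new PrefixKeyVaultSecretManager("myapp"));
            })
            .UseStartup<Startup>();
}

// Hypothetical helper: loads only secrets whose name starts with "<prefix>-", strips the
// prefix, and maps "--" to the configuration section delimiter ("ConnectionStrings--Db"
// becomes "ConnectionStrings:Db"). Secrets belonging to other apps in a shared vault are
// never pulled into this process's configuration.
public class PrefixKeyVaultSecretManager : IKeyVaultSecretManager
{
    private readonly string _prefix;

    public PrefixKeyVaultSecretManager(string prefix) => _prefix = prefix + "-";

    public bool Load(SecretItem secret) =>
        secret.Identifier.Name.StartsWith(_prefix, StringComparison.Ordinal);

    public string GetKey(SecretBundle secret) =>
        secret.SecretIdentifier.Name.Substring(_prefix.Length).Replace("--", ConfigurationPath.KeyDelimiter);
}
```

Pinning the connection string in production is the important part: with the parameterless constructor, a misconfigured VM whose identity is off would silently try the developer fallbacks, and a leftover Azure CLI login on the box would then be used to read the vault under a human's identity rather than the VM's.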

From azure

On Azure, I just need to do two steps to use a managed identity:

  1. Enable an identity for the resource (Azure VM or App Service) on which the app runs.
  2. Grant that resource's identity (not the app itself) access to the key vault.

Note that the identity belongs to the resource, not to the application: on a VM, any process that can reach the instance metadata endpoint can obtain the same token, so whatever the vault grants to the VM is reachable by everything running on that VM, not only this app.

It's straightforward to turn on an identity for the resource. In the Azure portal, navigate to your resource's configuration pages and go to Identity under Settings. You can use either a system assigned identity or create your own (user assigned) identity and assign it to the resource. Using a user assigned identity is out of scope for this post; if you want to learn more, I have found this post to be helpful. For me, I use a system assigned identity: I simply enable it for the Azure VM on which my app runs by setting the Status to On.

Enable managed identity for an azure resource

In the key vault, I just need to grant access to the Azure VM via Access policies; I can search for the VM by its identity. Grant only what the app needs. For just reading secrets, both List and Get are necessary under Secret permissions, because the configuration provider first lists the secrets in the vault and then gets each one individually; nothing is needed under Key or Certificate permissions, and none of the management permissions (Set, Delete, Purge) should be granted to a runtime identity. Because an access policy applies to the whole vault, every secret in it becomes readable by the VM's identity, so secrets for other workloads belong in a separate vault.

Grant key vault access to an azure VM which has an assigned identity
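After the two steps above, the check I would run on the VM itself is a small probe that exercises exactly the two permissions granted (List, then Get) using only the managed identity, and distinguishes "no token at all" (identity not enabled, or the metadata endpoint unreachable) from "token issued but access policy incomplete" (a 403 from Key Vault). This is an added example, not code from the original post; it assumes the same vault URL as the post's appsettings.json and the same Microsoft.Azure.KeyVault and Microsoft.Azure.Services.AppAuthentication packages.

```csharp
// Added example, not from the original post. Run as a console app on the VM after
// enabling the identity and setting the access policy.
using System;
using System.Net;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;

public static class VaultAccessProbe
{
    public static async Task<int> Main(string[] args)
    {
        // Assumption: the vault URL from the post's appsettings.json, overridable on the command line.
        var vaultUrl = args.Length > 0 ? args[0] : "https://myvaultname.vault.usgovcloudapi.net/";

        // "RunAs=App;" restricts the provider to the managed identity, so a success here
        // proves the VM's identity (not a developer login cached on the box) holds the permissions.
        var tokenProvider = new AzureServiceTokenProvider("RunAs=App;");
        var client = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));

        try
        {
            // Step 1: List. This is what the configuration provider does first; without the
            // List permission it fails here even though Get may be granted.
            var page = await client.GetSecretsAsync(vaultUrl);
            Console.WriteLine("List OK");

            foreach (var item in page)
            {
                // Step 2: Get each secret. Print names and versions only; never log the values.
                var bundle = await client.GetSecretAsync(vaultUrl, item.Identifier.Name);
                Console.WriteLine($"Get OK: {item.Identifier.Name} (version {bundle.SecretIdentifier.Version})");
            }
            return 0;
        }
        catch (KeyVaultErrorException ex) when (ex.Response?.StatusCode == HttpStatusCode.Forbidden)
        {
            // A token was issued (the identity works) but the access policy lacks List or Get.
            Console.Error.WriteLine($"Forbidden by access policy: {ex.Body?.Error?.Message}");
            return 2;
        }
        catch (AzureServiceTokenProviderException ex)
        {
            // No token: the identity is not enabled on this resource, or the metadata endpoint
            // could not be reached from this process.
            Console.Error.WriteLine($"No token from managed identity: {ex.Message}");
            return 3;
        }
    }
}
```

Running this from a plain shell on the VM, under an account other than the one the web app runs as, also makes the earlier point concrete: the probe succeeds for any local process, because the access policy is attached to the VM's identity rather than to the application.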

References

What is managed identities for Azure resources?

Use managed identities for azure resources

Microsoft.Azure.Services.AppAuthentication nuget

Using User Assigned Managed Identity to Access Azure Key Vault from Azure App Service
