
Azure Keyvault Managed Identity C#

The .NET 6 example below shows how to read secrets from a Key Vault using a Managed Identity, so that the application authenticates to the vault without any stored credential. Before running it, make sure the identity is actually allowed to read secrets: either a "Get" secret permission in the vault's access policy, or the "Key Vault Secrets User" role if the vault uses Azure RBAC. Without that grant the call fails with a 403 even though the token is valid.

Two NuGet packages are required:

https://www.nuget.org/packages/Azure.Identity

https://www.nuget.org/packages/Azure.Security.KeyVault.Secrets

Code:

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

// Client ID of a user-assigned managed identity. For a system-assigned identity
// use the parameterless constructor: new ManagedIdentityCredential()
const string managedIdentityIdentifier = "Id";
const string secretName = "secretName";
// Vault URI, e.g. https://<vault-name>.vault.azure.net/
const string keyVaultUrl = "Url";

// ManagedIdentityCredential talks to the host's identity endpoint, so this only
// works on an Azure resource (App Service, VM, AKS...) with a managed identity.
// For local development swap in DefaultAzureCredential, which falls back to
// developer credentials when no managed identity endpoint is present.
var client = new SecretClient(vaultUri: new Uri(keyVaultUrl), credential: new ManagedIdentityCredential(managedIdentityIdentifier));

// GetSecret returns Response<KeyVaultSecret>: .Value is the KeyVaultSecret,
// and .Value.Value is the secret string itself.
var secret = client.GetSecret(secretName);

// Demo only: never write secret values to console or logs in a real application.
Console.WriteLine("retrieving secret value using managed identity: " + secret.Value.Value);

Connect Azure Web app container to Keyvault using Managed identity

Following the article in which I described how to connect to Azure resources through Managed Identity, this post shows how a container running on an App Service (web app) can connect to a Key Vault and read secrets from it.

The two main components required for this demo are an App Service and a Key Vault.

First, the vault needs a secret for the hosted application to read. The secret named dbpassword is the one that will be retrieved and used from the web app running in the container.

As examined in the article mentioned above, the first step is to build the token request URL and call the App Service managed identity endpoint to obtain an access_token for the Key Vault resource (https://vault.azure.net). The endpoint address and the value of the Secret header come from the MSI_ENDPOINT and MSI_SECRET environment variables that App Service injects into the container:

# Build the URL with a subexpression so the "?resource=" part is not read as part of the variable name,
# and parse the JSON body of the response rather than the whole response object.
$kati = (Invoke-WebRequest -Uri "$($env:MSI_ENDPOINT)?resource=https://vault.azure.net&api-version=2017-09-01" -Headers @{Secret=$env:MSI_SECRET} -UseBasicParsing).Content | ConvertFrom-Json

Store the access_token in a separate variable (as it is sometimes not parsed correctly by PowerShell when used inline):

$metavliti = $kati.access_token

and perform an API call on your Key Vault, passing the token we retrieved as the Bearer value of the Authorization header:

Invoke-WebRequest -Uri "https://spfykey.vault.azure.net/secrets/dbpassword/4f371b23cf244717a585e12af9846dec?api-version=7.3" -Headers @{Authorization = "Bearer $metavliti"} -UseBasicParsing

As a result we successfully retrieved the value of the secret, which in this demo is 123456, by performing a REST API call from the web app using the Managed Identity of the App Service. Two things are worth noting. The version segment at the end of the secret URL is optional; omitting it returns the current version of the secret. And both MSI_SECRET and the access_token are bearer credentials: anything that can read the container's environment or execute code inside the app can obtain the same secrets, which is why the identity should be granted only the permissions it needs on the vault.
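The two steps above combined into one script, added here as an example and not part of the original post. It uses the vault name spfykey and the secret dbpassword from the post as placeholders, assumes the app's managed identity has been granted read access to secrets, and also handles the newer IDENTITY_ENDPOINT/IDENTITY_HEADER environment variables that App Service sets alongside the older MSI_ENDPOINT/MSI_SECRET pair.

```powershell
# Added example (not from the original post). Runs inside the App Service container.
# Placeholders taken from the post; replace with your own vault and secret names.
$vaultName  = "spfykey"
$secretName = "dbpassword"

# App Service exposes the token endpoint through environment variables. Newer
# platform versions set IDENTITY_ENDPOINT/IDENTITY_HEADER (api-version 2019-08-01,
# header X-IDENTITY-HEADER); the older MSI_ENDPOINT/MSI_SECRET pair (api-version
# 2017-09-01, header Secret) is still honoured, so handle both.
if ($env:IDENTITY_ENDPOINT) {
    $tokenUri = "$($env:IDENTITY_ENDPOINT)?resource=https://vault.azure.net&api-version=2019-08-01"
    $headers  = @{ 'X-IDENTITY-HEADER' = $env:IDENTITY_HEADER }
}
elseif ($env:MSI_ENDPOINT) {
    $tokenUri = "$($env:MSI_ENDPOINT)?resource=https://vault.azure.net&api-version=2017-09-01"
    $headers  = @{ Secret = $env:MSI_SECRET }
}
else {
    throw "No managed identity endpoint found. Is this running on App Service with a managed identity enabled?"
}

# Invoke-RestMethod parses the JSON body for us, so no ConvertFrom-Json step and
# none of the parsing trouble mentioned in the post.
$tokenResponse = Invoke-RestMethod -Uri $tokenUri -Headers $headers -Method Get
$accessToken   = $tokenResponse.access_token

# Omitting the version segment returns the current version of the secret.
$secretUri = "https://$vaultName.vault.azure.net/secrets/$secretName?api-version=7.3"
$secret = Invoke-RestMethod -Uri $secretUri -Headers @{ Authorization = "Bearer $accessToken" } -Method Get

# $secret.value holds the secret material and $secret.id identifies the version that
# was returned. Use the value (e.g. to build a connection string) instead of echoing it.
Write-Output "Retrieved $($secret.id)"
```

The script fails fast when no identity endpoint is present, which is the usual symptom of running the code outside App Service or on an app whose managed identity has not been enabled; a 403 from the vault call, with a token in hand, points instead at a missing access policy or role assignment.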

References:

https://learn.microsoft.com/en-us/rest/api/keyvault/keyvault/vaults