Cloud Service Extended Support Key vault access keys and secrets

Steven Brown 6 Reputation points
2021-09-10T17:08:09.383+00:00

I am in the process of migrating Cloud Service Classic to Cloud Service Extended Support which I also want to get working with Key Vault.

The application has been successfully migrated and without any KV changes to code/webconfig it publishes fine.

Once KV is added I can gain access to the certificate no problem during deployment following the guidance below.

deploy-prerequisite

> You also need to enable Key Vault 'Access policies' (in portal) for 'Azure Virtual Machines for deployment' so that Cloud Services (extended support) resource can retrieve certificate stored as secrets from Key Vault

This works fine, I can pick up the cert from the key vault.

When debugging locally I can access the keys/secrets contained within the KV as its authenticating against my account. The code works fine locally so I assume there are no problems here.

When I publish to the Cloud Service Extended Support I get the following error.

DefaultAzureCredential failed to retrieve a token from the included credentials.

  • EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
  • ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
    Status: 400 (Bad Request)
    Content:
    {"error":"invalid_request","error_description":"Identity not found"}

Self explanatory really.

I assume using KV to gain access to certificates, keys and secrets needs to use a service principal account which in turn needs access to the KV via an access policy.

I assume the setting above does not give access to anything inside the VM once built and only gives permission to install the certificate on deployment?

The documentation isn't very clear.

If anyone has done this before if you could share any documentation, I assume accessing the KV through code as you would a standard VM. There is no Azure functionality which configures the identity via an Azure setting, i.e the one mentioned above.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,322 questions
Azure Cloud Services
Azure Cloud Services
An Azure platform as a service offer that is used to deploy web and cloud applications.
704 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Steven Brown 6 Reputation points
    2021-09-14T08:33:57.77+00:00

    please close this, I managed to get this resolved adding the correct environment variables.

    1 person found this answer helpful.

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.