I have an ASP.net Core 3.1 application running in an Azure App Service. Having started using Azure Key Vault to store connection strings and other secrets for the app, the app is now crashing with an "HTTP Error 500.30 ANCM In-Process Start Failure" error page.

I've searched the Azure Portal up and down and finally managed to find something meaningful in the App Service's list of .NET Core Startup Failures (hidden under App Service > Diagnose and Solve Problems > Web App Down > View .NET Startup Failures):

Microsoft.Azure.KeyVault.Models.KeyVaultErrorException: The policy requires the caller 
'appid=<redacted>;oid=<redacted>;iss=https://sts.windows.net/<redacted>/' to use on-behalf-of (OBO) 
flow. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287

I have no need for the on-behalf-of flow. I did originally define the Key Vault access policy to include both the app's oid and its appid by mistake. I have since remedied by removing the access policy and recreating it without the appid.

My question is - Why am I still getting this error and how can I fix it?

Update: Below is the code that seems to be triggering this. Having disabled it, the app goes back to normal (albeit without Key Vault integration).

    // Runs inside ConfigureAppConfiguration; assumes the Microsoft.Azure.KeyVault,
    // Microsoft.Azure.Services.AppAuthentication and
    // Microsoft.Extensions.Configuration.AzureKeyVault packages are referenced.
    var builtConfig = config.Build();
    var vaultUrl = $"https://{builtConfig["KeyVaultName"]}.vault.azure.net/";
    // On App Service, AzureServiceTokenProvider obtains its token from the app's managed identity
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    var keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(
            azureServiceTokenProvider.KeyVaultTokenCallback));
    // Load every secret in the vault into the configuration tree
    config.AddAzureKeyVault(
        vaultUrl,
        keyVaultClient,
        new DefaultKeyVaultSecretManager());

There are 2 answers

Joey Cai On BEST ANSWER

When you add an access policy, you can only select a service principal by its object id.

As you described, you removed the appid; ensure that you have clicked the Save button to save your operation.

You can grant data plane access by setting Key Vault access policies for a key vault. To set these access policies, a user, group, or application must have Contributor permissions for the management plane for that key vault.

For more details, you could refer to this article.

VivekDev On

My two cents.

I am using terraform to deploy Azure Key Vault and add Access Policies to it.

You can see the tf config file here and all of the config files in this folder

The access policy looks like the following.

access_policy {
  tenant_id      = data.azurerm_client_config.current.tenant_id
  application_id = azuread_application.app.application_id
  object_id      = azuread_service_principal.app_sp.object_id

 ...

}

I am running a dotnet 6 program to access the key and I get the following error.

Unhandled exception. Azure.RequestFailedException: The policy requires the caller 'appid=d85236a6-410f-4ca6-a380-31205aaa6197;oid=3e287ec3-4afe-4538-a931-c4e3b648b32b;iss=https://sts.windows.net/46b02288-c094-50c5-3cb3-1168c454d83g/' to use on-behalf-of (OBO) flow. For more information on OBO, please see https://go.microsoft.com/fwlink/?linkid=2152310

Now for the fix, I removed the application_id assignment.

Keeping the application_id assignment makes it a compound identity (application-plus-user) application.

So the final access policy configuration looks like this.

access_policy {
  tenant_id      = data.azurerm_client_config.current.tenant_id
  # application_id = azuread_application.app.application_id
  object_id      = azuread_service_principal.app_sp.object_id

 ...

}
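Both answers come down to the same misconfiguration: an access policy that names an application_id together with the object_id is a compound identity, so Key Vault demands an OBO token that a managed identity or client-credentials caller cannot present. The following is an added audit helper, not code from the question or either answer: it parses the caller string out of the error text and checks the vault's access policies for that oid. The sample error and vault description are constructed with placeholder GUIDs, and the `properties.accessPolicies` / `applicationId` / `objectId` field names are an assumption about the JSON that `az keyvault show` prints.

```python
import json
import re

# Constructed sample error text in the shape of the messages quoted above (placeholder GUIDs).
SAMPLE_ERROR = ("The policy requires the caller 'appid=22222222-2222-2222-2222-222222222222;"
                "oid=11111111-1111-1111-1111-111111111111;"
                "iss=https://sts.windows.net/00000000-0000-0000-0000-000000000001/' "
                "to use on-behalf-of (OBO) flow.")

# Constructed vault description; the properties.accessPolicies layout is an assumption
# about `az keyvault show` output, not something taken from the page.
SAMPLE_VAULT = json.dumps({"properties": {"accessPolicies": [
    {"tenantId": "00000000-0000-0000-0000-000000000001",
     "objectId": "11111111-1111-1111-1111-111111111111",
     "applicationId": "22222222-2222-2222-2222-222222222222",   # compound identity
     "permissions": {"secrets": ["get", "list"]}},
    {"tenantId": "00000000-0000-0000-0000-000000000001",
     "objectId": "33333333-3333-3333-3333-333333333333",
     "applicationId": None,                                      # plain service principal
     "permissions": {"secrets": ["get"]}},
]}})

CALLER_RE = re.compile(r"caller '([^']*)'")

def parse_caller(error_message: str) -> dict:
    """Extract appid/oid/iss from the 'The policy requires the caller ...' text."""
    match = CALLER_RE.search(error_message)
    if not match:
        raise ValueError("no caller string found in error message")
    return dict(part.split("=", 1) for part in match.group(1).split(";") if "=" in part)

def audit_access_policies(vault_json: str, error_message: str) -> list:
    """Report why the caller named in the error is rejected by the vault's access policies."""
    caller = parse_caller(error_message)
    policies = json.loads(vault_json)["properties"]["accessPolicies"]
    mine = [p for p in policies if p.get("objectId") == caller.get("oid")]
    if not mine:
        return [f"no access policy grants oid {caller.get('oid')}"]
    findings = []
    for policy in mine:
        if policy.get("applicationId"):
            # applicationId + objectId = compound identity; Key Vault then demands an OBO
            # token, which a managed identity or client-credentials token cannot satisfy.
            findings.append(f"policy for oid {policy['objectId']} also sets applicationId "
                            f"{policy['applicationId']}: clear applicationId and save")
    return findings

if __name__ == "__main__":
    for finding in audit_access_policies(SAMPLE_VAULT, SAMPLE_ERROR):
        print(finding)
```

Feed it the real error text and `az keyvault show --name <vault> -o json` output to confirm the policy has actually been saved without the application id.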