I am trying to use Managed Identity for both Azure Key Vault and Azure App Config.
The following code works when I deploy to my Azure App Service - but when I run locally the SecretClient code succeeds and the AppConfig code fails.
For my KeyVault I've tried using Vault access policy and RBAC - and both work. I added myself and the App Service as Key Vault Secrets User role.
For my AppConfig I have added myself to RBAC as App Configuration Data Owner, and my App Service as App Configuration Data Reader. Note the App Service can successfully configure and read this, but when I run it locally I get various errors, depending on what I try:
When calling AddAzureAppConfiguration I get the following exception:
Process "C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\Extensions\lybeojxv.4oe\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'AADSTS50020: User account '{EmailHidden}' from identity provider 'live.com' does not exist in tenant 'Microsoft Services' and cannot access the application '{GuidHidden}'(Visual Studio) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
My account in Azure AD was added as an external user to the tenant, my_email_com#EXT#@mycompany.onmicrosoft.com, although the Azure AD model of guests and members is extremely confusing.
I tried signing out and in again, to no avail. I don't know why it says my user needs to be added as an external user to the tenant, when it already seems to be. Anyone have any suggestions?
The entirety of my code is as follows:
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder();

// Azure KeyVault - succeeds locally and for Azure AppService
var keyVaultUri = "https://{MYVAULT}.vault.azure.net/";
var client = new SecretClient(new Uri(keyVaultUri), new DefaultAzureCredential());
var testSecret = client.GetSecret("secretTest").Value.Value;

// Azure AppConfig
var appConfigUri = "https://{MYCONFIG}.azconfig.io/";
// The following code fails when run locally:
builder.Configuration.AddAzureAppConfiguration(options =>
    options.Connect(new Uri(appConfigUri), new DefaultAzureCredential()));

var app = builder.Build();
var testConfig = app.Configuration["testConfig"];
app.MapGet("/", () => $"secret: {testSecret}, appConfig: {testConfig}");
app.Run();
I tried again today but got a slightly different error:
So I opened PowerShell and ran the command:
It launched the browser, and I was already logged in. Then when I tried again locally, it worked!
Very strange that the SecretClient didn't need the PowerShell az login but the AppConfig did...
And I'm also not sure what changed since yesterday to give me the different type of error. Azure is a fickle beast at times.
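An added example (not the asker's code) of the same Program.cs written so the credential chain cannot silently pick the wrong identity: a single DefaultAzureCredential is shared by both clients, its developer-tool credentials are pinned to the resource tenant during local development (a Visual Studio sign-in from another tenant is exactly what AADSTS50020 reports), and when deployed only the App Service managed identity is left in the chain. The `Azure:TenantId` configuration key is an assumption; the two URIs are the placeholders from the question.

```csharp
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

// Hypothetical configuration key: the tenant that owns the Key Vault and the App
// Configuration store (appsettings.Development.json or user-secrets, not hard-coded).
var tenantId = builder.Configuration["Azure:TenantId"];
var keyVaultUri = new Uri("https://{MYVAULT}.vault.azure.net/");   // placeholder, as in the question
var appConfigUri = new Uri("https://{MYCONFIG}.azconfig.io/");     // placeholder, as in the question

var credentialOptions = new DefaultAzureCredentialOptions();
if (builder.Environment.IsDevelopment())
{
    // Locally: pin the developer-tool credentials to the resource tenant so a Visual Studio
    // sign-in from another tenant cannot be selected (the mismatch AADSTS50020 reports),
    // and drop the Visual Studio credential since `az login` is the sign-in that works here.
    credentialOptions.VisualStudioTenantId = tenantId;
    credentialOptions.SharedTokenCacheTenantId = tenantId;
    credentialOptions.InteractiveBrowserTenantId = tenantId;
    credentialOptions.ExcludeVisualStudioCredential = true;
    credentialOptions.ExcludeManagedIdentityCredential = true; // no IMDS endpoint on a dev box
}
else
{
    // Deployed: only the App Service managed identity may be used, so the developer
    // credentials are excluded instead of being probed by the chain.
    credentialOptions.ExcludeAzureCliCredential = true;
    credentialOptions.ExcludeAzurePowerShellCredential = true;
    credentialOptions.ExcludeVisualStudioCredential = true;
    credentialOptions.ExcludeVisualStudioCodeCredential = true;
    credentialOptions.ExcludeSharedTokenCacheCredential = true;
}

// One credential shared by both clients, so Key Vault and App Configuration authenticate
// identically and a failure in one is not hidden by a second, differently resolved chain.
var credential = new DefaultAzureCredential(credentialOptions);

var secretClient = new SecretClient(keyVaultUri, credential);
var testSecret = secretClient.GetSecret("secretTest").Value.Value;

builder.Configuration.AddAzureAppConfiguration(options =>
    options.Connect(appConfigUri, credential));

var app = builder.Build();
var testConfig = app.Configuration["testConfig"];
app.MapGet("/", () => $"secret: {testSecret}, appConfig: {testConfig}");
app.Run();
```

Keeping the App Service identity on App Configuration Data Reader (as in the question) while the developer account holds Data Owner means the deployed app can never write configuration even if the credential chain is misconfigured.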