[QUERY] How to use Azure authentication against a keyvault, and get the token. #38388
Thank you for your feedback. Tagging and routing to the team member best able to assist.
Hi @nschuessler

Regarding question 1 - I'm not sure why you'd be getting the exception. Could you provide the actual exception and stack trace?

Regarding question 2 - If you are using a client Id and client secret, it sounds like you need the ClientSecretCredential. Managed identities do not utilize a client Id unless it is to specify which user assigned identity to select. I'm not aware of a scenario in which either system assigned or user assigned managed identities utilize a client secret.

Regarding question 3 - the functionality would be nearly the same if you are planning to just migrate your existing code, although the newer libraries are in active development and adhere to our latest design guidelines. Here is an overview of what is new about these latest versions of Azure SDKs
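Added example, not part of the original thread and not code from the issue author or the Azure SDK team: one way to wire up the flow discussed above, reading a client id and client secret from Key Vault as the signed-in developer, building a `ClientSecretCredential` from them, and requesting an access token for a REST call. The class name, the two secret names, the tenant id parameter and the scope are assumptions made for the illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

public static class VaultBackedAuth
{
    // Hypothetical secret names; use whatever names your vault actually holds.
    const string ClientIdSecretName = "service-client-id";
    const string ClientSecretSecretName = "service-client-secret";

    // Reads the app registration's client id and secret from Key Vault using the
    // developer's own identity, then builds a credential for that application.
    // tenantId is an assumption: ClientSecretCredential needs it and the issue does not give one.
    public static async Task<TokenCredential> CreateServiceCredentialAsync(
        Uri vaultUri, string tenantId, CancellationToken ct = default)
    {
        var vault = new SecretClient(vaultUri, new DefaultAzureCredential());
        string clientId = (await vault.GetSecretAsync(ClientIdSecretName, cancellationToken: ct)).Value.Value;
        string clientSecret = (await vault.GetSecretAsync(ClientSecretSecretName, cancellationToken: ct)).Value.Value;

        // The secret goes into the credential constructor; never log it or write it to disk.
        return new ClientSecretCredential(tenantId, clientId, clientSecret);
    }

    // Requests a token for the given scope and sends it as a Bearer header on a GET request.
    public static async Task<string> GetWithBearerTokenAsync(
        HttpClient http, TokenCredential credential, string scope, Uri requestUri,
        CancellationToken ct = default)
    {
        AccessToken token = await credential.GetTokenAsync(new TokenRequestContext(new[] { scope }), ct);

        using (var request = new HttpRequestMessage(HttpMethod.Get, requestUri))
        {
            // token.Token is a bearer secret valid until token.ExpiresOn; keep it out of logs and telemetry.
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
            using (HttpResponseMessage response = await http.SendAsync(request, ct))
            {
                response.EnsureSuccessStatusCode();
                return await response.Content.ReadAsStringAsync();
            }
        }
    }
}
```

The scope is the target resource's identifier followed by `/.default`, for example `https://management.azure.com/.default` for Azure Resource Manager.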
Hi @nschuessler. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

Thanks for the answers. For issue 2: which is wrapped in a Visual Studio So my code to use

// Code inside InitializeSecretsAsync
SecretClient secretClient = new SecretClient(new Uri(vaultBaseUrl), new DefaultAzureCredential());
global::Azure.Response<KeyVaultSecret> secret = null;

I thought at first, since the code that uses The other possible problem is that Visual Studio Snapshot Debugger uses KeyVault.Secrets version 4.4 not the latest 4.5, so there may be a conflict with multiple versions loaded, but backing down the version in my extension to 4.4 also does not fix the problem. Possibly using Fuselog viewer may help but otherwise I'm out of ideas on what to try. Here is the call stack:
Update: So I think I understand the nature of the problem. But the in proc portion is not fixed by this. Even with explicit inclusion in the manifest. I'll keep fiddling with it.

@nschuessler you likely need to update to the latest

Hi @nschuessler. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

Hi @nschuessler, we're sending this friendly reminder because we haven't heard back from you in 7 days. We need more information about this issue to help address it. Please be sure to give us your input. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!
So the issues I was having are basically related to how Visual Studio IDE imports / consumes The only solution is to wait for the IDE to ship with a newer version of Azure.Identity / Azure SDK so extensions can use it. The problem was that it was a few versions old. If you can do anything to keep the IDE version of Azure SDK as up to date as possible it would be helpful, otherwise if that is not something Azure SDK team does, then there is no investigation here and you can close the issue.

@nschuessler thanks for the update. We'll work with our partners to try to keep those bits updated, but it will also depend on which release channel you're on for Visual Studio. The "Release" channel won't be updated nearly as often. In that case, I'd recommend taking as old of a dependency as you can (and barring any security issues that may have been fixed) to avoid this with your extension. @christothes @schaabs I recommend we keep this open as a tracking issue at least until we can find the appropriate owners and get an internal issue filed.
VS is at the latest version of Azure.Identity now |
Library name and version
Azure.Identity 1.10, Azure.Security.KeyVault.Secrets 4.5
Query/Question
I have a Visual Studio extension that uses the current IDE user's credentials to access a key vault to retrieve a client id and client secret for a managed identity. The managed identity (client) is configured for RBAC (role based access control) to Azure services and resources.
Because both Microsoft.Azure.KeyVault and Microsoft.Azure.Service.AppAuthentication are no longer actively supported, they will trigger security alerts and cause an interruption of our feature development.
1 Getting the secret from the vault:
This seems to be the code to access a key vault based on the identity of the user using the Visual Studio IDE.
The problem is that in the latest version of Visual Studio 17.7.2, I get MissingMethodException for the SecretClient constructor.
It seems Visual Studio is using 4.4 of the secrets library, but downgrading to 4.4 for my extension doesn't seem to help. Debugging extension loading issues in Visual Studio is quite troublesome.
2 Authenticating as a managed identity:
Given I have the client id and client secret, how do I access other resources as that managed identity?
This code used to work:
It seems I need to use ManagedIdentityCredential like this:
Except, where does the client secret go now? I don't see a property for it.
How do you get the access token (for use in REST apis)?
3 As a bonus question, what will my app benefit from by all this work to get the same functionality by redesigning the auth around the new library? I had designed it to keep track of (host uri, token) pairs and hand them out based on REST client request URIs.
Thanks
Environment
IDE is version 17.7.2.
I'm on Windows 11.
Roslyn 4.6/4.7 is in the mix.
Runtime version for the VSIX is 4.7.2/4.8.
Libraries written in .Net Standard 2.0.
PS C:\Repos\cpr3\src\DevTools\CodeFlowService> dotnet --info
.NET SDK:
Version: 7.0.400
Commit: 73bf45718d
Runtime Environment:
OS Name: Windows
OS Version: 10.0.22621 <== This is actually windows 11 I'm running on ...
OS Platform: Windows
RID: win10-x64
Base Path: C:\Program Files\dotnet\sdk\7.0.400\
Host:
Version: 7.0.10
Architecture: x64
Commit: a6dbb800a4
.NET SDKs installed:
6.0.316 [C:\Program Files\dotnet\sdk]
7.0.400 [C:\Program Files\dotnet\sdk]
.NET runtimes installed:
Microsoft.AspNetCore.App 6.0.21 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.AspNetCore.App 7.0.10 [C:\Program Files\dotnet\shared\Microsoft.AspNetCore.App]
Microsoft.NETCore.App 6.0.21 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.NETCore.App 7.0.10 [C:\Program Files\dotnet\shared\Microsoft.NETCore.App]
Microsoft.WindowsDesktop.App 6.0.21 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Microsoft.WindowsDesktop.App 7.0.10 [C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App]
Other architectures found:
x86 [C:\Program Files (x86)\dotnet]
registered at [HKLM\SOFTWARE\dotnet\Setup\InstalledVersions\x86\InstallLocation]
Environment variables:
Not set
global.json file:
Not found
Learn more:
https://aka.ms/dotnet/info
Download .NET: