{"id":6759,"date":"2020-01-07T00:55:17","date_gmt":"2020-01-07T00:55:17","guid":{"rendered":"http:\/\/blogs.aaddevsup.xyz\/?p=6759"},"modified":"2020-07-02T17:49:35","modified_gmt":"2020-07-02T17:49:35","slug":"exploring-azureservicetokenprovider-class-with-azure-key-vault","status":"publish","type":"post","link":"https:\/\/blogs.aaddevsup.xyz\/2020\/01\/exploring-azureservicetokenprovider-class-with-azure-key-vault\/","title":{"rendered":"Exploring AzureServiceTokenProvider class with Azure Key Vault and Azure SQL"},"content":{"rendered":"\n

The AzureServiceTokenProvider<\/a> class from the Nuget package Microsoft.Azure.Services.AppAuthentication<\/a> can be used to obtain an access token.  When running in Azure it can also utilize managed identities<\/a> to request an access token.  In this post I\u2019ll focus on using this class to get an access token for Azure Key Vault<\/a>.  Keep in mind that you can also use this class to obtain an access token for any Azure resources integrated with Azure Active Directory.  Below are some code sample showing a couple of ways to use this class to get an access token and call Azure Key Vault:<\/p>\n\n\n\n

Note<\/strong>: Before trying out the following, you should make sure the signed-in principal (application or user) has access to Azure Key Vault.  See my previous<\/a> blog post for more info on this and the Azure Key Vault documentation.  For example, I have configured my Azure Key Vault to allow access to the following 2 users and 2 Applications in the Azure Key Vault\u2019s Access Policies blade:<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n
using Microsoft.Azure.Services.AppAuthentication;\nusing Microsoft.Azure.KeyVault;\n\/\/ ...\nvar azureServiceTokenProvider = new AzureServiceTokenProvider();\nvar kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));\nvar secret = await kv.GetSecretAsync(\"https:\/\/blogkv123.vault.azure.net\", \"SQLPassword\").ConfigureAwait(false);\n<\/pre>\n\n\n
or<\/p>\n\n\n\n
using Microsoft.Azure.Services.AppAuthentication;\nusing Microsoft.Azure.KeyVault;\n\/\/ ...\nvar azureServiceTokenProvider = new AzureServiceTokenProvider();\nstring accessToken = await azureServiceTokenProvider.GetAccessTokenAsync(\"https:\/\/vault.azure.net\");\nusing (var client = new HttpClient())\n{\n    var url = \" https:\/\/blogkv123.vault.azure.net\/secrets\/SQLPassword\";\n    client.DefaultRequestHeaders.Add(\"Authorization\", \"Bearer \" + accessToken);\n    var response = await client.GetAsync(url);\n    \/\/ Parse JSON response.\n    ....\n}\n<\/pre>\n\n\n\n
In the above code sample, we are using the default constructor of the AzureServiceTokenProvider class by instantiating an instance of this class without providing a connection string (which usually contains tenant and application ID info).  Later on, we will talk about how use a connection string with this class.  The default constructor tries to get an access token from the following methods:<\/p>\n\n\n\n
  1. Managed Identities using client credentials\ngrant flow \u2013 this option only works if the code is run in Azure environment,\nfor example Azure Virtual Machine , Azure App Service, etc\u2026<\/li><\/ol>\n\n\n\n
    Note<\/strong>:  this option requires that the Azure resource has support for Managed Identities and Managed identity is enabled.  For a list of Azure resources that support managed identities see https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/managed-identities-azure-resources\/services-support-managed-identities<\/a><\/p>\n\n\n\n
    1. Visual Studio<\/li>
    2. Azure CLI or Active Directory Integrated Authentication<\/li><\/ol>\n\n\n\n
      If all 3 methods fail, you can get an Exception like the\nfollowing:<\/p>\n\n\n\n
      Exception thrown: ‘Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProviderException’ in System.Private.CoreLib.dll<\/em><\/p>\n\n\n\n
      Parameters: Connection String: [No connection string specified], Resource: https:\/\/vault.azure.net, Authority: https:\/\/login.windows.net\/<tenant ID>. Exception Message: Tried the following 3 methods to get an access token, but none of them worked.<\/em><\/p>\n\n\n\n
      Parameters: Connection String: [No connection string specified], Resource: https:\/\/vault.azure.net, Authority: https:\/\/login.windows.net\/<tenant ID>. Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an Azure resource that has MSI setup.<\/em><\/p>\n\n\n\n
      Parameters: Connection String: [No connection string specified], Resource: https:\/\/vault.azure.net, Authority: https:\/\/login.windows.net\/<tenant ID>. Exception Message: Tried to get token using Visual Studio. Access token could not be acquired. <\/em><\/p>\n\n\n\n
      Parameters: Connection\nString: [No connection string specified], Resource: https:\/\/vault.azure.net,\nAuthority: https:\/\/login.windows.net\/<tenant ID>.\nException Message: Tried to get token using Azure CLI. Access token could not\nbe acquired. ERROR: No subscription found. Run ‘az account set’ to select a\nsubscription.<\/em><\/p>\n\n\n\n
      For option 1, either System MSI or User-Assigned MSI can be used.  Refer to the appropriate Azure Resource documentation for how to do this.  As mentioned above, remember to give MSI access to Azure Key Vault.<\/p>\n\n\n\n
      Below are a couple of screen shots showing how I configured my Azure VM MSI using either System MSI or User-Assigned MSI (see more info about User MSI Connection String later on in this blog):<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      A good way to test if MSI\nis enabled for the Azure VM is by running the following command from the\nPowershell window in the VM:<\/p>\n\n\n\n
      Invoke-WebRequest -Uri ‘http:\/\/169.254.169.254\/metadata\/identity\/oauth2\/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net’ -Headers @{Metadata=”true”}<\/strong><\/p>\n\n\n\n
      \"\"<\/figure><\/div>\n\n\n\n
      For Azure App Service, the MSI setting is similar in the Azure App Service\u2019s Identity blade:<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      To test for MSI in Azure App Service you can create a file called \u2018test.ps1\u2019 with the following Powershell code and run the file from the Azure Web App\u2019s kudu<\/a> console:<\/p>\n\n\n
      $resourceURI = \"https:\/\/vault.azure.net\"\n$tokenAuthURI = $env:MSI_ENDPOINT + \"?resource=$resourceURI&api-version=2017-09-01\"\n$tokenResponse = Invoke-RestMethod -Method Get -Headers @{\"Secret\"=\"$env:MSI_SECRET\"} -Uri $tokenAuthURI\n$accessToken = $tokenResponse.access_token\nEcho $accessToken\n<\/pre>\n\n\n
      And you should see output like the following:<\/p>\n\n\n\n
      \"\"<\/figure>\n\n\n\n
      For option 2, refer to the\ndocumentation at https:\/\/docs.microsoft.com\/en-us\/azure\/key-vault\/service-to-service-authentication<\/a> for instruction under \u201cAuthentication with Visual\nStudio\u201d section,<\/p>\n\n\n\n
      For option 3, make sure you\nhave Azure CLI v2.0.12 or later installed (to find out what version you have\ninstalled run az \u2013version<\/strong> command)<\/p>\n\n\n\n
      You will need to sign in\nfrom the az cli window first before running your application code.  You can either sign in by a user account or\nby an application (service principal) account<\/p>\n\n\n\n
      Sign in with a user\naccount:<\/strong><\/p>\n\n\n\n
      1. Run az login<\/strong> to sign in<\/li>
      2. Run az\naccount get-access-token \u2013resource https:\/\/vault.azure.net<\/strong> to verify you can get an access token for Azure Key\nVault<\/li><\/ol>\n\n\n\n
        Sign in with an Application\n(or Service Principal):<\/strong><\/p>\n\n\n\n
        az login\n–service-principal -u <app id> –password <app secret> –tenant\n<tenant-id> –allow-no-subscriptions<\/strong><\/p>\n\n\n\n
        Using AzureServiceTokenProvider with your own Application…<\/h3>\n\n\n\n
        So far, we have only discussed calling AzureServiceTokenProvider class with no argument (the default constructor).  When deploying the code to run in Azure service, it mainly relies on using Managed Identity (MSI) configured for <\/a>that service to get an access token.  Both the Azure CLI and Visual Studio method are intended only for local development effort so they are not suitable for production environment.  The problem with using MSI is that the Azure resource must support MSI and not every resource has this capability.  <\/p>\n\n\n\n
        Besides using Managed Identities, you can also configure your own Application Registration and use that application for the AzureServiceTokenProvider class to acquire an access token.  This can be accomplished using a Connection String to specify our tenant and application info detail.  See code example below for how to do this:<\/p>\n\n\n\n
        var azureServiceTokenProvider1 = new AzureServiceTokenProvider(“RunAs=App;AppId=<Application ID>;TenantId=<Tenant Name>.onmicrosoft.com;AppKey=<App Secret>\u201d);<\/strong><\/p>\n\n\n\n
        Note<\/strong>: For User-Assigned Managed Identity, use the connection string as followed:<\/p>\n\n\n\n
        var azureServiceTokenProvider1 = new\nAzureServiceTokenProvider(“RunAs=App;AppId=<User-Assigned MSI Application ID>\u201d);<\/b><\/p>\n\n\n\n
        Set up the Connection String via an environment variable:<\/strong><\/h3>\n\n\n\n
        Instead of passing in the connection string in the AzureServiceTokenProvider class, you can create an environment variable (via Visual Studio Project Properties) called AzureServicesAuthConnectionString<\/strong> and set the connection string as its value:<\/p>\n\n\n\n
        \"\"<\/figure>\n\n\n\n
        Once this environment\nvariable is set, you can call the AzureServiceTokenProvider with its default\nconstructor:<\/p>\n\n\n\n
        var azureServiceTokenProvider = new AzureServiceTokenProvider();<\/strong><\/p>\n\n\n\n
        For debugging purpose, I\nuse the following code in my controller to get more info about the token or Exception\nInfo:<\/p>\n\n\n
        public async System.Threading.Tasks.Task<ActionResult> Privacy()\n        {\n            \/\/ Instantiate a new KeyVaultClient object, with an access token to Key Vault\n            var azureServiceTokenProvider1 = new AzureServiceTokenProvider();\n             var azureServiceTokenProvider2 = new AzureServiceTokenProvider(\"RunAs=App;AppId=<Application ID>\");\n            \/\/ var azureServiceTokenProvider2 = new AzureServiceTokenProvider();\n            \/\/ string accessToken = await azureServiceTokenProvider2.GetAccessTokenAsync(\"https:\/\/management.azure.com\/\").ConfigureAwait(false);\n            \/\/ var azureServiceTokenProvider1 = new AzureServiceTokenProvider(\"RunAs=App;AppId=<Application ID>;TenantId=<Tenant Name>.onmicrosoft.com;AppKey=<Application Secret>\");\n            try\n            {\n                var kv = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider1.KeyVaultTokenCallback));\n                var secret = await kv.GetSecretAsync(\"https:\/\/blogkv123.vault.azure.net\", \"SQLPassword\").ConfigureAwait(false);\n                ViewBag.Secret = $\"Secret: {secret.Value}\";\n            }\n            catch (Exception ex)\n            {\n                ViewBag.Error = $\"Something went wrong: {ex.Message}\";\n                Debug.WriteLine(ex.Message);\n            }\n            ViewBag.Principal = azureServiceTokenProvider1.PrincipalUsed != null ? $\"Principal Used: {azureServiceTokenProvider1.PrincipalUsed}\" : string.Empty;\n\n            try\n            {\n                string accessToken = await azureServiceTokenProvider2.GetAccessTokenAsync(\"https:\/\/vault.azure.net\").ConfigureAwait(false);\n                ViewBag.AccessToken = $\"Access Token: {accessToken}\";\n            }\n            catch (Exception e)\n            {\n                Debug.WriteLine(e.Message);\n            }\n            \/\/ Debug.WriteLine(ToString());\n            return View();\n        }\n<\/pre>\n\n\n
        And here is the code for the View Page:<\/p>\n\n\n
        @{\n    ViewData[\"Title\"] = \"Privacy Policy\";\n}\n<h1>@ViewData[\"Title\"]<\/h1>\n\n<div>\n\n    <div>@ViewBag.AccessToken<\/div>\n\n    <div>@ViewBag.Secret<\/div>\n\n    <div>@ViewBag.Principal<\/div>\n\n    <div>@ViewBag.Error<\/div>\n\n\n\n<\/div>\n\n<p>Use this page to detail your site's privacy policy.<\/p>\n<\/pre>\n\n\n
        Beware of Token Lifetime<\/h3>\n\n\n\n
        Usually Managed Identities (System or User-Assigned) access token is valid up to 8 hours<\/a>.  Make sure your application code checks for token validity and renewing the token as needed to avoid unpredictable behavior.  A typical problem that can occur is intermittent Database connectivity issue, for instance the one documented here<\/a>.  An Azure App Service using Managed Identity access token to connect to an Azure SQL Database with the following Entity Framework code:<\/p>\n\n\n\n
        public class MyDbContext : DbContext\n    {\n        public MyDbContext(DbContextOptions options) : base(options)\n        {\n            var conn =  (SqlConnection) this.Database.GetDbConnection();\n            conn.AccessToken = (new AzureServiceTokenProvider()).GetAccessTokenAsync(\"https:\/\/database.windows.net\/\").Result;\n        }\n        public DbSet<Item> Items { get; set; }\n    }\n\n\/\/Startup.cs\nservices.AddDbContext<ToDoDbContext>(options =>\n{\n    var connStr = Configuration[\"ConnectionString\"];\n    options.UseSqlServer(connStr);\n});<\/pre>\n\n\n\n
        The code works fine initially but after some time it starts throwing the following exception:<\/p>\n\n\n\n
        System.Data.SqlClient.SqlException (0x80131904): Login failed for user 'NT AUTHORITY\\ANONYMOUS LOGON'.\n\u00a0\u00a0 at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString userConnectionOptions, SessionData reconnectSessionData, Boolean applyTransientFaultHandling, String accessToken)\n\u00a0\u00a0 at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)\n\u00a0\u00a0 at System.Data.ProviderBase.DbConnectionFactory.CreatePooledConnection(DbConnectionPool pool, DbConnection owningObject, DbConnectionOptions options, DbConnectionPoolKey poolKey, DbConnectionOptions userOptions)\n\u00a0\u00a0 at System.Data.ProviderBase.DbConnectionPool.CreateObject(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)\n\u00a0\u00a0 at System.Data.ProviderBase.DbConnectionPool.UserCreateRequest(DbConnection owningObject, DbConnectionOptions userOptions, DbConnectionInternal oldConnection)\n\u00a0\u00a0 at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, UInt32 waitForMultipleObjectsTimeout, Boolean allowCreate, Boolean onlyOneCheckConnection, DbConnectionOptions userOptions, DbConnectionInternal& connection)\n\u00a0\u00a0 at System.Data.ProviderBase.DbConnectionPool.TryGetConnection(DbConnection owningObject, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal& connection)\n\u00a0\u00a0 at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)\n\u00a0\u00a0 at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)\n\u00a0\u00a0 at System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)\n\u00a0\u00a0 at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)\n\u00a0\u00a0 at System.Data.SqlClient.SqlConnection.Open()\n\u00a0\u00a0 at Microsoft.EntityFrameworkCore.Storage.RelationalConnection.OpenDbConnection(Boolean errorsExpected)\nClientConnectionId:a3a93762-2a94-473b-ba4b-9c3da55d669f\nError Number:18456,State:1,Class:14<\/code><\/pre>\n\n\n\n
        The root cause of the above error is due to expired token being used.  The Application code above only retrieves the access token once during DB Context initialization and keeps using the same token beyond its lifetime.  Check out the github issue above (https:\/\/github.com\/dotnet\/efcore\/issues\/19808<\/a>) for ideas on how to work around this issue.<\/p>\n\n\n\n
        References:<\/h3>\n\n\n\n
        https:\/\/stackoverflow.com\/questions\/14627399\/setting-authorization-header-of-httpclient<\/a><\/p>\n\n\n\n
        https:\/\/www.rahulpnath.com\/blog\/authenticating-with-azure-key-vault-using-managed-service-identity\/<\/a><\/p>\n\n\n\n
        https:\/\/docs.microsoft.com\/en-us\/samples\/azure-samples\/app-service-msi-keyvault-dotnet\/keyvault-msi-appservice-sample\/<\/a><\/p>\n\n\n\n
        https:\/\/docs.microsoft.com\/en-us\/samples\/azure-samples\/app-service-msi-keyvault-dotnet\/keyvault-msi-appservice-sample\/<\/a><\/p>\n\n\n\n
        https:\/\/docs.microsoft.com\/en-us\/azure\/app-service\/overview-managed-identity?context=azure%2Factive-directory%2Fmanaged-identities-azure-resources%2Fcontext%2Fmsi-context&tabs=powershell<\/a><\/p>\n\n\n\n
        https:\/\/docs.microsoft.com\/en-us\/azure\/key-vault\/service-to-service-authentication<\/a><\/p>\n\n\n\n
        \n\n\n\n
        Update 4\/25\/2020<\/span><\/strong> – Added information about token life time and SQL Connection error<\/p>\n","protected":false},"excerpt":{"rendered":"
        The AzureServiceTokenProvider class from the Nuget package Microsoft.Azure.Services.AppAuthentication can be used to obtain an access token.  When running in Azure it can also utilize managed identities to request an access token.  In this post I\u2019ll focus on using this class to get an access token for Azure Key Vault.  Keep in mind that you can also use this class to obtain an access token for any Azure resources integrated with…<\/p>\n","protected":false},"author":3,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3,5,9,12],"tags":[140],"class_list":["post-6759","post","type-post","status-publish","format-standard","hentry","category-authentication","category-azure-ad","category-key-vault","category-msi","tag-keyvault"],"_links":{"self":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/6759"}],"collection":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/comments?post=6759"}],"version-history":[{"count":123,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/6759\/revisions"}],"predecessor-version":[{"id":7376,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/posts\/6759\/revisions\/7376"}],"wp:attachment":[{"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/media?parent=6759"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/categories?post=6759"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.aaddevsup.xyz\/wp-json\/wp\/v2\/tags?post=6759"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}