Question asked by JeanieHuynh-3291 (prmanhas-MSFT commented)

How do I access KeyVault from a .NET console app Azure Batch job?

I have a .NET console app job that needs to read a secret from KeyVault. The .NET console app is uploaded to run on an Azure Batch job. I am using the Microsoft.Azure.Services.AppAuthentication package and here is the snippet of code trying to access the KeyVault:

 using Microsoft.Azure.KeyVault;
 using Microsoft.Azure.Services.AppAuthentication;
 // The connection string selects the user-assigned identity by its client ID
 var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId={my managed identity's client ID}");
 KeyVaultClient keyVaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
 var secret = await keyVaultClient.GetSecretAsync(cacheKey); // cacheKey holds the secret's identifier

I keep getting this error though when the job is run from Azure Batch:
INNER EXCEPTION: MESSAGE: Parameters: Connection String: RunAs=App;AppId={client id}, Resource: https://vault.azure.net, Authority: https://login.windows.net/{redacted}. Exception Message: Tried to get token using Managed Service Identity. Access token could not be acquired. Received a non-retryable error. MSI ResponseCode: BadRequest, Response: {"error":"invalid_request","error_description":"Identity not found"}


Tags: azure-key-vault, azure-batch, azure-managed-identity
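An added diagnostic example, not code from the question or from Microsoft: before reading the secret it asks the compute node's instance metadata service (IMDS) for a token for the specific user-assigned identity, which separates "the identity is not attached to this node" (the HTTP 400 "Identity not found" response quoted above) from "the identity has no access policy on the vault" (a 403 from Key Vault), and only then reads the secret with the same AppAuthentication call the question uses. The client ID, vault name and secret name are placeholders to be replaced.

```csharp
using System;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public static class BatchKeyVaultProbe
{
    // Placeholders (assumed values): the user-assigned identity's client ID and the secret's full identifier.
    private const string ManagedIdentityClientId = "<client-id-of-user-assigned-identity>";
    private const string SecretIdentifier = "https://<vault-name>.vault.azure.net/secrets/<secret-name>";
    // Step 1: ask the node's instance metadata service (IMDS) for a token for this exact client ID.
    // HTTP 400 with "Identity not found" means the identity is not attached to this compute node,
    // so the fix is on the pool's identity assignment, not on the vault's access policy.
    public static async Task<bool> IdentityIsAttachedAsync(HttpClient http)
    {
        var url = "http://169.254.169.254/metadata/identity/oauth2/token"
                + "?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net"
                + "&client_id=" + Uri.EscapeDataString(ManagedIdentityClientId);
        using var request = new HttpRequestMessage(HttpMethod.Get, url);
        request.Headers.Add("Metadata", "true"); // IMDS rejects requests without this header
        using var response = await http.SendAsync(request);
        if (response.IsSuccessStatusCode) return true;
        Console.Error.WriteLine($"IMDS {(int)response.StatusCode}: {await response.Content.ReadAsStringAsync()}");
        return false;
    }
    // Step 2: with the identity confirmed, use the same AppAuthentication call as the question.
    // A 403 at this stage points at the Key Vault access policy for this identity.
    public static async Task<string> ReadSecretAsync()
    {
        var tokenProvider = new AzureServiceTokenProvider("RunAs=App;AppId=" + ManagedIdentityClientId);
        var keyVaultClient = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(tokenProvider.KeyVaultTokenCallback));
        var bundle = await keyVaultClient.GetSecretAsync(SecretIdentifier);
        return bundle.Value;
    }
    public static async Task<int> Main()
    {
        using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(5) };
        if (!await IdentityIsAttachedAsync(http))
        {
            Console.Error.WriteLine("Identity not attached to this Batch node; check the pool's identity settings.");
            return 2; // non-zero exit so the Batch task is reported as failed
        }
        var secret = await ReadSecretAsync();
        Console.WriteLine($"Secret retrieved ({secret.Length} characters); value deliberately not printed.");
        return 0;
    }
}
```

Run it as the Batch task's command line; the task's stderr then tells you which of the two stages failed rather than only the combined AppAuthentication message.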

Hi @prmanhas-MSFT! Yes, I've followed that documentation. I've made sure the user-assigned identity has proper access policies in the Key Vault, the identity is assigned to the Batch Pool, and that I've included a connection string in the AzureServiceTokenProvider call (because it's user-assigned).

Thanks!


@JeanieHuynh-3291 Just following up to check if you got a chance to go through my previous response?

Do let me know in case of any queries.

Thanks


0 Answers