Tuesday, November 16, 2021

Reading KV secrets in application hosted in CS-ES.

As per the authentication best practices in the Azure Key Vault Developer's Guide (Microsoft Docs), it is recommended to use managed identity for applications deployed to Azure. If you use Azure services that do not support managed identity, or if applications are deployed on premises, a service principal with a certificate is a possible alternative. In that scenario, the certificate should be stored in Key Vault and rotated frequently.

Please note that CS-ES doesn't support "Managed Service Identity" for now.


In Cloud Services (classic) we had a similar limitation, so in the absence of managed service identities we used the following approach:

  • Certificate credentials for application authentication, to help establish the application identity and get access to Key Vault for reading keys, secrets, etc.
  • We first need to create a Service Principal in AD and an App registration.
  • Using a certificate we assign to both this Service Principal and our Cloud Service, we can authenticate with Key Vault.


Similarly, in the absence of managed service identities (MSI) for CS-ES, you can use Certificate Credentials for application authentication to help establish application identity and get access to key vault for reading keys, secrets etc.


Here is the reference documentation you can follow to authenticate SecretClient via Certificate.


Below is the sample app code for reading secrets from KV.


            using System;
            using System.Linq;
            using System.Security.Cryptography.X509Certificates;
            using Azure.Identity;
            using Azure.Security.KeyVault.Secrets;

            // Thumbprint of the service principal certificate installed on the role instance.
            string certificateThumbprint = "<certificate-thumbprint>";
            // tenantID and clientID can be fetched from the App registration.
            string tenantID = "<tenant-id>";
            string clientID = "<client-id>";
            string keyVaultUrl = "https://<vault-name>.vault.azure.net/";

            // Look up the certificate (with its private key) in the LocalMachine\My store.
            var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
            store.Open(OpenFlags.ReadOnly);
            X509Certificate2 cert = store.Certificates.OfType<X509Certificate2>()
                .FirstOrDefault(x => x.Thumbprint == certificateThumbprint);
            store.Close();
            if (cert == null)
                throw new InvalidOperationException("Certificate not found in the LocalMachine\\My store.");

            // Authenticate the App registration with the certificate and create the Key Vault client.
            var credential = new ClientCertificateCredential(tenantID, clientID, cert);
            var client = new SecretClient(new Uri(keyVaultUrl), credential);

            // Read a secret by name.
            KeyVaultSecret secret = client.GetSecret("<secret-name>");


You can also refer to the Key Vault documentation for more details on authenticating via service principal and certificate: Authenticate to Azure Key Vault | Microsoft Docs.
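As an added example (not the post's own code), the same certificate-credential approach with the certificate located by subject distinguished name instead of thumbprint, which suits the frequent rotation the guide recommends: each rotated certificate is installed under the same subject with its public key registered on the App registration, and the newest in-date one is used. The tenant ID, client ID, subject name and vault URL are assumed placeholders.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
// Added example (not from the original post): selects the service principal certificate by
// subject name so a rotated certificate is picked up without changing a stored thumbprint.
public static class KeyVaultSecretReader
{
    // Assumed placeholder values; replace with your App registration and vault settings.
    private const string TenantId = "<tenant-id>";
    private const string ClientId = "<app-registration-client-id>";
    private const string CertSubject = "CN=cses-keyvault-client"; // assumed subject DN
    private const string VaultUrl = "https://<vault-name>.vault.azure.net/";

    // Returns the newest in-date certificate with a private key for the given subject DN.
    public static X509Certificate2 LoadClientCertificate(string subjectDn)
    {
        using var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        var now = DateTime.Now;
        // validOnly: false so a self-signed SP certificate is not dropped for chain reasons; dates are checked below.
        var cert = store.Certificates
            .Find(X509FindType.FindBySubjectDistinguishedName, subjectDn, validOnly: false)
            .OfType<X509Certificate2>()
            .Where(c => c.HasPrivateKey && c.NotBefore <= now && c.NotAfter > now)
            .OrderByDescending(c => c.NotAfter)
            .FirstOrDefault();
        if (cert == null)
            throw new InvalidOperationException($"No usable certificate for '{subjectDn}'.");
        // Flag approaching expiry so rotation is noticed before authentication starts failing.
        if (cert.NotAfter < now.AddDays(30))
            Console.Error.WriteLine($"WARNING: cert {cert.Thumbprint} expires {cert.NotAfter:u}.");
        return cert;
    }

    public static SecretClient CreateClient()
    {
        var credential = new ClientCertificateCredential(TenantId, ClientId, LoadClientCertificate(CertSubject));
        return new SecretClient(new Uri(VaultUrl), credential);
    }

    public static async Task<string> ReadSecretAsync(string secretName)
    {
        var response = await CreateClient().GetSecretAsync(secretName);
        return response.Value.Value;
    }
}
```

The private key stays in the role instance's certificate store; only the certificate's public part is uploaded to the App registration.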


For using certificates in CS-ES, please refer to Store and use certificates in Azure Cloud Services (extended support) | Microsoft Docs.


Note: Unlike Azure App Service (where you can directly use MSI to get secrets), with CS-ES you will have to follow the above workaround of certificates and an App registration.

Posted at https://sl.advdat.com/30yUjT4