Connecting from a Managed Service Identity (MSI) to an Azure Key Vault is pretty well documented. But how can we achieve this from a program running on a laptop, using a user account?
Azure Active Directory Application
First we will require an application registered in the Azure Active Directory of your subscription, with the user_impersonation permission for Azure Key Vault.
Write down the application identifier, the redirect URI (if any), and the directory (tenant) identifier of your subscription.
Program
In your program, you will have to:
- add the package Microsoft.Identity.Client to your application
- get the token from Azure using the following code:

```csharp
using System.Linq;
using Microsoft.Identity.Client;

IPublicClientApplication app = PublicClientApplicationBuilder.Create(applicationId)
    .WithRedirectUri(redirectUri)
    .WithAuthority($"https://login.microsoftonline.com/{directoryId}")
    .WithTenantId(directoryId)
    .Build();

// One scope set per resource: the Key Vault user_impersonation delegated permission
string[] scopes = new string[] { "https://vault.azure.net/user_impersonation" };
AuthenticationResult result = null;

// Try the MSAL token cache first (no prompt), then fall back to an interactive sign-in
var accounts = await app.GetAccountsAsync();
try
{
    result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault())
        .ExecuteAsync();
}
catch (MsalUiRequiredException)
{
    // A MsalUiRequiredException on AcquireTokenSilent means there is no usable
    // cached token: call AcquireTokenInteractive to prompt the user
    result = await app.AcquireTokenInteractive(scopes)
        .ExecuteAsync();
}
```

- then, we can instantiate a Key Vault client using the token:

```csharp
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;

HttpClient client = new HttpClient();
// The SDK invokes this callback for each request; it returns the access token acquired above
KeyVaultClient keyVaultClient = new KeyVaultClient(
    (authority, resource, scope) => Task.FromResult(result.AccessToken),
    client);
```

Note that:
- AcquireTokenInteractive prompts the user for their account and password in a popup, using the configured parameters (work and school accounts only, or not)
- the token is available in result.AccessToken and expires at result.ExpiresOn
- the user account must have an access policy on the key vault
- scopes for different resources cannot be combined in one request ("https://vault.azure.net/user_impersonation" and "User.Read" can't be requested together, for example; two calls have to be made)
- a GitHub issue providing a lot of information
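The two points above (the token expires at result.ExpiresOn, and scopes for different resources need separate calls) are easy to get wrong when the Key Vault client captures a single token for the whole session. The following is an added example, not code from the original post: a small provider that keeps one result per resource, returns to MSAL shortly before expiry, and prompts only when the silent path fails. The class name UserTokenProvider, the methods GetTokenAsync and CreateKeyVaultClient, and the five-minute margin are assumptions; the MSAL and Key Vault SDK calls are the same ones the post uses.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Identity.Client;

// Added example; UserTokenProvider is an assumed name, not an MSAL or Key Vault SDK type.
public class UserTokenProvider
{
    private readonly IPublicClientApplication _app;
    // Key: the scope string of one resource; value: the last result obtained for it.
    // A plain Dictionary is enough for a single-threaded desktop program.
    private readonly Dictionary<string, AuthenticationResult> _cache =
        new Dictionary<string, AuthenticationResult>();

    public UserTokenProvider(string applicationId, string directoryId, string redirectUri)
    {
        _app = PublicClientApplicationBuilder.Create(applicationId)
            .WithAuthority($"https://login.microsoftonline.com/{directoryId}")
            .WithRedirectUri(redirectUri)
            .Build();
    }

    // Scopes must belong to a single resource per call, so callers pass the
    // scopes of one resource at a time (Key Vault in one call, Graph in another).
    public async Task<AuthenticationResult> GetTokenAsync(string[] scopes)
    {
        string key = string.Join(" ", scopes);

        // Reuse the in-memory result while it stays valid for at least 5 more minutes
        if (_cache.TryGetValue(key, out AuthenticationResult cached)
            && cached.ExpiresOn > DateTimeOffset.UtcNow.AddMinutes(5))
        {
            return cached;
        }

        AuthenticationResult result;
        IAccount account = (await _app.GetAccountsAsync()).FirstOrDefault();
        try
        {
            // Silent path: MSAL's own cache, including refresh-token renewal, with no UI
            result = await _app.AcquireTokenSilent(scopes, account).ExecuteAsync();
        }
        catch (MsalUiRequiredException)
        {
            // No usable cached token for these scopes (or no account yet): prompt once
            result = await _app.AcquireTokenInteractive(scopes).ExecuteAsync();
        }

        _cache[key] = result;
        return result;
    }

    // Key Vault client whose callback asks the provider on every request, so a
    // token that expires mid-session is renewed instead of being reused stale
    public KeyVaultClient CreateKeyVaultClient(HttpClient httpClient)
    {
        string[] vaultScopes = { "https://vault.azure.net/user_impersonation" };
        return new KeyVaultClient(
            async (authority, resource, scope) =>
                (await GetTokenAsync(vaultScopes)).AccessToken,
            httpClient);
    }
}

// Usage (placeholder values): one provider, two resources, two separate token calls
// var provider = new UserTokenProvider("<application-id>", "<directory-id>", "http://localhost");
// KeyVaultClient vault = provider.CreateKeyVaultClient(new HttpClient());
// AuthenticationResult graph = await provider.GetTokenAsync(new[] { "User.Read" });
```

The callback-based Key Vault client is where the expiry check pays off: the post's version returns the token captured when the client was built, so a long-running program would start failing with 401 once result.ExpiresOn passes, whereas here every request goes through GetTokenAsync and the silent MSAL path renews it without a new prompt.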
Hope this helps!