Setting up Azure Key Vault for Debug and Production

  • Question

  • I have been battling with using Azure Key Vault in both development and production versions of my app for several days now.  I can't seem to set things up correctly to gain access to my key vault from my app running locally during debug in VS 2017 or when deployed as a Web App on Azure.  When I use the CLI with my account and resource group set I have no problem accessing a secret in my vault.  However, when I try to access the same secret using the code below in my app I get an error stating that the access token was not obtained (paraphrased).

    Imports System.Threading.Tasks
    Imports Microsoft.Azure.KeyVault
    Imports Microsoft.Azure.KeyVault.Models
    Imports Microsoft.Azure.Services.AppAuthentication

    Public Class SocialXXXXXXX
        Inherits System.Web.UI.Page

        Public Property Message As String

        ' TextBox7 is declared in the page's .designer.vb file.
        Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load

            'Message = "Your application description page."
            Dim retries As Integer = 0
            Dim retry As Boolean = False

            Try
                Dim azureServiceTokenProvider As AzureServiceTokenProvider = New AzureServiceTokenProvider()

                ' KeyVaultClient invokes GetAccessTokenAsync when the vault challenges the request.
                Dim keyVaultClient As KeyVaultClient = New KeyVaultClient(New KeyVaultClient.AuthenticationCallback(AddressOf GetAccessTokenAsync))
                ' .Result blocks the request thread; a token failure surfaces as an AggregateException
                ' wrapping AzureServiceTokenProviderException, which the Catch below does not handle.
                Dim secret = keyVaultClient.GetSecretAsync("https://XXXXXXXvault.vault.azure.net/secrets/ExamplePassword/52ec77ddc2dXXXXXXX6c63f6c9").Result
                TextBox7.Text = secret.Value
            Catch keyVaultException As KeyVaultErrorException
                TextBox7.Text = keyVaultException.Message
            End Try

        End Sub

        ' Exponential back-off in milliseconds (not yet wired into Page_Load).
        Private Shared Function getWaitTime(ByVal retryCount As Integer) As Long
            Dim waitTime As Long = (CLng(Math.Pow(2, retryCount)) * 100L)
            Return waitTime
        End Function

        ' VB's relaxed delegate conversion lets this parameterless method satisfy the
        ' (authority, resource, scope) callback signature. The resource KeyVaultClient
        ' supplies is ignored and the vault's own URL is requested as the token resource.
        Public Async Function GetAccessTokenAsync() As Task(Of String)
            Dim azureServiceTokenProvider = New AzureServiceTokenProvider()
            Dim accessToken As String = Await azureServiceTokenProvider.GetAccessTokenAsync("https://XXXXXXXvault.vault.azure.net/")
            Return accessToken
        End Function
    End Class


    My Azure setup looks like this:

      • Resource Group: XXXXXXXResources with Identity set to "On"
      • Active Directory: App Registrations XXXXXXX with the owner being set to my Azure Account
      • Key Vault: XXXXXXXKeyVault with My User Account having Get and List Permissions and the XXXXXXX from Active Directory also having Get and List Permissions

    I have found many tutorials on this and have tried to follow many of them but it seems that Azure has changed at a rate that makes it hard for me to follow the tutorials as many were based on earlier versions of the Azure Portal.

    Can you tell me where my error is?

    Update:

    A couple of users on different forums have suggested that I use an approach that requires me to authenticate with an app secret, app id and tenant id (see https://forums.asp.net/p/2158070/6271824.aspx?p=True&t=636995498339724660).  However, I am reluctant to go that route as instead of using MSI, it requires me to include my app secret either in my code or in a setting.  I have gone through many tutorials and even deleted everything other than my web app from Azure and started over following MS's tutorial at https://docs.microsoft.com/en-us/learn/modules/manage-secrets-with-azure-key-vault/1-introduction and followed Microsoft's recommendations verbatim (twice actually) and still have had no luck.  I have also found that others are having the same issue and thus far I have not found that anyone has solved it.  The problem appears to reside in the fact that Microsoft.Azure.Services.AppAuthentication is not authenticating the account which the developer is using for Azure Service Authentication (Tools>Azure>Azure Service Authentication in VS).  I am also unsure if something else may be wrong with Microsoft.Azure.Services.AppAuthentication since not only will my app not get the secret when debugging locally but it also does not get the secret when deployed on the same machine that the key vault resides on.  This is a very perplexing problem.

    • Edited by Jamberfx Wednesday, July 24, 2019 2:48 PM Update
    Tuesday, July 23, 2019 5:54 PM

All replies

  • I believe MSI is not set up correctly on the App Service or the application service principal is not added to the Azure Key Vault access policies.  Can you please check if the environment variables MSI_EndPoint and MSI_Secret exist on the App Service?  I would also recommend going through the sample "Use Key Vault from App Service with Managed Service Identity" if this helps.
    Thursday, July 25, 2019 1:10 AM
    Moderator
  • Thank you for your reply.  I checked the MSI_EndPoint and MSI_Secret and both exist on the App Service and the service principal is shown to have get/list permission in the access policies for the key vault.

    Jamberfx

    Thursday, July 25, 2019 10:51 AM
  • You need to pass "https://vault.azure.net" to the azureServiceTokenProvider.GetAccessTokenAsync method, e.g.

        azureServiceTokenProvider.GetAccessTokenAsync("https://vault.azure.net")
    Saturday, July 27, 2019 10:51 AM
    Moderator
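Putting the two moderator replies together, the following is an added example (not code from the original post, nor from the Microsoft sample the first reply mentions) of a Web Forms page that reads a Key Vault secret through a managed identity using the token resource this reply recommends, and that reports which identity source AppAuthentication will use by checking the App Service variables the first reply asks about. The class name, the `KeyVault:SecretId` appSetting, the `SecretStatus` property and the `Async="true"` page directive are assumptions made for the example.

```vb
Imports System
Imports System.Configuration
Imports System.Threading.Tasks
Imports System.Web.UI
Imports Microsoft.Azure.KeyVault
Imports Microsoft.Azure.KeyVault.Models
Imports Microsoft.Azure.Services.AppAuthentication

' Requires <%@ Page Async="true" %> in the .aspx so the awaitable work runs through
' RegisterAsyncTask instead of blocking the request thread with .Result.
Public Class KeyVaultSecretPage
    Inherits Page

    ' Resource (audience) the token must be issued for: the Key Vault service as a whole,
    ' not the host name of one vault. This is the value the reply above recommends.
    Private Const KeyVaultResource As String = "https://vault.azure.net"

    ' Secret identifier read from web.config appSettings (the key name is an assumption), e.g.
    '   https://<vault-name>.vault.azure.net/secrets/<secret-name>   (no version = current version)
    Private Const SecretIdSettingKey As String = "KeyVault:SecretId"

    ' Bound in markup as <%: SecretStatus %>; reports progress, never the secret value itself.
    Public Property SecretStatus As String = ""

    ' Set by LoadSecretAsync for use elsewhere on the page; deliberately not rendered.
    Private retrievedSecret As String

    Protected Sub Page_Load(sender As Object, e As EventArgs) Handles Me.Load
        RegisterAsyncTask(New PageAsyncTask(AddressOf LoadSecretAsync))
    End Sub

    ' Which credential path AzureServiceTokenProvider will try, based on the App Service
    ' variables the first reply asks about (MSI_ENDPOINT/MSI_SECRET) and the newer
    ' IDENTITY_ENDPOINT variable. Worth writing to a log when the same code works from
    ' the CLI but fails inside the app.
    Public Shared Function DescribeIdentitySource() As String
        Dim msiEndpoint = Environment.GetEnvironmentVariable("MSI_ENDPOINT")
        Dim msiSecret = Environment.GetEnvironmentVariable("MSI_SECRET")
        Dim identityEndpoint = Environment.GetEnvironmentVariable("IDENTITY_ENDPOINT")

        If Not String.IsNullOrEmpty(msiEndpoint) AndAlso Not String.IsNullOrEmpty(msiSecret) Then
            Return "App Service managed identity (MSI_ENDPOINT and MSI_SECRET present)"
        ElseIf Not String.IsNullOrEmpty(identityEndpoint) Then
            Return "App Service managed identity (IDENTITY_ENDPOINT present)"
        End If
        Return "No App Service identity variables; local developer credentials (Visual Studio, Azure CLI) will be tried"
    End Function

    ' Matches KeyVaultClient.AuthenticationCallback exactly. KeyVaultClient fills in the
    ' resource from the vault's 401 challenge ("https://vault.azure.net"); pass that through
    ' rather than substituting the vault's own URL, which is not a resource Azure AD issues
    ' tokens for and so produces the "access token was not obtained" failure.
    Private Shared Async Function GetKeyVaultTokenAsync(authority As String,
                                                        resource As String,
                                                        scope As String) As Task(Of String)
        Dim tokenProvider As New AzureServiceTokenProvider()
        Dim audience = If(String.IsNullOrEmpty(resource), KeyVaultResource, resource)
        Return Await tokenProvider.GetAccessTokenAsync(audience)
    End Function

    Private Async Function LoadSecretAsync() As Task
        Dim secretId As String = ConfigurationManager.AppSettings(SecretIdSettingKey)
        If String.IsNullOrEmpty(secretId) Then
            SecretStatus = "Missing appSetting " & SecretIdSettingKey
            Return
        End If

        Dim client As New KeyVaultClient(
            New KeyVaultClient.AuthenticationCallback(AddressOf GetKeyVaultTokenAsync))
        Try
            Dim secret As SecretBundle = Await client.GetSecretAsync(secretId)
            retrievedSecret = secret.Value
            SecretStatus = "Secret loaded via " & DescribeIdentitySource()
        Catch ex As AzureServiceTokenProviderException
            ' Token acquisition failed: identity not available, or wrong resource/audience.
            SecretStatus = "Token not obtained (" & DescribeIdentitySource() & "): " & ex.Message
        Catch ex As KeyVaultErrorException
            ' Token obtained but the vault refused it: typically a missing Get/List access policy.
            SecretStatus = "Key Vault refused the request: " & ex.Message
        End Try
    End Function
End Class
```

Two design points: the secret identifier lives in configuration rather than in code, so the same build runs against a development vault locally and a production vault in App Service with no code change; and the two Catch blocks separate the two failure classes the thread discusses, a token that could not be obtained (identity or resource problem) from a token the vault rejected (access policy problem), which is the distinction the first reply asks the poster to check.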
  • I'm following up on this; please remember to mark one of the responses as the answer if your question has been answered. If not, please let us know if there are any more questions.
    Tuesday, August 13, 2019 7:40 PM
    Moderator