Using a proxy for keyvaultclient

  • Question

  • Hi,

    My service is currently behind a firewall and to access the Key Vault in Azure I'm using a proxy.

    The proxy has these addresses whitelisted:

    login.microsoftonline.com:443

    management.azure.com:443

    graph.windows.net:443

    *.vault.azure.net:443

    login.windows.net:443

    login.microsoftonline.com:443

    microsoft.com:443

    And this is how I set up my keyvaultclient in my code:

    using System;
    using System.Net;
    using System.Net.Http;
    using Microsoft.Azure.KeyVault;
    using Microsoft.Azure.KeyVault.Models;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // CertificateException, EnvironmentControl, KeyVaultConfigSection and
    // ClientConfigSection are types from the poster's own code base.
    internal static class CertificateLoader
    {
        internal static SecretBundle LoadCertificate(KeyVaultConfigSection keyVaultConfigSection, ClientConfigSection clientConfigSection)
        {
            var keyVault = GetKeyVaultClient(keyVaultConfigSection, clientConfigSection);
            SecretBundle certificate;
            try
            {
                // Synchronous wait on the async call; the exception shown below surfaces here.
                certificate = keyVault.GetSecretAsync(keyVaultConfigSection.Vault, "certificate").GetAwaiter().GetResult();
            }
            catch (Exception e)
            {
                throw new CertificateException("Error fetching certificate from Keyvault.", e);
            }
            return certificate;
        }

        internal static KeyVaultClient GetKeyVaultClient(KeyVaultConfigSection keyVaultConfigSection, ClientConfigSection clientConfigSection)
        {
            HttpClient httpClient = null;

            // Proxy: this handler is only handed to KeyVaultClient, i.e. it covers the
            // *.vault.azure.net calls. The AuthenticationContext in the callback below
            // builds its own HTTP pipeline and does not see this handler.
            if (EnvironmentControl.UseProxyEnvironment())
            {
                var handler = new HttpClientHandler()
                {
                    Proxy = new WebProxy(keyVaultConfigSection.Proxy),
                    UseProxy = true
                };
                httpClient = new HttpClient(handler);
            }

            return new KeyVaultClient(async (authority, resource, scope) =>
                {
                    // Client-credentials flow against the AAD authority (ADAL).
                    var authContext = new AuthenticationContext(authority);
                    var clientCred = new ClientCredential(clientConfigSection.ClientId, clientConfigSection.ClientSecret);
                    var result = await authContext.AcquireTokenAsync(resource, clientCred);
                    if (result == null)
                        throw new InvalidOperationException("Failed to retrieve access token for Key Vault");
                    return result.AccessToken;
                }, httpClient ?? new HttpClient()
            );
        }
    }

    But when running this code I get:

    Error fetching certificate from Keyvault.
    System.OperationCanceledException (-2146233029)
    The operation was canceled.
       at System.Net.Http.HttpClient.HandleFinishSendAsyncError(Exception e, CancellationTokenSource cts)
       at System.Net.Http.HttpClient.FinishSendAsyncBuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.HttpClientWrapper.GetResponseAsync()
       at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient.GetResponseAsync[T](Boolean respondToDeviceAuthChallenge)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Http.AdalHttpClient.GetResponseAsync[T]()
       at Microsoft.IdentityModel.Clients.ActiveDirectory.InstanceDiscovery.DiscoverAsync(Uri authority, Boolean validateAuthority, RequestContext requestContext)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.InstanceDiscovery.GetMetadataEntryAsync(Uri authority, Boolean validateAuthority, RequestContext requestContext)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Instance.Authenticator.UpdateFromTemplateAsync(RequestContext requestContext)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.PreRunAsync()
       at Microsoft.IdentityModel.Clients.ActiveDirectory.Internal.Flows.AcquireTokenHandlerBase.RunAsync()
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenForClientCommonAsync(String resource, ClientKey clientKey)
       at Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenAsync(String resource, ClientCredential clientCredential)
       at -------------------------------.<>c__DisplayClass3_0.<b__0>d.MoveNext()
    --- End of stack trace from previous location where exception was thrown ---
       at Microsoft.Azure.KeyVault.KeyVaultCredential.PreAuthenticate(Uri url)
       at Microsoft.Azure.KeyVault.KeyVaultCredential.ProcessHttpRequestAsync(HttpRequestMessage request, CancellationToken cancellationToken)
       at Microsoft.Azure.KeyVault.KeyVaultClient.GetSecretWithHttpMessagesAsync(String vaultBaseUrl, String secretName, String secretVersion, Dictionary`2 customHeaders, CancellationToken cancellationToken)
       at Microsoft.Azure.KeyVault.KeyVaultClientExtensions.GetSecretAsync(IKeyVaultClient operations, String vaultBaseUrl, String secretName, CancellationToken cancellationToken)
       at ------------------------------
    --- End of inner exception stack trace ---

    This code works when not being behind a firewall, and also the proxy works for other httpclient requests.

    Friday, September 20, 2019 8:49 AM
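The setup above, reworked as an added example (not the poster's code, and not part of the original thread) so that ADAL and the Key Vault SDK share one proxied HttpClient. It assumes ADAL.NET 4.x or later, which exposes the IHttpClientFactory interface and the AuthenticationContext overload that accepts it; proxyAddress, clientId, clientSecret, vaultUrl and the type and method names are placeholders chosen here.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Added example. Assumes ADAL.NET 4.x+ (IHttpClientFactory and the matching
// AuthenticationContext constructor). All names below are hypothetical.
internal sealed class ProxyHttpClientFactory : IHttpClientFactory
{
    private readonly HttpClient _client;

    public ProxyHttpClientFactory(string proxyAddress)
    {
        var handler = new HttpClientHandler
        {
            Proxy = new WebProxy(proxyAddress),
            UseProxy = true
        };
        // One HttpClient for the process lifetime. A short timeout makes a route
        // the proxy does not allow fail fast (HttpClient reports its timeout as
        // OperationCanceledException, the exception seen in the thread above).
        _client = new HttpClient(handler) { Timeout = TimeSpan.FromSeconds(30) };
    }

    public HttpClient GetHttpClient() => _client;
}

internal static class ProxiedKeyVault
{
    public static KeyVaultClient Create(string proxyAddress, string clientId, string clientSecret)
    {
        var factory = new ProxyHttpClientFactory(proxyAddress);

        KeyVaultClient.AuthenticationCallback callback = async (authority, resource, scope) =>
        {
            // Same factory here, so ADAL's instance discovery and the token request
            // to login.microsoftonline.com traverse the proxy as well, instead of
            // ADAL building its own unproxied pipeline.
            var authContext = new AuthenticationContext(authority, true, TokenCache.DefaultShared, factory);
            var result = await authContext.AcquireTokenAsync(resource, new ClientCredential(clientId, clientSecret));
            if (result == null)
                throw new InvalidOperationException("Failed to retrieve access token for Key Vault");
            return result.AccessToken;
        };

        // The vault calls (*.vault.azure.net) use the same proxied client.
        return new KeyVaultClient(callback, factory.GetHttpClient());
    }

    public static async Task<string> ReadSecretAsync(KeyVaultClient client, string vaultUrl, string secretName)
    {
        SecretBundle bundle = await client.GetSecretAsync(vaultUrl, secretName);
        return bundle.Value;
    }
}
```

A quick check against the stack trace in the question: the cancellation is raised inside ADAL's own HttpClientWrapper during InstanceDiscovery.DiscoverAsync, i.e. on the authority call that precedes any request to the vault, which is the leg that the handler passed only to KeyVaultClient never covers. With both legs on the shared factory, every outbound request maps onto one of the whitelist entries listed in the question (login.microsoftonline.com and *.vault.azure.net), and a proxy-side connection log for those two hosts is the simplest way to confirm the routing before touching credentials or firewall rules.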