
[WebToolsE2E][Aspire]After wiring up ASP.NET Core app with Aspire to Azure Key Vault, F5 failed with exception: xxx does not have secrets list permission on key vault. #2695

Closed
v-cazhang opened this issue Mar 7, 2024 · 1 comment
Labels
area-integrations Issues pertaining to Aspire Integrations packages

Comments

@v-cazhang

v-cazhang commented Mar 7, 2024

REGRESSION INFO: Also repros on Aspire 8.0.0-preview.3.24105.21

INSTALL STEPS

  1. Clean machine: Win11 x64 23h2 ENU
  2. Install 17.10.0 Preview 2.0 [34701.141.d17.10] (Includes Aspire 8.0.0-preview.4.24129.7)
  3. Apply NuGet Feeds
  4. Install Docker Desktop

REPRO STEPS

  1. New Project > ASP.NET Core Empty project > name it AspireKeyVault > .NET 8.0 > check 'Enlist in Aspire Orchestration' > create
  2. Open appsettings.json of the AspireKeyVault.AppHost project and add a connection string:

     ```json
     "ConnectionStrings": {
       "secretConnectionName": "https://<vault_account_name>.vault.azure.net/"
     }
     ```

  3. Open Program.cs of the AspireKeyVault.AppHost project and add the following code:

     ```csharp
     // Resolves ConnectionStrings:<name> from the AppHost configuration and
     // flows it to the referenced project as an environment variable.
     var keyVault = builder.AddConnectionString("[secretConnectionName]");
     var myService = builder.AddProject<Projects.AspireKeyVault02>("aspirekeyvault02")
                            .WithReference(keyVault);
     ```

  4. Right-click the AspireKeyVault project > Add > Aspire component > install Aspire.Azure.Security.KeyVault
  5. In the Program.cs of the AspireKeyVault project, add the following code:

     ```csharp
     // Loads every secret in the vault into IConfiguration at startup.
     builder.Configuration.AddKeyVaultSecrets("secretConnectionName");
     ```

  6. Then add the following code to Program.cs:

     ```csharp
     // Reads the secret named "secrets" that the Key Vault provider loaded.
     string? _mySecret = builder.Configuration["secrets"];
     var result = string.IsNullOrEmpty(_mySecret) ? "Null" : _mySecret;
     //app.MapGet("/", () => "Hello World!");
     // Goes after: var app = builder.Build();
     app.MapGet("/", async context =>
     {
         await context.Response.WriteAsync($"Secret is {result}");
     });
     ```

  7. Build and F5

Note:

  1. In step 3, if using `var keyVault = builder.AddAzureKeyVault("asp1vault");` (requires installing the Aspire.Hosting.Azure package), it will hit [WebToolsE2E][Aspire]After adding Azure Key Vault to AppHost project, F5 failed with exception: One or more errors occurred. (No output for vaultUri) #2674

ACTUAL
It shows an exception during F5
```text
Azure.RequestFailedException
  HResult=0x80131500
  Message=The user, group or application 'appid=d5b1cd63-06dc-4e84-a24b-88ba48c90381;oid=d0ed9c42-be47-43b8-921f-a10a71a81718;numgroups=1;iss=https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/' does not have secrets list permission on key vault 'asp1vault;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287
  Status: 403 (Forbidden)
  ErrorCode: Forbidden

  Content:
  {"error":{"code":"Forbidden","message":"The user, group or application 'appid=d5b1cd63-06dc-4e84-a24b-88ba48c90381;oid=d0ed9c42-be47-43b8-921f-a10a71a81718;numgroups=1;iss=https://sts.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/' does not have secrets list permission on key vault 'asp1vault;location=eastus'. For help resolving this issue, please see https://go.microsoft.com/fwlink/?linkid=2125287","innererror":{"code":"AccessDenied"}}}

  Headers:
  Cache-Control: no-cache
  Pragma: no-cache
  x-ms-keyvault-region: eastus
  x-ms-client-request-id: 5d3833af-a396-4040-a8b9-98d1d9e43f15
  x-ms-request-id: ce9e7702-d951-44aa-a41f-25fa40c17f46
  x-ms-keyvault-service-version: 1.9.1300.1
  x-ms-keyvault-network-info: conn_type=Ipv4;addr=104.44.112.227;act_addr_fam=InterNetwork;
  X-Content-Type-Options: REDACTED
  Strict-Transport-Security: REDACTED
  Date: Thu, 07 Mar 2024 04:50:20 GMT
  Content-Length: 444
  Content-Type: application/json; charset=utf-8
  Expires: -1

  Source=Azure.Security.KeyVault.Secrets
  StackTrace:
   at Azure.Security.KeyVault.KeyVaultPipeline.SendRequest(Request request, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.KeyVaultPipeline.GetPage[T](Uri firstPageUri, String nextLink, Func`1 itemFactory, String operationName, CancellationToken cancellationToken)
   at Azure.Security.KeyVault.Secrets.SecretClient.<>c__DisplayClass15_0.<GetPropertiesOfSecrets>b__0(String nextLink)
   at Azure.Core.PageResponseEnumerator.<>c__DisplayClass0_0`1.b__0(String continuationToken, Nullable`1 pageSizeHint)
   at Azure.Core.PageResponseEnumerator.FuncPageable`1.d__2.MoveNext()
   at Azure.Pageable`1.<GetEnumerator>d__8.MoveNext()
   at Azure.Extensions.AspNetCore.Configuration.Secrets.AzureKeyVaultConfigurationProvider.Load()
   at Microsoft.Extensions.Configuration.ConfigurationManager.AddSource(IConfigurationSource source)
   at Microsoft.Extensions.Configuration.ConfigurationManager.Microsoft.Extensions.Configuration.IConfigurationBuilder.Add(IConfigurationSource source)
   at Microsoft.Extensions.Configuration.AzureKeyVaultConfigurationExtensions.AddAzureKeyVault(IConfigurationBuilder configurationBuilder, SecretClient client, AzureKeyVaultConfigurationOptions options)
   at Microsoft.Extensions.Hosting.AspireKeyVaultExtensions.AddKeyVaultSecrets(IConfigurationManager configurationManager, String connectionName, Action`1 configureSettings, Action`1 configureClientOptions, AzureKeyVaultConfigurationOptions options)
   at Program.<Main>$(String[] args) in C:\Users\v-cazhang\source\repos\AspireKeyVault\AspireKeyVault\Program.cs:line 2
```

EXPECTED
F5 successfully.
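The stack trace above shows why the 403 surfaces at startup: `AddKeyVaultSecrets` enumerates the vault (`GetPropertiesOfSecrets`, the secrets *list* operation) before it reads anything. The following Program.cs is an added example, not code from the issue or the Aspire project. It probes that list permission with the same `DefaultAzureCredential` chain first, so a missing role becomes one actionable startup error that names the principal embedded in the service message, and shows the least-privilege alternative of reading one named secret with `GetSecret`, which only needs secrets *get*. The helper class `KeyVaultAccess` is hypothetical; the packages `Azure.Identity` and `Azure.Security.KeyVault.Secrets` are the ones the Aspire component already depends on.

```csharp
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);

// Same connection string name the repro places in the AppHost's appsettings.json.
var vaultUri = new Uri(builder.Configuration.GetConnectionString("secretConnectionName")!);

// Probe before AddKeyVaultSecrets so a 403 becomes an actionable error, not a raw trace.
var problem = KeyVaultAccess.ProbeListPermission(vaultUri);
if (problem is not null)
    throw new InvalidOperationException(problem);

// Full vault enumeration: requires both secrets list and secrets get.
builder.Configuration.AddKeyVaultSecrets("secretConnectionName");

// Least-privilege alternative when only one secret is needed: GetSecret needs only
// secrets get, so the identity never needs list permission on the whole vault.
var single = KeyVaultAccess.ReadSingleSecret(vaultUri, "secrets");

var app = builder.Build();
app.MapGet("/", () => $"Secret is {single ?? "Null"}");
app.Run();

// Hypothetical helper; not part of Aspire or the issue's project.
static class KeyVaultAccess
{
    // Returns null when listing succeeds; otherwise a diagnostic that keeps the service
    // message (it carries appid/oid/tenant of the rejected principal) and names the fix.
    public static string? ProbeListPermission(Uri vaultUri)
    {
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());
        try
        {
            using var e = client.GetPropertiesOfSecrets().GetEnumerator();
            e.MoveNext(); // the first page request is where the list check is enforced
            return null;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            return $"{vaultUri.Host} refused 'secrets list' ({ex.ErrorCode}). Grant the " +
                   "identity named below 'Key Vault Secrets User' (RBAC) or secret get+list " +
                   "(access policy), then retry. Service message: " + ex.Message;
        }
    }

    public static string? ReadSingleSecret(Uri vaultUri, string name)
    {
        var client = new SecretClient(vaultUri, new DefaultAzureCredential());
        try { return client.GetSecret(name).Value.Value; }
        catch (RequestFailedException ex) when (ex.Status == 404) { return null; }
    }
}
```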

@dotnet-issue-labeler dotnet-issue-labeler bot added the area-integrations Issues pertaining to Aspire Integrations packages label Mar 7, 2024
@davidfowl
Member

Dupe of #2621 (comment)

@github-actions github-actions bot locked and limited conversation to collaborators Apr 18, 2024