Azure Key Vault (RBAC) and Local Developers?
Hey peeps,
I'm looking for a good solution pathway for a problem I'm encountering.
I'm currently trying to integrate Azure Key Vault for secrets storage on the development team side. There realistically is (this is opinionated) no better option to keep secrets from even the team (which is a requirement in my project). The issue, is that Azure is moving in favor of RBAC but the .NET support is still referencing Access Policies with certificates to gain access to vaults (https://learn.microsoft.com/en-us/aspnet/core/security/key-vault-configuration?view=aspnetcore-8.0)
Managed Identities are easy here but only work once the application is running in the Azure Service Fabric and I need to authenticate with RBAC for User Identities that exist in Entra from my local development machines.
The true issue here is when you enable RBAC for Azure Key Vault you disable Access Policies and vice versa.
Any thoughts would be appreciated.
1 Reply
I wanted to answer my own question here because the solution was extremely dumb:
There is a reason Azure provides RBAC with Entra and that is because if you're using tooling like Visual Studio and you're logged into Visual Studio with an Azure Entra Identity that has permissions to access Service Fabric Resources - you're already done.
You can use the Azure.Identity nuget with it's DefaultAzureCredential() type used like this:
var azureSettings = builder.Configuration.GetSection("Azure");
builder.Configuration.AddAzureKeyVault(
new Uri($"https://{azureSettings["KeyVault"]}.vault.azure.net/"),
new DefaultAzureCredential());
DefaultAzureCredential will grab the identity registered in visual studio and access the resource. You need to be mindful of your network layer of course but that's a different topic.
This allows developers to only need the Key Vault Name in the appsettings.json and bobs your uncle.