Closed balachir closed 5 months ago
@rajeshkamal5050 @davidfowl, I'm not sure if the issue here is in aspire or azd. So, I'm starting with the aspire repo.
cc: @eerhardt
@vhvb1989 can you check if anything related to azd?
@balachir - what is this line?
builder.Configuration.AddAzureKeyVault(keyVaultEndpoint, new VisualStudioCredential());
Are you leaving that in for the published app? VisualStudioCredential only works when you are running from VS.
Note also, you need to assign a role assignment of the new ACA App as a "Key Vault Reader" to the existing Key Vault you are using.
@eerhardt the role assignment should happen automatically. azd creates a managedIdentity and gives reading access to it. Then, a project (the aca App) uses that ManagedIdentity.
Looks like the only issue here is the use of the wrong credential.
the role assignment should happen automatically. azd creates a managedIdentity and gives reading access to it. Then, a project (the aca App) uses that ManagedIdentity.
How can it do that to an existing Azure KeyVault? azd doesn't even know that the connection string is a KeyVault.
mm, I guess I got confused with builder.AddAzureKeyVault("foo"). IIRC, that's for creating a new Key Vault. That's different than builder.Configuration.AddAzureKeyVault(""), then?
In the repro steps, the AppHost code being used is:
var keyVault = builder.AddConnectionString("secretConnectionName", "VaultUri");
builder.AddProject<Projects.AspireAzureKeyVault01>("aspireazurekeyvault01")
.WithReference(keyVault);
Which means "I have an existing Key Vault that I want my app to use".
Interesting.
@eerhardt, what's the benefit of adding the connection string for a keyVault to the AppHost and then pulling the endpoint from the env with Environment.GetEnvironmentVariable("VaultUri") from a project for pulling secrets from that key vault?
I'm trying to understand why I would prefer this v/s using the VaultUri directly from my project (especially if the app container that is published won't have read access to my existing kv).
Is it that maybe a connectionString is a better fit for secrets? Like a db connection that includes a connection key?
I don't see why making the project like:
builder.Configuration.AddAzureKeyVault("VaultUri", new DAC());
Would be any different... The vaultUri doesn't need to be a secret, and does not give read access to secrets from it.
How can it do that to an existing Azure KeyVault? azd doesn't even know that the connection string is a KeyVault.
this issue is assigned to me but I'm hoping @mitchdenny's CDK work lets us model this more readily
what's the benefit of adding the connection string for a keyVault to the AppHost
Because then it can be used in multiple service projects. You only need to set it in one place (the AppHost) and you can WithReference it to multiple projects.
and then pulling the endpoint from the env with Environment.GetEnvironmentVariable("VaultUri")
I don't know why this was used in the repro steps. Those two lines should just be:
-var keyVaultEndpoint = new Uri(Environment.GetEnvironmentVariable("VaultUri"));
-builder.Configuration.AddAzureKeyVault(keyVaultEndpoint, new VisualStudioCredential());
+builder.Configuration.AddKeyVaultSecrets("VaultUri");
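Review bot: the `+` line `builder.Configuration.AddKeyVaultSecrets("VaultUri");` drops the explicit credential argument, so the comment should also say which identity the component will authenticate as (the signed-in user under F5, the managed identity azd assigns to the ACA app when published) and that this identity still needs a role on the existing Key Vault; the AccessDenied report later in this thread is exactly that gap. It would also help to state that "VaultUri" here must match the name used in the AppHost's AddConnectionString call.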
Because then it can be used in multiple service projects. You only need to set it in one place (the AppHost) and you can WithReference it to multiple projects.
Can service projects pull the key vault endpoint from the system environment? Or from a project setting constants?
Using a key vault endpoint as a secret connection string seems a little bit odd. Especially if I need to call builder.Configuration.AddKeyVaultSecrets("VaultUri") from the service project's code.
Maybe it would make a lot of sense if Aspire could automatically add the key vault to the Configuration without manually calling Configuration.AddKeyVaultSecrets(..).
Like, changing this:
var keyVault = builder.AddConnectionString("secretConnectionName", "VaultUri");
builder.AddProject<Projects.AspireAzureKeyVault01>("aspireazurekeyvault01")
.WithReference(keyVault);
for:
var keyVault = builder.AddConnectionString("secretConnectionName", "VaultUri");
builder.AddProject<Projects.AspireAzureKeyVault01>("aspireazurekeyvault01")
.WithConfigKeyVault(keyVault);
A method like WithConfigKeyVault() would allow Aspire to know that's a Key Vault to be set as App Configuration, so we need to assign read access for the ManagedIdentity and set the AppConfig.
Can service projects pull the key vault endpoint from the system environment? Or from a project setting constants?
The service projects can pull the key vault endpoint from wherever the configuration is set up, just like any other connection string.
Maybe, it would make a lot of sense, if Aspire could automatically add the key vault to the Configuration without manually calling Configuration.AddKeyVaultSecrets(..).
Feel free to open an issue suggesting this.
@vhvb1989 See https://github.com/dotnet/aspire/issues/2587. There are many scenarios with Keyvault varying from the application code using it to the compute fabric (aka the apphost in local dev) pulling from kv and pushing things into the app via environment variables.
and then pulling the endpoint from the env with Environment.GetEnvironmentVariable("VaultUri") I don't know why this was used in the repro steps.
@eerhardt regarding the above question, I was trying to mimic what the VS Connected Service tooling does. Today, in a non-aspire app, when I try to add an Azure Key Vault using the VS Connected Services UI, it adds the VaultUri as an environment variable in launchSettings.json and then passes that to Configuration. I'll try using Configuration.AddKeyVaultSecrets instead like you suggested and see if I can get that to work.
@eerhardt I tried using Configuration.AddKeyVaultSecrets now but I cannot get F5 to work due to an AccessDenied error. Is this a separate bug that I should open? Or am I missing something?
I did similar steps to those shown in my Repro Steps above, but made the following tweaks.
In WebApp01.AppHost project, I changed it like this
In WebApp01 project, I changed it like this
When I run the project, I see the following error
It says you don't have permission to the KeyVault. You need to enable it. https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-guide
Moving this to preview5 since it doesn't look like an issue with the product.
I'm going to close this issue as it looks like an Azure permission/configuration issue. @balachir - please re-open if Azure is set up correctly and if there is something Aspire is doing wrong.
REGRESSION INFO: We're using a new way in Aspire 8.0 P4 of connecting to KeyVault using AddConnectionString, so cannot really compare with Aspire 8.0 P3
INSTALL STEPS
REPRO STEPS
myAppSetting
var builder = WebApplication.CreateBuilder(args);
builder.AddServiceDefaults();
var keyVaultEndpoint = new Uri(Environment.GetEnvironmentVariable("VaultUri"));
builder.Configuration.AddAzureKeyVault(keyVaultEndpoint, new VisualStudioCredential());
var app = builder.Build();
app.MapDefaultEndpoints();
//app.MapGet("/", () => "Hello World!");
string? _mySecret = builder.Configuration["myAppSetting"];
var result = string.IsNullOrEmpty(_mySecret) ? "Null" : _mySecret;
app.MapGet("/", async context => { await context.Response.WriteAsync($"Secret is {result}"); });
app.Run();
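A corrected version of the repro's Program.cs, added here as an example (it is not code from the issue or from the Aspire project): it keeps the AddAzureKeyVault configuration call from Azure.Extensions.AspNetCore.Configuration.Secrets but replaces VisualStudioCredential with DefaultAzureCredential, so the same code authenticates as the signed-in developer under F5 and as the managed identity in the published ACA app, and it probes the vault once at startup so a missing RBAC role fails with an actionable message instead of a bare AccessDenied. It assumes, as in the repro, that the AppHost exposes the endpoint in the VaultUri environment variable, and that the Azure.Identity and Azure.Security.KeyVault.Secrets packages are referenced.

```csharp
using Azure;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

var builder = WebApplication.CreateBuilder(args);
builder.AddServiceDefaults();

// "VaultUri" is the environment variable the AppHost sets via
// AddConnectionString("secretConnectionName", "VaultUri") (assumed, as in the repro).
// It is only the endpoint, not a secret: knowing it grants no read access.
var vaultUriValue = builder.Configuration["VaultUri"]
    ?? throw new InvalidOperationException("VaultUri is not configured; was the resource referenced from the AppHost?");
var vaultUri = new Uri(vaultUriValue);

// DefaultAzureCredential tries Visual Studio / Azure CLI / developer credentials locally and the
// managed identity when running in ACA; AZURE_CLIENT_ID (set for a user-assigned identity)
// is picked up automatically. VisualStudioCredential alone never works in the published app.
var credential = new DefaultAzureCredential();

// Fail fast at startup if the current identity has no data-plane access to the vault,
// and say what to fix: a role assignment on the vault itself, not on the app.
try
{
    var probe = new SecretClient(vaultUri, credential);
    await foreach (var _ in probe.GetPropertiesOfSecretsAsync()) { break; }
}
catch (RequestFailedException ex) when (ex.Status == 403)
{
    throw new InvalidOperationException(
        $"The running identity cannot read secrets in {vaultUri}. Assign it a Key Vault RBAC role " +
        "that permits reading secrets (e.g. 'Key Vault Secrets User') on that vault; for the published " +
        "app this is the managed identity azd created for the ACA app.", ex);
}

builder.Configuration.AddAzureKeyVault(vaultUri, credential);

var app = builder.Build();
app.MapDefaultEndpoints();

// Same smoke-test endpoint as the repro: echo a non-sensitive marker of the secret's presence.
string? mySecret = builder.Configuration["myAppSetting"];
app.MapGet("/", () => string.IsNullOrEmpty(mySecret) ? "Secret is Null" : "Secret is present");

app.Run();
```

The probe only lists secret metadata, so the message distinguishes a missing role assignment (403) from a wrong endpoint or network issue, which still surface as their original exceptions.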