vcsjones / AzureSignTool

SignTool Library and Azure Key Vault Support
MIT License

Accessing keys stored in Azure Government Key Vault #158

Closed vincentl2189 closed 9 months ago

vincentl2189 commented 2 years ago

I'm attempting to access a key stored in an Azure Government Key Vault and I am receiving the following error:

AADSTS900382: Confidential Client is not supported in Cross Cloud request

I am using these options: -du -kvu -kvt -kvi -kvs -kvc -tr -v

Is there a method to specify my Azure environment?

vcsjones commented 2 years ago

Hm.. I think I need to provide an option to specify "other" clouds here:

https://github.com/vcsjones/AzureSignTool/blob/d3cd68a58943f44b8e28618e371f9090a2b4e6da/src/AzureSignTool/KeyVaultConfigurationDiscoverer.cs#L34

Otherwise it is going to use https://login.microsoftonline.com which won't work for Gov Cloud.

I am going to be doing a release to move to .NET 6, I'll sneak a change in there that will allow specifying other clouds (German, Gov cloud).

vcsjones commented 2 years ago

@vincentl2189 would you be willing to try a pre-release when I have one available that contains a fix?

vincentl2189 commented 2 years ago

Sure can.

garrett-wood commented 2 years ago

@vcsjones / @vincentl2189

I do have this working in Azure Government with a previous release - not sure new code is needed.

I use the following parameters --azure-key-vault-url --azure-key-vault-accesstoken

Edit: I'll admit it's possible acquiring the token through a separate process somewhat sidesteps the issue.

vincentl2189 commented 2 years ago

I confirmed that using --azure-key-vault-accesstoken bypasses the issue for me too.

cswillenbrock commented 2 years ago

I am similarly afflicted and watching for a fix.

It appears the 2.0.17 version of the tool does not run into this issue.

vincentl2189 commented 2 years ago

@cswillenbrock For a quick workaround, like @garrett-wood said above, you can generate a token. This is the PowerShell I wrote for the token generation.

# Request a client-credentials token from the Azure Government authority, scoped to the Gov Key Vault endpoint.
# Double quotes are required so that $TENANTID and $CLIENTID expand; single quotes would send them literally.
$curltoken = curl.exe -s -X POST -H 'Content-Type: application/x-www-form-urlencoded' "https://login.microsoftonline.us/$TENANTID/oauth2/v2.0/token" -d "client_id=$CLIENTID" -d 'grant_type=client_credentials' -d 'scope=https://vault.usgovcloudapi.net/.default' -d client_secret="$(SigningCertName)"
$output = $curltoken | ConvertFrom-Json
$apptoken = $output.access_token

# Hand the pre-acquired token to AzureSignTool with -kva so it never contacts the public-cloud authority.
azuresigntool sign -v -du "$(SigningURL)" -kvu "$(SigningVaultURL)" -kva $apptoken -kvc "$(SigningCertName)" -tr http://ts.ssl.com -v "$(Build.Repository.LocalPath)\Program.exe"

The parentheses are only for devops variables.

hymccord commented 1 year ago

You can specify the authority host via an environment variable before using azuresigntool. This is how I use it in our pipelines to connect to Azure Gov.

$env:AZURE_AUTHORITY_HOST="https://login.microsoftonline.us/"
azuresigntool <your_args>

The Azure.Identity package reads this env variable, but I think this package should expose an option to specify what cloud to use so it's more visible to the end user. Not many people know about the environment variable option.
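The two workarounds in this thread (acquiring the token yourself and passing it with -kva, or pointing Azure.Identity at the right authority through AZURE_AUTHORITY_HOST) both come down to keeping the token authority and the Key Vault scope in the same cloud; the AADSTS900382 error is what you get when they disagree. The script below is an added example, not code from the AzureSignTool project or from anyone in this thread. It maps a cloud name to its authority host and Key Vault token scope, acquires a client-credentials token with Invoke-RestMethod instead of curl.exe, and feeds it to azuresigntool. The variable and parameter names ($TenantId, $ClientId, $ClientSecret, $VaultUrl, $CertName, $FileToSign, the CLIENT_SECRET environment variable) are assumptions; the authority hosts and vault DNS suffixes are the documented public values for each cloud.

```powershell
# Added example (not from the AzureSignTool project or this thread). Assumed inputs come from
# pipeline secret variables exposed as environment variables; adjust to your pipeline.

# Authority host and Key Vault resource scope per sovereign cloud. The token must be
# issued by the authority of the same cloud that hosts the vault, or AAD rejects the
# request as a cross-cloud confidential-client call.
$CloudEndpoints = @{
    'AzurePublic'     = @{ Authority = 'https://login.microsoftonline.com'; VaultScope = 'https://vault.azure.net/.default' }
    'AzureGovernment' = @{ Authority = 'https://login.microsoftonline.us';  VaultScope = 'https://vault.usgovcloudapi.net/.default' }
    'AzureChina'      = @{ Authority = 'https://login.chinacloudapi.cn';    VaultScope = 'https://vault.azure.cn/.default' }
}

function Get-KeyVaultAccessToken {
    param(
        [Parameter(Mandatory)][ValidateSet('AzurePublic', 'AzureGovernment', 'AzureChina')][string]$Cloud,
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ClientSecret
    )
    $ep = $CloudEndpoints[$Cloud]
    # Invoke-RestMethod form-encodes a hashtable body for this content type and parses the JSON reply.
    $body = @{
        client_id     = $ClientId
        client_secret = $ClientSecret
        grant_type    = 'client_credentials'
        scope         = $ep.VaultScope
    }
    $resp = Invoke-RestMethod -Method Post `
        -Uri "$($ep.Authority)/$TenantId/oauth2/v2.0/token" `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body $body
    if (-not $resp.access_token) { throw "No access_token returned by $($ep.Authority) for scope $($ep.VaultScope)" }
    return $resp.access_token
}

# Assumed pipeline inputs (hypothetical names).
$Cloud      = 'AzureGovernment'
$TenantId   = $env:TENANT_ID
$ClientId   = $env:CLIENT_ID
$VaultUrl   = $env:SIGNING_VAULT_URL      # e.g. https://<vault-name>.vault.usgovcloudapi.net
$CertName   = $env:SIGNING_CERT_NAME
$FileToSign = Join-Path $env:BUILD_SOURCESDIRECTORY 'Program.exe'

# Option A (this thread's -kva workaround): acquire the token here and pass it in.
$token = Get-KeyVaultAccessToken -Cloud $Cloud -TenantId $TenantId -ClientId $ClientId -ClientSecret $env:CLIENT_SECRET
azuresigntool sign -kvu $VaultUrl -kva $token -kvc $CertName -tr http://ts.ssl.com -td sha256 -fd sha256 -v $FileToSign

# Option B (hymccord's workaround): let Azure.Identity authenticate, but against the right authority.
# Uncomment these and drop -kva above; -kvt/-kvi/-kvs then work as they do for the public cloud.
# $env:AZURE_AUTHORITY_HOST = $CloudEndpoints[$Cloud].Authority + '/'
# azuresigntool sign -kvu $VaultUrl -kvt $TenantId -kvi $ClientId -kvs $env:CLIENT_SECRET -kvc $CertName -tr http://ts.ssl.com -td sha256 -fd sha256 -v $FileToSign
```

Option A passes a bearer token on the command line, where it is visible to anyone who can list processes on the build agent for the lifetime of the signing run; Option B keeps the secret inside the process, so prefer it where the AZURE_AUTHORITY_HOST variable is honoured by the tool version you run. In both cases the check that matters is that the authority host and the vault URL's DNS suffix belong to the same cloud.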

philnwoha commented 1 year ago

You can specify the authority host via an environment variable before using azuresigntool. This is how I use it in our pipelines to connect to Azure Gov.

$env:AZURE_AUTHORITY_HOST="https://login.microsoftonline.us/"
azuresigntool <your_args>

The Azure.Identity package reads this env variable, but I think this package should expose an option to specify what cloud to use so it's more visible to the end user. Not many people know about the environment variable option.

This worked for me, thanks!!