I have an application that I need to try and change because right now, the basic way in which I implemented it does not go through the corporate proxy. I noticed that the managed way has a KvClient class which has an HttpClient object to which I can add an HttpClientHandler with a new WebProxy containing the corporate proxy information.
However, the app is hosted on prem, not in Azure.
My question is, is there a way to use the Managed Identity version for an application not deployed to Azure?
And if so, on the AzureServiceTokenProvider - where would I be able to get the connection string to allow this to happen?
Is any of this even recommended? I just wanted to ask here since the document says specifically that this way is for apps that are deployed to Azure.
Thanks!
Hello @Eldorian ... That package Microsoft.Azure.Services.AppAuthentication isn't maintained by the ASP.NET Core team. Ask over on their repo :point_right: https://github.com/Azure/azure-sdk-for-net/issues. If they say it can be done and can point you to a spot in their docs that explains how to do it, then we can link their content in this topic.
I'm going to close this as not actionable at the moment, but we can re-open this later if they provide good news for this use case.
I'm not looking too closely, but there might be issues on that repo asking similar questions. For example ...
https://github.com/Azure/azure-sdk-for-net/issues/4968
... search around first before you ask in case someone else has already inquired with them.
Thanks @guardrex - this points me in the right direction and from looking things over there it does look like a path I won't be able to go down.
By any chance do you happen to know any way to send the communication of the Key Vault through a corporate proxy? So far it appears the only option is by adding a range of IPs through the firewall, according to this article.
https://docs.microsoft.com/en-us/azure/key-vault/key-vault-access-behind-firewall
I've been researching this the last 2 days and I think I've come to the conclusion that it can't be done, but wanted to ask someone before I call it.
Sorry, I don't have additional guidance. I noted that on their repo they have a link to Azure Forums, where you might be able to get some tips. There's always Slack, of course, and those cats work under all kinds of corporate scenarios.
@guardrex which Slack Channel are you talking about?
Shane Boyer opened it up a while back around the time that Jabbr :cry: died 💀 ...
Self-signup: http://tattoocoder.com/aspnet-slack-sign-up/
I connect to Key Vault like this, for these use cases.
https://damienbod.com/2019/02/07/using-azure-key-vault-from-an-non-azure-app/
Thanks @damienbod - that example is basically how I am already connecting to the Azure Key Vault.
What I am trying to accomplish is if there is a way to force this connection to use a corporate proxy. Unfortunately this method does not do that.
Yes, we currently document it in the non-MSI case.
I think the two main endpoints in Azure are ... {KEY_VAULT}.vault.azure.net and login.microsoft.net both on 443. Now if you have to go by IP address ranges given your network firewall requirements, then yeah ... that's more challenging ... but hopefully covered by those docs that you found.
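An added example (not code from this thread or from the SDK docs) of the non-MSI path discussed above, with both endpoints named in the previous comment routed through a corporate proxy. It assumes the service-principal connection string format of AzureServiceTokenProvider, a hypothetical proxy address, and .NET Core 3.0+ for HttpClient.DefaultProxy.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

public static class ProxiedKeyVault
{
    // Hypothetical values: replace with your corporate proxy and vault name.
    private const string ProxyUrl = "http://proxy.corp.example:8080";
    private const string VaultUrl = "https://{KEY_VAULT}.vault.azure.net/";

    // connectionString: "RunAs=App;AppId=<app id>;TenantId=<tenant id>;AppKey=<secret>"
    // (service-principal form of the AzureServiceTokenProvider connection string, not MSI).
    public static KeyVaultClient Create(string connectionString)
    {
        var proxy = new WebProxy(ProxyUrl) { UseDefaultCredentials = true };

        // The token request to the login endpoint is made by the token library's own
        // HttpClient, so the handler passed to KeyVaultClient below does not cover it.
        // HttpClient.DefaultProxy (.NET Core 3.0+) makes every HttpClient in the process
        // use the proxy; on .NET Framework use <system.net><defaultProxy> in app.config.
        HttpClient.DefaultProxy = proxy;

        var tokenProvider = new AzureServiceTokenProvider(connectionString);
        var credential = new KeyVaultCredential(tokenProvider.KeyVaultTokenCallback);

        // Route the vault calls ({KEY_VAULT}.vault.azure.net:443) through the proxy.
        var handler = new HttpClientHandler { Proxy = proxy, UseProxy = true };
        return new KeyVaultClient(credential, handler);
    }

    public static async Task<string> GetSecretValueAsync(KeyVaultClient client, string secretName)
    {
        var bundle = await client.GetSecretAsync(VaultUrl, secretName);
        return bundle.Value;
    }
}
```

If the proxy requires authentication, set Credentials on the WebProxy instead of UseDefaultCredentials; if the vault is also firewalled by IP range, the proxy's egress address is the one that must be allowed.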