Azure-sdk-for-net: Fetching secrets from KeyVault with Microsoft.Azure.Services.AppAuthentication is slow for the first call
Continuing the discussion from the issue #4645 (as the mentioned issue is closed)
I tried using the connection string RunAs=Developer; DeveloperTool=VisualStudio and it skipped the second call (as shown in the image below) and directly went on to make the third call. So, the overall time it takes to fetch the access token and then secret is approx 4-6 seconds.
This is the code to initialize the key vault
static ConfigUtils()
{
// https://docs.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=dotnet#asal
var azureServiceTokenProvider = new AzureServiceTokenProvider("RunAs=Developer; DeveloperTool=VisualStudio");
vaultClient = new KeyVaultClient(new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
}
This is the code to fetch the secret
try
{
var secret = await vaultClient.GetSecretAsync(key);
return secret.Value;
}
My main concern is that it makes the first call (connection to key vault) as soon as it executes the line: var secret = await vaultClient.GetSecretAsync(key); but then it makes the third call in the image above (skips the second call when using connection string: RunAs=Developer; DeveloperTool=VisualStudio) but there is a delay of nearly 3 sec between the two calls.
Is it possible to reduce that delay between calls? @nonik0 would you be able to help here?
abhiyadav1323
All 9 comments
Thank you for your feedback. Tagging and routing to the team best able to assist.
jsquire
on 12 Sep 2020
//cc: @AlexGhiondea
jsquire
on 12 Sep 2020
@AlexGhiondea @nonik0 Would it be possible for you guys to give a brief explanation as to why there is a delay between the call to connect to key vault and call to login.microsoft.com to fetch access token (nearly 3 sec) even when using the connection string RunAs=Developer; DeveloperTool=VisualStudio?
abhiyadav1323
on 17 Sep 2020
@nonik0 do you happen to know the answer to this?
AlexGhiondea
on 17 Sep 2020
Sorry for delay here. I took a look and I am able to repro this as well. The access token call overall takes 5-8 seconds for me using VS token provider. I took a look in our flow where this time is being spent and 90-95% of the time is in this call.
This is the code that is calling and waiting for the VS TokenProvider tool to return an access token. Any significant improvement in the overall time of this call would need to come from Visual Studio and its token provider tool.
nonik0
on 6 Oct 2020
@nonik0 who should we contact here? can you please add someone from visual studio team in this thread so that he/she can get a chance to look at it?
abhiyadav1323
on 7 Oct 2020
@abhiyadav1323 I also took a look with Fiddler and also verified there's a 4-5 second gap between the HTTP requests (specifically the challenge request and then secret request to KV), even when VS has a cached access token. I will check with my VS contact.
nonik0
on 15 Oct 2020
The token provider tool uses a couple of processes which need to start up in order to function. Because of this, depending on whether or not the process information has already been read into memory the start up times for those processes can be long or short.
This is a current limitation of how the VS token provider works, we are looking at ways to not have as many processes (or any) started to get the information requested, this is something we are looking at for a future release of VS.
crmann1
on 15 Oct 2020
Visual Studio is aware of the issue and will be fixed in a future release of VS
anaismiller
on 4 Dec 2020
Related issues
philoushka
路
3Comments
cannehag
路
4Comments
shahabhijeet
路
3Comments
AliGuemues
路
3Comments
vladbarosan
路
4Comments
Most helpful comment
Visual Studio is aware of the issue and will be fixed in a future release of VS