Azure Function Error: DefaultAzureCredential failed to retrieve a token from the included credentials


I have an Azure function that connects to a Key Vault using a managed identity. This is working without issue in Azure.

I have to make changes to the function but cannot get it working from Visual Studio 2022.

When I run the code to get the DefaultAzureCredential (code below), I get an error:

var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedManagedIdentityClientID });

Error:

DefaultAzureCredential failed to retrieve a token from the included credentials. See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/defaultazurecredential/troubleshoot

It's not a Key Vault permissions issue, as I have not even been able to get a token from Azure before trying to access the Key Vault.

What I have tried:

  • I have run az login, from both PowerShell on my desktop and from the PowerShell console within Visual Studio.
  • Signed into Visual Studio with an account that has access to all the resources in Azure.
  • Within Visual Studio > Tools > Options > Azure Service Authentication, I have signed in with an account that has access to the resources.

SiddheshDesai On

Refer to this SO answer by Dasari Kamali for retrieving a secret value in an Azure Function via Visual Studio.

I agree with Gaurav Mantri; try implementing var credential = new DefaultAzureCredential(); in your code:

My user, who is logged in to Visual Studio with the PowerShell terminal and profile, has the Key Vault Administrator role assigned at the Key Vault level:

I have enabled RBAC-based access for Key Vault. You can enable access policy-based authorization and assign the correct Key Vault role to the user.

My Function1.cs code:

using System;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Core;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Azure.WebJobs;
using Microsoft.Azure.WebJobs.Extensions.Http;
using Azure;
using System.Threading.Tasks;

public static class KeyVaultFunction
{
    [FunctionName("GetKeyVaultValue")]
    public static async Task<IActionResult> GetKeyVaultValue(
        [HttpTrigger(AuthorizationLevel.Function, "get", Route = null)] HttpRequest req)
    {
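        try
        {
            // Read from app settings; not used below because the vault URI is hard-coded.
            string keyVaultName = Environment.GetEnvironmentVariable("keyVaultName");
            var kvUri = "https://valeeykeyvlt.vault.azure.net/";

            // Locally this resolves to the Visual Studio / az login account; in Azure, to the managed identity.
            var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
            var secretName = "secret1";
            var secret = await client.GetSecretAsync(secretName);

            // The secret value is returned in the response body for demonstration.
            string keyVaultValue = secret.Value.Value;
            return new OkObjectResult(keyVaultValue);
        }
        catch (RequestFailedException ex)
        {
            // Key Vault rejected the request; pass its HTTP status through.
            return new StatusCodeResult((int)ex.Status);
        }
        catch (Exception)
        {
            // Anything else, including credential failures, surfaces as 500.
            return new StatusCodeResult(500);
        }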
    }
}

Visual Studio settings:

az login
az account set --subscription "xxxxxxxx"

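
Added example, not part of the question or the answer above: a console program that requests a Key Vault token from each local developer credential separately, then from DefaultAzureCredential with the question's ManagedIdentityClientId option, so the failing link in the chain and its reason are visible. The class name CredentialProbe and the environment variable PROBE_MI_CLIENT_ID are assumptions made for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Core.Diagnostics;
using Azure.Identity;

public static class CredentialProbe
{
    public static async Task Main()
    {
        // Print Azure SDK diagnostic events, including why each credential in the chain was skipped.
        using AzureEventSourceListener listener = AzureEventSourceListener.CreateConsoleLogger();

        // Token scope for Azure Key Vault, the resource the function calls.
        var context = new TokenRequestContext(new[] { "https://vault.azure.net/.default" });

        // Hypothetical variable name (assumption): holds the user-assigned identity's client ID.
        string clientId = Environment.GetEnvironmentVariable("PROBE_MI_CLIENT_ID");

        var probes = new Dictionary<string, TokenCredential>
        {
            ["VisualStudioCredential"] = new VisualStudioCredential(),
            ["AzureCliCredential"] = new AzureCliCredential(),
            ["AzurePowerShellCredential"] = new AzurePowerShellCredential(),
            // Same construction as in the question.
            ["DefaultAzureCredential"] = new DefaultAzureCredential(
                new DefaultAzureCredentialOptions { ManagedIdentityClientId = clientId }),
        };

        foreach (var (name, credential) in probes)
        {
            try
            {
                AccessToken token = await credential.GetTokenAsync(context, default);
                // Report the expiry only; the token itself is never written to output.
                Console.WriteLine($"{name}: OK, expires {token.ExpiresOn:u}");
            }
            catch (CredentialUnavailableException ex)
            {
                // The credential cannot be used on this machine (tool missing, not signed in).
                Console.WriteLine($"{name}: unavailable: {ex.Message}");
            }
            catch (AuthenticationFailedException ex)
            {
                // The credential was attempted but the token request was rejected.
                Console.WriteLine($"{name}: authentication failed: {ex.Message}");
            }
        }
    }
}
```

If an individual credential succeeds while DefaultAzureCredential fails, the event log shows which earlier credential in the chain stopped the fallback.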