Skip to main content
Version: v1.3.0

Authentication

As of today we support a few authentication mechanisms.

Managed Service Identity

You can use Managed Service Identity to delegate the authentication to Azure via ManagedServiceIdentityAuthentication.

This is the recommended approach to interact with Azure Key Vault.

var vaultAuthentication = new ManagedServiceIdentityAuthentication();
var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthentication, vaultConfiguration);

If you require more control over the authentication mechanism you can optionally specify an AzureServiceTokenProvider connection string &/or Azure AD instance.

var connectionString = Configuration.GetConnectionString("Arcus:MSI:ConnectionString");
var azureAdInstance = Configuration.GetValue<string>("Arcus:MSI:AzureAdInstance");
var vaultAuthentication = new ManagedServiceIdentityAuthentication(connectionString, azureAdInstance);
var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthentication, vaultConfiguration);

See Service-to-service authentication to Azure Key Vault using .NET - Connection String Support for supported connection strings and National clouds - Azure AD authentication endpoints for valid azure AD instances

Service Principle

Authentication via username and password is supported with the ServicePrincipalAuthentication.

var clientId = Configuration.GetValue<string>("Arcus:ServicePrincipal:ClientId");
var clientKey = Configuration.GetValue<string>("Arcus:ServicePrincipal:AccessKey");

var vaultAuthentication = new ServicePrincipalAuthentication(clientId, clientKey);
var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthentication, vaultConfiguration);

Certificate

Authentication via client ID and certificate is supported with the CertificateBasedAuthentication.

var clientId = Configuration.GetValue<string>("Arcus:ServicePrincipal:ClientId");
X509Certificate2 certificate = ...

var vaultAuthentication = new CertificateBasedAuthentication(clientId, certificate);
var vaultConfiguration = new KeyVaultConfiguration(keyVaultUri);
var keyVaultSecretProvider = new KeyVaultSecretProvider(vaultAuthentication, vaultConfiguration);