vault-get | Get a value from Vault | Identity Management library

I am following directions here for learning the AzureKeyVault config settings

Key Vault Configuration Provider sample application (ASP.NET Core 2.x)

This sample illustrates the use of the Azure Key Vault Configuration Provider for ASP.NET Core 2.x. For the ASP.NET Core 1.x sample, see Key Vault Configuration Provider sample application (ASP.NET Core 1.x).

For more information on how the sample works, see the Azure Key Vault configuration provider topic.

Using the sample

1. Create a key vault and set up Azure Active Directory (Azure AD) for the application following the guidance in Get started with Azure Key Vault.

   • Add secrets to the key vault using the AzureRM Key Vault PowerShell Module available from the PowerShell Gallery, the Azure Key Vault REST API, or the Azure Portal. Secrets are created as either Manual or Certificate secrets. Certificate secrets are certificates for use by apps and services but are not supported by the configuration provider. You should use the Manual option to create name-value pair secrets for use with the configuration provider.
     • Simple secrets are created as name-value pairs. Azure Key Vault secret names are limited to alphanumeric characters and dashes.
     • Hierarchical values (configuration sections) use -- (two dashes) as a separator in the sample. Colons, which are normally used to delimit a section from a subkey in ASP.NET Core configuration, aren't allowed in secret names. Therefore, two dashes are used and swapped for a colon when the secrets are loaded into the app's configuration.
     • Create two Manual secrets with the following name-value pairs. The first secret is a simple name and value, and the second secret creates a secret value with a section and subkey in the secret name:
       • SecretName: secret_value_1
       • Section--SecretName: secret_value_2
   • Register the sample app with Azure Active Directory.
   • Authorize the app to access the key vault. When you use the Set-AzureRmKeyVaultAccessPolicy PowerShell cmdlet to authorize the app to access the key vault, provide List and Get access to secrets with -PermissionsToSecrets list,get.

2. Update the app's appsettings.json file with the values of Vault, ClientId, and ClientSecret.

3. Run the sample app, which obtains its configuration values from IConfigurationRoot with the same name as the secret name. * Non-hierarchical values: The value for SecretName is obtained with config["SecretName"]. * Hierarchical values (sections): Use : (colon) notation or the GetSection extension method. Use either of these approaches to obtain the configuration value:
   • config["Section:SecretName"]
   • config.GetSection("Section")["SecretName"]

Okay so I have copied the name of my application into Azure Active Directory as an 'Enterprise Application'. And I have added 'Access policies' for 'get' and 'list' in Azure for my ADD object I just created. Yet I get this error in the program when attempting to start the application:

From my question here I understand that I can set up an application registration in Active Directory, and that I can use the application ID and a key that I set up within the application registration in order to authenticate.

Where is an example on how to do that?

What has the combination of the application ID (which I understand to also be called the client ID) and the key I add to the keys collection got to do with the Service Principal?

[Update]

From this link about service principals

If I understand it correctly we are no longer talking about "application key", we are talking about "application credentials". I am guessing this is the same thing?

The following paragraph has me hopelessly confused about the difference between "application credentials", "sign in credentials", and "service principal's credentials":

"To sign in with a service principal, use the -ServicePrincipal argument with the Connect-AzureRmAccount cmdlet. You will also need the service princpal's application ID, sign-in credentials, and the tenant ID associate with the service principal. In order to get the service principal's credentials as the appropriate object, use the Get-Credential cmdlet. This cmdlet will display a dialog box to enter the service principal user ID and password into."

[Update]

From the answer to my question here I have been able to run HelloKeyVault using the following app settings:

VaultUrl, AuthClientId and AuthCertThumbprint

There is no mention of a service principal or "key" or a "token"

I am just trying to understand the instructions at https://docs.microsoft.com/en-gb/azure/key-vault/key-vault-get-started at this stage.

In the help at Microsoft Docs under the section Register an application with Azure Active Directory it is mentioned

"Applications that use a key vault must authenticate by using a token from Azure Active Directory. To do this, the owner of the application must first register the application in their Azure Active Directory. At the end of registration, the application owner gets the following values:

1) An Application ID

2) An authentication key (also known as the shared secret).

The application must present both these values to Azure Active Directory, to get a token."

I have just created an application registration and I can see an Application ID but where do I find the authentication key?

The steps do show how to add a key manually, is that what is meant, I have to add a key and then I will have one?

The instructions say

"9. On the Settings blade click on keys

10.Type in a description in the Key description box and select a duration, and then click SAVE. The page refreshes and now shows a key value.

1. You will use the Application ID and the Key information in the next step to set permissions on your vault."

I am attempting to follow these instructions to set up Azure Key Vault, and I am on the step to "Register an application with Azure Active Directory".

In the instructions, there is this guideline:

Important: To complete the tutorial, your account, the vault, and the application that you will register in this step must all be in the same Azure directory.

Three important pieces of info about my configuration:

1. Since our team is using Azure Active Directory B2C and not Azure AD, the AAD B2C instance is in a different directory, as shown in the top right corner of the screenshot below.
2. Our web app (name MyApp) is registered to AAD B2C within Directory2, as shown by the circle in the middle of the screenshot below.
3. However, the actual Web Application resource is in Directory1, as shown in the screenshot below

How should I move forward? Should I move the KeyVault & MyApp to Directory2 or move the AAD B2C instance to Directory1?

I used the following powershell commands to create an Azure Key Vault: