
I am trying to get some secrets from a KeyVault in AzureChinaCloud. I have the following code that is working fine for an AzureCloud KeyVault, however when I change the KeyVault address to one in China it no longer works.

using Azure.Identity;
using Azure.Security.KeyVault.Secrets;
using Azure.Core;
using System;
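namespace maintenance.connections
{
    /// <summary>
    /// Builds a Key Vault <see cref="SecretClient"/> with an exponential retry policy,
    /// authenticating through <see cref="DefaultAzureCredential"/>.
    /// </summary>
    public class AzureKeyVault
    {
        // Retry tuning, in seconds: first back-off, upper bound on back-off, and attempt count.
        private const Int64 Delay = 2;
        private const Int64 MaxDelay = 16;
        private const Int32 MaxRetries = 5;

        // Name of the environment variable that may override the token authority,
        // e.g. AuthorityHost = https://login.chinacloudapi.cn/
        private const string AuthorityHostVariable = "AuthorityHost";

        private SecretClientOptions Options { get; set; }

        /// <summary>Client used to read secrets from the vault passed to the constructor.</summary>
        public SecretClient Secrets { get; set; }

        /// <summary>
        /// Creates the secret client for <paramref name="VaultUrl"/>.
        /// </summary>
        /// <param name="VaultUrl">Address of the Key Vault to read from.</param>
        /// <exception cref="ArgumentNullException"><paramref name="VaultUrl"/> is null.</exception>
        /// <exception cref="UriFormatException">The AuthorityHost variable is set but is not a valid URI.</exception>
        /// <exception cref="ArgumentException">The AuthorityHost variable is set but is not an absolute https URI.</exception>
        public AzureKeyVault(Uri VaultUrl)
        {
            if (VaultUrl == null)
            {
                throw new ArgumentNullException(nameof(VaultUrl));
            }

            Options = new SecretClientOptions();
            Options.Retry.Delay = TimeSpan.FromSeconds(Delay);
            Options.Retry.MaxDelay = TimeSpan.FromSeconds(MaxDelay);
            Options.Retry.MaxRetries = MaxRetries;
            Options.Retry.Mode = RetryMode.Exponential;

            DefaultAzureCredentialOptions credentialOptions = new DefaultAzureCredentialOptions();

            // Read the variable once so the null check and the parsed value cannot disagree.
            string authorityHost = Environment.GetEnvironmentVariable(AuthorityHostVariable);
            if (authorityHost != null)
            {
                Uri authority = new Uri(authorityHost);

                // The authority is the endpoint that receives the client credentials during
                // token acquisition, so a value taken from the environment must never
                // downgrade that exchange to plain http or to a relative address.
                if (!authority.IsAbsoluteUri || authority.Scheme != Uri.UriSchemeHttps)
                {
                    throw new ArgumentException(
                        "The " + AuthorityHostVariable + " environment variable must be an absolute https URI.");
                }

                credentialOptions.AuthorityHost = authority;
            }
            // NOTE(review): when the variable is unset, AuthorityHost is left untouched and the
            // credential uses the library default authority - confirm that this is the cloud
            // the vault lives in, and consider checking the value against an allow-list of
            // expected authority hosts for the deployment.

            Secrets = new SecretClient(VaultUrl, new DefaultAzureCredential(credentialOptions), Options);
        }
    }
}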

When I execute Secrets.GetSecret(SecretName) I get the following error

AADSTS90002: Tenant 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant.

Do you know what I am missing? The tenant ID exists, and the credentials set in the environment variables have permissions.

delucaezequiel
  • Are you setting the `AZURE_TENANT_ID` environment variable used by `DefaultAzureCredential`? – Jesse Squire May 20 '22 at 13:35
  • Yes, I have the following environment variables set: AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET. I also tried it directly from an Azure Function in China configured to use a system-assigned managed identity, and the same error is displayed – delucaezequiel May 20 '22 at 13:54
  • Hello, unless you are ok sharing your tenant id please post your answer in https://learn.microsoft.com/en-us/answers/topics/azure-active-directory.html so that we can handle it privately. – AlfredoRevilla-MSFT May 20 '22 at 14:15
  • Hello again, do you still need help? – AlfredoRevilla-MSFT Jun 02 '22 at 16:47
  • yes, I do. I post a question in https://learn.microsoft.com/en-us/answers/questions/857908/c-azuresdk-secretclient-how-to-authenticate-agains.html, but still unsolved – delucaezequiel Jun 03 '22 at 17:08
