Accessing keys stored in Azure Government Key Vault

Open vincentl2189 opened this issue 2 years ago • 7 comments

I'm attempting to access a key stored in an Azure Government Key Vault and I am receiving the following error: AADSTS900382: Confidential Client is not supported in Cross Cloud request. I am using these options: -du -kvu -kvt -kvi -kvs -kvc -tr -v. Is there a method to specify my Azure environment?

vincentl2189 avatar Apr 08 '22 19:04 vincentl2189

Hm.. I think I need to provide an option to specify "other" clouds here

https://github.com/vcsjones/AzureSignTool/blob/d3cd68a58943f44b8e28618e371f9090a2b4e6da/src/AzureSignTool/KeyVaultConfigurationDiscoverer.cs#L34

Otherwise it is going to use https://login.microsoftonline.com which won't work for Gov Cloud.

I am going to be doing a release to move to .NET 6, I'll sneak a change in there that will allow specifying other clouds (German, Gov cloud).

vcsjones avatar Apr 08 '22 19:04 vcsjones

@vincentl2189 would you be willing to try a pre-release when I have one available that contains a fix?

vcsjones avatar Apr 08 '22 19:04 vcsjones

Sure can.

vincentl2189 avatar Apr 09 '22 01:04 vincentl2189

@vcsjones / @vincentl2189

I do have this working in Azure Government with a previous release - not sure new code is needed.

I use the following parameters: --azure-key-vault-url --azure-key-vault-accesstoken

Edit: I'll admit it's possible acquiring the token through a separate process somewhat sidesteps the issue.

garrett-wood avatar Apr 09 '22 01:04 garrett-wood

I confirmed that using --azure-key-vault-accesstoken bypasses the issue for me too.

vincentl2189 avatar Apr 12 '22 15:04 vincentl2189

I am similarly afflicted and watching for a fix.

It appears the 2.0.17 version of the tool does not run into this issue.

cswillenbrock avatar Apr 15 '22 19:04 cswillenbrock

@cswillenbrock For a quick workaround, like @garrett-wood said above, you can generate a token. This is the PowerShell I wrote for the token generation.

# Request a client-credentials token from the Azure Government authority, scoped to Gov Key Vault
# (client_id is in double quotes so that $CLIENTID is expanded; single quotes would send it literally)
$curltoken = curl.exe -X POST -H 'Content-Type: application/x-www-form-urlencoded' https://login.microsoftonline.us/$TENANTID/oauth2/v2.0/token -d "client_id=$CLIENTID" -d 'grant_type=client_credentials' -d 'scope=https://vault.usgovcloudapi.net/.default' -d client_secret="$(SigningCertName)"
$output = $curltoken | ConvertFrom-Json
$apptoken = $output.access_token
# Pass the token straight to azuresigntool with -kva so it never contacts login.microsoftonline.com
azuresigntool sign -v -du "$(SigningURL)" -kvu "$(SigningVaultURL)" -kva $apptoken -kvc "$(SigningCertName)" -tr http://ts.ssl.com -v "$(Build.Repository.LocalPath)\Program.exe"

The parentheses are only for devops variables.

vincentl2189 avatar Apr 15 '22 19:04 vincentl2189

You can specify the authority host via an environment variable before using azuresigntool. This is how I use it in our pipelines to connect to Azure Gov.

$env:AZURE_AUTHORITY_HOST="https://login.microsoftonline.us/"
azuresigntool <your_args>

The Azure.Identity package reads this env variable, but I think this package should expose an option to specify what cloud to use so it's more visible to the end user. Not many people know about the environment variable option.

hymccord avatar Jan 09 '23 16:01 hymccord
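The two workarounds in this thread (pre-acquiring a token with -kva, and pointing Azure.Identity at the right cloud with AZURE_AUTHORITY_HOST) combined into one script, as an added example that is not code from the thread or from AzureSignTool. It assumes placeholder environment variables AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET and placeholder vault and certificate names; the cloud table (authority host and Key Vault scope per cloud) is the part that differs between Public, Government and China, and the aud check makes sure a token minted for the wrong cloud is never handed to the signing step.

```powershell
# Added example (not from the thread): per-cloud authority host and Key Vault scope.
$Clouds = @{
    Public     = @{ Authority = 'https://login.microsoftonline.com'; VaultScope = 'https://vault.azure.net/.default' }
    Government = @{ Authority = 'https://login.microsoftonline.us';  VaultScope = 'https://vault.usgovcloudapi.net/.default' }
    China      = @{ Authority = 'https://login.chinacloudapi.cn';    VaultScope = 'https://vault.azure.cn/.default' }
}

function Get-KeyVaultToken {
    param([ValidateSet('Public', 'Government', 'China')][string]$Cloud)
    $c = $Clouds[$Cloud]
    # Client-credentials request against the chosen cloud's v2.0 token endpoint.
    # AZ_TENANT_ID / AZ_CLIENT_ID / AZ_CLIENT_SECRET are placeholder variable names.
    $body = @{
        client_id     = $env:AZ_CLIENT_ID
        client_secret = $env:AZ_CLIENT_SECRET
        grant_type    = 'client_credentials'
        scope         = $c.VaultScope
    }
    $resp = Invoke-RestMethod -Method Post -ContentType 'application/x-www-form-urlencoded' `
        -Uri "$($c.Authority)/$($env:AZ_TENANT_ID)/oauth2/v2.0/token" -Body $body

    # Decode the JWT payload (base64url) and confirm the audience is the Key Vault
    # resource of the cloud we asked for. A vault.azure.net token is useless against
    # a Government vault, so fail here rather than at the signing step.
    $payload = $resp.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
    $expectedAud = $c.VaultScope -replace '/\.default$', ''
    if ($claims.aud.TrimEnd('/') -ne $expectedAud) {
        throw "Token audience '$($claims.aud)' does not match $expectedAud for cloud $Cloud"
    }
    return $resp.access_token
}

# Also set the authority host so that, if azuresigntool is later run with -kvi/-kvs
# instead of -kva, Azure.Identity resolves to the same cloud.
$env:AZURE_AUTHORITY_HOST = $Clouds['Government'].Authority
$token = Get-KeyVaultToken -Cloud Government

# <vault-name> and <certificate-name> are placeholders for your own values.
azuresigntool sign -kvu 'https://<vault-name>.vault.usgovcloudapi.net' -kva $token `
    -kvc '<certificate-name>' -tr http://ts.ssl.com -v .\Program.exe
```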

This worked for me, thanks!!

philnwoha avatar Jul 10 '23 19:07 philnwoha