.net azure-active-directory azure-keyvault microsoft-entra-id

Passing temporary .NET Azure Credentials to a Container

I have created a .NET F# application that I want to build into a container. But am not sure how to pass development/test Azure credentials into the container.

I am trying to access an Azure Key Vault secret from within the container to read data from a server.

I know that once the container is released to the live environment, I can use System-assigned Managed Identities from Azure. Before that though, I want to use a Dev credential to ensure the application can properly access the server.

So far, it seems like there are two possibilities:

Get a container image that has both .NET aspnet runtime dependencies and Azure CLI.
- Is there anywhere that this would already be provided? The mcr.microsoft.com/dotnet/aspnet doesn't have Azure CLI and the mcr.microsoft.com/azure-cli doesn't have .NET runtime.
Collect local credentials and pass them into the container in a form that are ready to be used.
- I would think I would need to login from my dev box, get the AccessToken through DefaultAzureCredentials.GetToken
- But once I have the huge string for the AccessToken, I cannot find any way to create a TokenCredential which will let the client connect.

Has anyone tried to work with this before? What is the way to get test credentials for a dev account into a container? Or is there some other way to do this test before releasing the container to the live environment?

Solution

There are three approaches for enabling development-time access to Azure Key Vault from a containerized .NET app.

Option 1 is to mount Developer Credentials into the Container

If you’ve already run az login on your development machine, you can mount your local Azure CLI auth context (~/.azure) into the container:

docker run -v ~/.azure:/root/.azure \
           -e AZURE_CONFIG_DIR=/root/.azure \
           my-fsharp-app

Then, in your app code, use:

let credential = DefaultAzureCredential()
let client = SecretClient(Uri("https://<your-keyvault>.vault.azure.net/"), credential)
let secret = client.GetSecret("MySecret")

DefaultAzureCredential will automatically detect the Azure CLI token from the mounted .azure directory.

Refer this MDOC for DefaultAzureCredential and Azure CLI Auth Tokens

Option 2 is to Pass Service Principal Credentials via Env Variables
For CI/CD or scripting, create a service principal:

az ad sp create-for-rbac --name dev-sp --sdk-auth

Pass the credentials to your container:

docker run -e AZURE_CLIENT_ID=xxxx \
           -e AZURE_TENANT_ID=yyyy \
           -e AZURE_CLIENT_SECRET=zzzz \
           my-fsharp-app

In your app:

let tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID")
let clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID")
let clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET")

let credential = ClientSecretCredential(tenantId, clientId, clientSecret)
let client = SecretClient(Uri("https://<your-keyvault>.vault.azure.net/"), credential)

Option 3 is to build a Custom Docker Image with Azure CLI

If you need both .NET and Azure CLI in the container, use a custom Dockerfile:

FROM mcr.microsoft.com/dotnet/aspnet:7.0

# Install Azure CLI
RUN apt-get update && \
    apt-get install -y ca-certificates curl apt-transport-https lsb-release gnupg && \
    curl -sL https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg && \
    install -o root -g root -m 644 microsoft.gpg /etc/apt/trusted.gpg.d/ && \
    echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $(lsb_release -cs) main" > /etc/apt/sources.list.d/azure-cli.list && \
    apt-get update && apt-get install -y azure-cli && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /app
COPY ./publish .
ENTRYPOINT ["dotnet", "YourApp.dll"]

This lets you run az login directly in the container for debugging.