Please close this; I managed to get this resolved by adding the correct environment variables.
Cloud Service Extended Support Key vault access keys and secrets
I am in the process of migrating Cloud Service Classic to Cloud Service Extended Support, which I also want to get working with Key Vault.
The application has been successfully migrated, and without any KV changes to code/web.config it publishes fine.
Once KV is added I can gain access to the certificate no problem during deployment following the guidance below.
> You also need to enable Key Vault 'Access policies' (in portal) for 'Azure Virtual Machines for deployment' so that Cloud Services (extended support) resource can retrieve certificate stored as secrets from Key Vault
This works fine, I can pick up the cert from the key vault.
When debugging locally I can access the keys/secrets contained within the KV, as it's authenticating against my account. The code works fine locally, so I assume there are no problems here.
When I publish to the Cloud Service Extended Support I get the following error.
```
DefaultAzureCredential failed to retrieve a token from the included credentials.
- EnvironmentCredential authentication unavailable. Environment variables are not fully configured.
- ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource.
Status: 400 (Bad Request)
Content:
{"error":"invalid_request","error_description":"Identity not found"}
```
Self explanatory really.
I assume that using KV to gain access to certificates, keys and secrets needs a service principal account, which in turn needs access to the KV via an access policy.
I assume the setting above does not give access to anything inside the VM once built and only gives permission to install the certificate on deployment?
The documentation isn't very clear.
If anyone has done this before, could you share any documentation? I assume accessing the KV through code works as it would on a standard VM. There is no Azure functionality which configures the identity via an Azure setting, i.e. the one mentioned above.
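As an added example (not code from the original post or from the Azure SDK), the check below reproduces the rule behind the first failing link in the error above. `DefaultAzureCredential` tries `EnvironmentCredential` first, and that credential only activates when one of three documented variable sets is complete: tenant and client ID plus either `AZURE_CLIENT_SECRET`, `AZURE_CLIENT_CERTIFICATE_PATH`, or `AZURE_USERNAME`/`AZURE_PASSWORD`. The poster's fix ("adding the correct environment variables") satisfies exactly this rule. The script tells you which set is complete, what each incomplete set still lacks, and prints the variables with secret-bearing values masked so it can run as a startup task on the role instance. The GUIDs and secret value in the samples are constructed placeholders.

```python
"""Preflight check for the EnvironmentCredential link of DefaultAzureCredential.

DefaultAzureCredential tries EnvironmentCredential first and reports
"EnvironmentCredential authentication unavailable. Environment variables are
not fully configured." when none of the variable sets below is complete on the
role instance.  This script reproduces that selection rule so a startup task
can verify the configuration before the web role calls Key Vault, and prints
what it found with secret-bearing values redacted.
"""
import os
from typing import Mapping

# Every mode needs the tenant and client (app registration) IDs ...
COMMON = ("AZURE_TENANT_ID", "AZURE_CLIENT_ID")
# ... plus one of these sets; EnvironmentCredential checks them in this order.
MODES = {
    "service principal + client secret": ("AZURE_CLIENT_SECRET",),
    "service principal + certificate": ("AZURE_CLIENT_CERTIFICATE_PATH",),
    "username + password": ("AZURE_USERNAME", "AZURE_PASSWORD"),
}
# Values that must never reach a log line.
SENSITIVE = {"AZURE_CLIENT_SECRET", "AZURE_PASSWORD", "AZURE_CLIENT_CERTIFICATE_PASSWORD"}


def _missing(env: Mapping[str, str], names) -> list:
    # Blank or whitespace-only values count as unset, as an empty variable would.
    return [n for n in names if not env.get(n, "").strip()]


def check_environment_credential(env: Mapping[str, str]) -> dict:
    """Mirror EnvironmentCredential's rule: the first complete variable set wins.

    Returns {"configured": bool, "mode": str or None,
             "missing": {mode: [variables still needed]}}.
    """
    missing = {}
    for mode, extra in MODES.items():
        gaps = _missing(env, COMMON + extra)
        if not gaps:
            return {"configured": True, "mode": mode, "missing": {}}
        missing[mode] = gaps
    return {"configured": False, "mode": None, "missing": missing}


def advisories(report: dict) -> list:
    """Security notes a reviewer would raise about the selected mode."""
    notes = []
    if report["mode"] == "service principal + client secret":
        notes.append("AZURE_CLIENT_SECRET is a long-lived plaintext secret in role "
                     "configuration; prefer certificate auth and rotate it.")
    if report["mode"] == "username + password":
        notes.append("User credentials in environment variables tie the service to "
                     "a person's account; use a service principal instead.")
    return notes


def redacted_view(env: Mapping[str, str]) -> dict:
    """AZURE_* variables as they may safely appear in a log, secrets masked."""
    return {name: ("<redacted>" if name in SENSITIVE else env[name])
            for name in sorted(env) if name.startswith("AZURE_")}


# Constructed sample environments (placeholder IDs, not from the original post).
SAMPLE_BROKEN = {
    "AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
    "AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
}
SAMPLE_FIXED = dict(SAMPLE_BROKEN, AZURE_CLIENT_SECRET="constructed-secret-value")


def main():
    for label, env in (("sample before", SAMPLE_BROKEN),
                       ("sample after", SAMPLE_FIXED),
                       ("this process", os.environ)):
        report = check_environment_credential(env)
        print(f"[{label}] configured={report['configured']} mode={report['mode']}")
        for mode, gaps in report["missing"].items():
            print(f"  {mode}: missing {', '.join(gaps)}")
        for note in advisories(report):
            print(f"  note: {note}")
        print(f"  variables: {redacted_view(env)}")


if __name__ == "__main__":
    main()
```

Two practitioner caveats go with this. First, the Key Vault access policy the quoted guidance asks for ("Azure Virtual Machines for deployment") only lets the platform pull the certificate while deploying the role; the service principal named in `AZURE_CLIENT_ID` needs its own Key Vault access policy (or RBAC role assignment) before `SecretClient`/`KeyClient` calls from inside the role will succeed. Second, whatever sets the variables on the role (for example the `Runtime`/`Environment`/`Variable` elements in the role's ServiceDefinition.csdef) puts a client secret into the service package in plaintext; certificate-based authentication, or a managed identity where the hosting platform supports one, avoids shipping a reusable secret with the deployment.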