- .NET 9 console app that demonstrates using Azure Arc machine managed identity with Azure Key Vault to:
- Write and read a simple secret (mySecret)
- Retrieve a database connection string (dbconnection) and perform basic INSERT/SELECT/DELETE against a local SQL Server container
- .NET SDK 9
- Docker Desktop (for local SQL Server)
- An Azure subscription
- A Key Vault
- An Azure Arc-enabled server (if testing managed identity from an Arc machine)
- Visual Studio (run as Administrator when debugging this sample on Windows/Arc)
- Start SQL Server in Docker and create schema
- Run KeyVaultManagedIdentityArc/setup-sql.cmd
- The script will: create a docker network, start SQL Server 2022, create database Contacts, create login appuser, grant db_owner, and print a ready-to-use connection string
- Create Key Vault secrets
- Create or identify a Key Vault
- Add secret mySecret with any value you choose
- Add secret dbconnection with the connection string printed by the setup script
- Configure the app
- Edit KeyVaultManagedIdentityArc/appsettings.json
- secretName: name of the simple secret (default mySecret)
- connectionStringName: name of the connection string secret (default dbconnection)
- keyVaultName: your Key Vault name
- KvUri: https://{your-key-vault-name}.vault.azure.net/
- Edit KeyVaultManagedIdentityArc/appsettings.json
- Run
- Build and run the KeyVaultManagedIdentityArc project
- The app will update/read the simple secret and then connect to SQL using the connection string from Key Vault
DefaultAzureCredential automatically uses the Azure Arc Managed Identity flow on an Arc-enabled server. This flow requires access to private key files stored by the Azure Connected Machine Agent:
- Token key directory: C:\ProgramData\AzureConnectedMachineAgent\Tokens
These files are ACL’d to protect the private key. If the run account cannot read them, you will see AuthenticationFailedException with UnauthorizedAccessException (access to Tokens .key is denied).
To run successfully, choose one:
- Run Visual Studio or the app “as Administrator”.
- Grant the run account read/execute on the Tokens directory (applies to future keys as well):
- PowerShell (elevated): icacls "C:\ProgramData\AzureConnectedMachineAgent\Tokens" /grant "":(RX)
Also ensure the Arc agent is healthy and the managed identity has Key Vault access (e.g., Secrets Officer or Key Vault Administrator for the demo).
- Check services: Get-Service -Name "Azure Connected Machine Agent"; Get-Service -Name himds
- Arc agent status: azcmagent show
If you do not want to use Arc MI on the machine (or to avoid changing folder ACLs), exclude Managed Identity and rely on developer credentials (Visual Studio/Azure CLI). Ensure the developer identity has Key Vault access.
- Local SQL connection string example: Server=localhost,1433; Initial Catalog=Contacts; User ID=appuser; Password=S3cure.P@ss_2024; Encrypt=True; TrustServerCertificate=True;
- TrustServerCertificate=True is for local development only
- If SQL errors occur:
- Ensure setup-sql.cmd finished successfully and the container is running
- Verify connectivity with a SQL client using the appuser credentials
- Confirm the Key Vault dbconnection secret value exactly matches the expected connection string
- Ensure port 1433 is available on localhost
- UnauthorizedAccessException to Tokens .key file:
- Run elevated or grant RX to C:\ProgramData\AzureConnectedMachineAgent\Tokens
- Confirm Arc agent/HIMDS services are running
- Verify the Arc machine’s managed identity has Key Vault permissions
- When not on Arc, DefaultAzureCredential falls back to developer credentials; ensure they have access to the Key Vault
- KeyVaultManagedIdentityArc/Program.cs: Main sample logic for Key Vault and SQL access
- KeyVaultManagedIdentityArc/appsettings.json: Configuration (Key Vault and secret names)
- KeyVaultManagedIdentityArc/setup-sql.cmd: Idempotent Docker + SQL setup helper script
- Infra.bicep: Optional infrastructure as code entry point (customize as needed)
- Stop and remove the Docker container if not needed
- Remove Key Vault secrets created for the demo