Azure Storage Client Side Encryption

I'm trying to test client-side encryption with an Azure storage account. So far I've created a resource group, put my Key Vault in it, registered an app on Active Directory, and inside my Key Vault I've created a secret.



I think I'm failing to map my secret to my storage account, but I figured that they should work if they are in the same resource group.


# Key material typed in by hand (16 bytes = 128 bits), base64-encoded so the
# Key Vault resolver can turn the secret value back into raw key bytes.
$key = "qwertyuiopasdfgh"
$b = [System.Text.Encoding]::UTF8.GetBytes($key)
$enc = [System.Convert]::ToBase64String($b)
$secretvalue = ConvertTo-SecureString $enc -AsPlainText -Force

# Content type application/octet-stream marks the secret as raw key bytes for the resolver.
$secret = Set-AzureKeyVaultSecret -VaultName 'ectotecStorageKeyVault' -Name 'ectotecSecret' -SecretValue $secretvalue -ContentType "application/octet-stream"

The problem is that I'm getting an "invalid secret provided" error with the following code:



using System;
using System.Configuration;
using System.Threading;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;                          // KeyVaultKeyResolver
using Microsoft.IdentityModel.Clients.ActiveDirectory;  // ADAL: AuthenticationContext, ClientCredential
using Microsoft.WindowsAzure.Storage;
using Microsoft.WindowsAzure.Storage.Auth;
using Microsoft.WindowsAzure.Storage.Blob;

namespace cifradoApp
{
    class Program
    {
        // Callback handed to KeyVaultKeyResolver: it must return an AAD bearer token
        // for the Key Vault resource. clientId/clientSecret are the AAD application's
        // own credentials, not anything stored inside the vault.
        private async static Task<string> GetToken(string authority, string resource, string scope)
        {
            var authContext = new AuthenticationContext(authority);
            ClientCredential clientCred = new ClientCredential(
                ConfigurationManager.AppSettings["clientId"],
                ConfigurationManager.AppSettings["clientSecret"]);
            AuthenticationResult result = await authContext.AcquireTokenAsync(resource, clientCred);

            if (result == null)
                throw new InvalidOperationException("Failed to obtain the JWT token");

            return result.AccessToken;
        }

        static void Main(string[] args)
        {
            // This is standard code to interact with Blob storage.
            StorageCredentials creds = new StorageCredentials(
                ConfigurationManager.AppSettings["accountName"],
                ConfigurationManager.AppSettings["accountKey"]);

            CloudStorageAccount account = new CloudStorageAccount(creds, useHttps: true);
            CloudBlobClient client = account.CreateCloudBlobClient();
            CloudBlobContainer contain = client.GetContainerReference(ConfigurationManager.AppSettings["container"]);
            contain.CreateIfNotExists();

            // The Resolver object is used to interact with Key Vault for Azure Storage.
            // This is where the GetToken method from above is used.
            KeyVaultKeyResolver cloudResolver = new KeyVaultKeyResolver(GetToken);

            // Resolve the secret created with Set-AzureKeyVaultSecret above. Because the
            // secret's content type is application/octet-stream, the resolver returns a
            // SymmetricKey built from the base64-decoded secret value (a vault *key*
            // would come back as an RsaKey). The versioned URL pins one secret version.
            var key = cloudResolver.ResolveKeyAsync(
                "https://ectotecstoragekeyvault.vault.azure.net/secrets/ectotecSecret/dee97a40c78a4638bbb3fa0d3e13f75e",
                CancellationToken.None).GetAwaiter().GetResult();

            // Use the resolved key as the key-encryption key in the BlobEncryptionPolicy;
            // the SDK generates a fresh content-encryption key per blob and wraps it with this key.
            BlobEncryptionPolicy policy = new BlobEncryptionPolicy(key, null);
            BlobRequestOptions options = new BlobRequestOptions() { EncryptionPolicy = policy };

            // Reference a block blob.
            CloudBlockBlob blob = contain.GetBlockBlobReference("BlobPruebaEncrypted.txt");

            // Upload using the UploadFromStream method.
            using (var stream = System.IO.File.OpenRead(@"C:\Users\moise\Desktop\ectotec stuff\Visual Studio\azureStorageSample\container\BlobPrueba.txt"))
                blob.UploadFromStream(stream, stream.Length, null, options, null);
        }
    }
}


My app settings seem to be working fine, since I validated them before with only my account name and key to access the storage account; when I ran tests without client-side encryption, everything worked just fine. The problem seems to come from the secret.



ERROR WHEN I TRY TO UPLOAD SOMETHING TO MY STORAGE ACCOUNT CONTAINER (BLOB)



AdalException: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: 52047a12-b950-4d8a-9206-120e383feb00\r\nCorrelation ID: e2ad8afe-4272-49aa-94c0-5dad435ffc45\r\nTimestamp: 2019-01-02 17:10:32Z","error_codes":[70002,50012],"timestamp":"2019-01-02 17:10:32Z","trace_id":"52047a12-b950-4d8a-9206-120e383feb00","correlation_id":"e2ad8afe-4272-49aa-94c0-5dad435ffc45"}: Unknown error



<appSettings>
<add key="accountName" value="sampleExample"/>
<add key="accountKey" value="KeyForMyApp"/>
<add key="clientId" value="app-id"/>
<add key="clientSecret" value="qwertyuiopasdfgh"/>
<add key="container" value="ectotec-sample2"/>
</appSettings>


I'm trying to replicate the example in this tutorial:



https://docs.microsoft.com/en-us/azure/storage/blobs/storage-encrypt-decrypt-blobs-key-vault
Tags: c#, encryption, azure-storage, azure-keyvault

asked Jan 2 at 17:15 by Alexandro Navarro

  • Have you granted your app access to read the secrets in Key Vault? This is separate to having RBAC rights on KV.

    – Sam Cogan
    Jan 2 at 17:38











  • I haven't. That's actually what I've been trying to find out how to do, but I'm clueless. Any intel would be really appreciated.

    – Alexandro Navarro
    Jan 2 at 17:48











  • See answer below

    – Sam Cogan
    Jan 2 at 17:53
1 Answer

You need to make sure that you have granted your application rights to read keys. This is separate from the RBAC permissions on the Key Vault.

To do this, browse to the Key Vault in the portal; on the menu on the left you will see a settings section, and under here an item called "access policies". Click on this.

Access Policies

You then want to click the "Add New" button. In the window that opens, click on the "Select Principal" section, and then enter the name or application ID of the application you want to have access. Select the appropriate permissions for keys, secrets or certificates and then click OK.

This will take you back to the list of authorised users; be sure to click save at the top left (it isn't obvious you need to do this), and your app should then have access.
answered Jan 2 at 17:53 by Sam Cogan

  • Thank you for your time. I've granted my application the rights to read keys. I've noticed that on my storage account there's an option for encryption and I can select keys from my vault; when I select my vault it only allows me to select the keys, but not the secrets in the vault. Basically, I'm unable to "map" a secret to my storage account.

    – Alexandro Navarro
    Jan 2 at 19:05











  • The option in the portal for encryption is for server-side encryption of the whole storage account (the Key Vault link is for bring-your-own-key); this isn't what you want if you are looking for client-side encryption.

    – Sam Cogan
    Jan 2 at 19:07











  • Alright. Just to make sure: account name -> [storage account name], account key -> [storage account key], client id -> [application id], client secret -> [my secret value?], container -> [my storage account blob container]

    – Alexandro Navarro
    Jan 2 at 20:07













  • Client secret is wrong; this is the secret/password for your application. It should have been displayed when you created the app if you used the CLI; if not, you can find it in the properties of the app, where you'll need to create a new one under the keys section.

    – Sam Cogan
    Jan 2 at 20:22
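Putting the answer and the comment thread together, here is an added example (not part of the question or the answer) of the same setup done with the AzureRM PowerShell cmdlets the question already uses. It stores a randomly generated symmetric key as the vault secret, creates the AAD application's own password (which is the real clientSecret), grants the application's service principal an access policy on the vault, and then checks, signed in as the application, that the secret resolves to usable key bytes. The application ID, the AzureRM 6.x parameter shapes (New-AzureRmADAppCredential taking a SecureString) and the tenant taken from the current context are assumptions; the vault and secret names are the ones from the question.

```powershell
# Added example (not from the question or answer): wire an AAD application up so that
# KeyVaultKeyResolver can read a symmetric key stored as a Key Vault secret, then verify
# it as the application itself. Run after Connect-AzureRmAccount as a user who owns both
# the vault and the app registration.
$vaultName  = 'ectotecStorageKeyVault'                  # from the question
$secretName = 'ectotecSecret'                           # from the question
$appId      = '00000000-0000-0000-0000-000000000000'    # ASSUMED: Application (client) ID of the registered app
$tenantId   = (Get-AzureRmContext).Tenant.Id            # ASSUMED: the app lives in the current context's tenant

$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

# 1. Key material for client-side encryption: 32 random bytes (AES-256), base64-encoded and
#    stored with content type application/octet-stream so the resolver returns a SymmetricKey.
#    A typed-in string such as "qwertyuiopasdfgh" is guessable; key bytes must come from an RNG.
$keyBytes = New-Object byte[] 32
$rng.GetBytes($keyBytes)
$secretValue = ConvertTo-SecureString ([Convert]::ToBase64String($keyBytes)) -AsPlainText -Force
Set-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName -SecretValue $secretValue `
    -ContentType 'application/octet-stream' | Out-Null

# 2. The application's own credential. THIS is the value for appSettings "clientSecret";
#    the vault secret above is never used to authenticate to AAD.
$pwBytes = New-Object byte[] 32
$rng.GetBytes($pwBytes)
$clientSecret = [Convert]::ToBase64String($pwBytes)
$secureClientSecret = ConvertTo-SecureString $clientSecret -AsPlainText -Force
New-AzureRmADAppCredential -ApplicationId $appId -Password $secureClientSecret `
    -EndDate (Get-Date).AddYears(1) | Out-Null

# 3. Access policies bind to the app's service principal (not the app object) and are
#    independent of RBAC role assignments on the vault resource. 'get' is all that
#    ResolveKeyAsync needs for a secret; use -PermissionsToKeys get,wrapKey,unwrapKey
#    instead if a vault *key* (RsaKey) is used.
if (-not (Get-AzureRmADServicePrincipal -ServicePrincipalName $appId)) {
    New-AzureRmADServicePrincipal -ApplicationId $appId | Out-Null
}
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ServicePrincipalName $appId -PermissionsToSecrets get

# 4. Verify as the application, which is exactly what the C# GetToken callback does.
#    A freshly created credential can take a minute to propagate; AADSTS50012 until then is expected.
$cred = New-Object System.Management.Automation.PSCredential ($appId, $secureClientSecret)
Connect-AzureRmAccount -ServicePrincipal -Credential $cred -TenantId $tenantId | Out-Null
$secret   = Get-AzureKeyVaultSecret -VaultName $vaultName -Name $secretName
$resolved = [Convert]::FromBase64String($secret.SecretValueText)
# SymmetricKey accepts 128, 192, 256, 384 or 512-bit keys (16/24/32/48/64 bytes).
if ($secret.ContentType -ne 'application/octet-stream' -or $resolved.Length -notin 16,24,32,48,64) {
    throw "Secret $secretName is not usable as a SymmetricKey (content type '$($secret.ContentType)', $($resolved.Length) bytes)"
}
"Application $appId can read $secretName ($($resolved.Length * 8)-bit key). Put `$clientSecret in appSettings, not the vault value."
```

Connect-AzureRmAccount in step 4 replaces the signed-in user context, so run that part in a fresh session or re-connect afterwards. The value left in $clientSecret belongs in the application's configuration (ideally outside a checked-in App.config); the value inside the vault is only ever seen by the resolver, which is the whole point of keeping the two apart.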

– Sam Cogan
Jan 2 at 19:07













Alright.Just to make sure: account name -> [storage account name], account key -> [storage account key], client id -> [application id], client secret -> [my secret value?], container -> [my storage account blob container]

– Alexandro Navarro
Jan 2 at 20:07







Alright.Just to make sure: account name -> [storage account name], account key -> [storage account key], client id -> [application id], client secret -> [my secret value?], container -> [my storage account blob container]

– Alexandro Navarro
Jan 2 at 20:07















Client secret is wrong, this is the secret/password for your application, it should have been displayed when you created the app if you used the cli, if not you can find it in the properties of the app, you’ll need to create a new one under the keys section.

– Sam Cogan
Jan 2 at 20:22





Client secret is wrong, this is the secret/password for your application, it should have been displayed when you created the app if you used the cli, if not you can find it in the properties of the app, you’ll need to create a new one under the keys section.

– Sam Cogan
Jan 2 at 20:22




















draft saved

draft discarded




















































Thanks for contributing an answer to Stack Overflow!


  • Please be sure to answer the question. Provide details and share your research!

But avoid



  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.


To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f54010508%2fazure-storage-client-side-encryption%23new-answer', 'question_page');
}
);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

Monofisismo

Angular Downloading a file using contenturl with Basic Authentication

Olmecas