Hari Subramaniam

Reputation: 1876

Azure Managed Identity from within a docker container running locally

I am running a docker container consisting of an ASP.NET Core 2.2 API. This API needs access to Azure Key Vault, and I have signed in to Visual Studio with a user that has the right access policies on the Key Vault to retrieve secrets. However, when I use Visual Studio Tools for Docker to debug the container, this particular sign-in does not seem to propagate inside the container running locally. But when I run the application locally (without running it in a docker container), the ASP.NET Core configuration provider seems to pick up my Visual Studio login. Any pointers on this are helpful.

Upvotes: 20

Views: 14921

Answers (3)

Alex Paskhin

Reputation: 59

I read this post about a month ago. I was looking for an answer to a similar question. I found that Docker can run Kubernetes and there is AAD-Pod-Identity https://github.com/Azure/aad-pod-identity which doesn't work for Docker Kubernetes. I forked their repository and made a modification to the mic component. Now it works for Docker Kubernetes; not sure whether the Azure team has plans to get these modifications on board or not.

You can get detailed instructions how to get things running here: https://github.com/Wallsmedia/aad-pod-identity

Upvotes: 1

Matt

Reputation: 21

One more option, which avoids secret injection, is to use the device code authentication flow to obtain a user_impersonation access token. The downside: the developer must manually complete the flow every time the container starts up.

These posts outline the process:

https://joonasw.net/view/device-code-flow
https://blog.simonw.se/getting-an-access-token-for-azuread-using-powershell-and-device-login-flow/

Use the PowerShell clientId to avoid registering a new tenant app. Works like a charm.

Upvotes: 0
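The device code flow the answer above refers to, as an added shell example that is not part of the answer, the linked posts, or any Microsoft tooling. It runs the two-step exchange against Azure AD's v2.0 endpoints with curl (request a device code, then poll the token endpoint until the developer has signed in in a browser) and finishes with the same ACCESS_TOKEN hand-off to docker that the other answer uses. TENANT, CLIENT_ID, IMAGE and the poll_status/json_field helpers are assumptions of this example; CLIENT_ID must be a public client that is allowed to use the device code grant. The JSON responses used to exercise poll_status are constructed, not captured.

```shell
#!/bin/sh
# Added example (not from the answer or the linked posts): OAuth 2.0 device code
# flow against Azure AD v2.0, then pass the resulting token to the container.

TENANT=${TENANT:-common}                     # assumption: tenant id or "common"
SCOPE="https://vault.azure.net/.default"     # delegated Key Vault scope (user_impersonation)
AUTHORITY="https://login.microsoftonline.com/$TENANT/oauth2/v2.0"

# Minimal flat-JSON field extractor (string or number values). Deliberately
# small, not a JSON parser; enough for the token endpoint's flat responses.
json_field() {
  printf '%s' "$1" | sed -n 's/.*"'"$2"'": *"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p'
}

# Classify one token-endpoint response:
#   token   -> access_token present, we are done
#   pending -> user has not finished signing in yet; poll again after `interval`
#   slow    -> server asked us to back off; poll again after interval + 5
#   fail    -> anything else (expired_token, authorization_declined, ...)
poll_status() {
  if [ -n "$(json_field "$1" access_token)" ]; then echo token; return; fi
  case "$(json_field "$1" error)" in
    authorization_pending) echo pending ;;
    slow_down)             echo slow ;;
    *)                     echo fail ;;
  esac
}

# device_code_login CLIENT_ID  -> prints the access token on stdout
device_code_login() {
  resp=$(curl -sS -X POST "$AUTHORITY/devicecode" \
          --data-urlencode "client_id=$1" --data-urlencode "scope=$SCOPE")
  device_code=$(json_field "$resp" device_code)
  interval=$(json_field "$resp" interval)
  [ -n "$device_code" ] || { echo "devicecode request failed: $resp" >&2; return 1; }
  # The developer completes this step in a browser; the script only waits.
  echo "Open $(json_field "$resp" verification_uri) and enter code $(json_field "$resp" user_code)" >&2
  while :; do
    sleep "${interval:-5}"
    resp=$(curl -sS -X POST "$AUTHORITY/token" \
            --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:device_code" \
            --data-urlencode "client_id=$1" \
            --data-urlencode "device_code=$device_code")
    case $(poll_status "$resp") in
      token)   json_field "$resp" access_token; return 0 ;;
      pending) ;;
      slow)    interval=$(( ${interval:-5} + 5 )) ;;
      fail)    echo "token request failed: $(json_field "$resp" error)" >&2; return 1 ;;
    esac
  done
}

# Only talk to the network when invoked as:  CLIENT_ID=<public client id> ./login.sh run IMAGE
if [ "${1:-}" = run ]; then
  tok=$(device_code_login "${CLIENT_ID:?set CLIENT_ID to a public client id}") || exit 1
  docker run --rm -e ACCESS_TOKEN="$tok" "${2:?usage: $0 run IMAGE}"
fi
```

The token obtained this way is the developer's own delegated token, not a managed identity, and it expires after roughly an hour; since the container only reads ACCESS_TOKEN at startup, the flow has to be repeated on every restart, which is the downside the answer mentions. Treat `slow_down` as a real instruction: polling faster than the returned interval gets the client throttled.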

Piizei

Reputation: 1269

I had the same problem with docker and MSI on my Mac. I ended up doing the following workaround:

First, get an access token from the CLI and set it in the environment (and remember to pass it to docker):

export ACCESS_TOKEN=$(az account get-access-token --resource=https://vault.azure.net | jq -r .accessToken)

In the code, pick it up if the token is in the environment:

using System;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;

KeyVaultClient keyVaultClient;
// Token injected by the host, e.g. via `docker run -e ACCESS_TOKEN=...`
var accessToken = Environment.GetEnvironmentVariable("ACCESS_TOKEN");
if (accessToken != null)
{
    // Hand the pre-obtained token back on every call. It is never refreshed,
    // so the container must be restarted once the token expires.
    keyVaultClient = new KeyVaultClient(
        (string authority, string resource, string scope) => Task.FromResult(accessToken));
}
else
{
    // No injected token: fall back to the normal MSI / developer-identity chain.
    var azureServiceTokenProvider = new AzureServiceTokenProvider();
    keyVaultClient = new KeyVaultClient(
        new KeyVaultClient.AuthenticationCallback(
            azureServiceTokenProvider.KeyVaultTokenCallback));
}

Upvotes: 9
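The workaround above, as an added shell example that is not part of the answer or of any Azure tooling: it wraps the `az account get-access-token` / `docker run` hand-off in a script that first checks the token's audience and expiry, because a token minted for the wrong resource, or one about to expire, otherwise surfaces as a bare 401 on the first Key Vault call inside the container. `inject_and_run`, the 300-second margin and the image name are assumptions of this example; the sample token is constructed in the script (unsigned, `alg` `none`) only so the claim checks can be exercised offline, and Key Vault would reject it.

```shell
#!/bin/sh
# Added example (not from the answer above): sanity-check the CLI token before
# handing it to the container. Nothing here validates the signature; Key Vault
# does that. The point is to fail fast on the two mistakes that otherwise show
# up as a 401 inside the container: wrong audience and an already-expired token.

# base64url without padding, as used in JWT segments.
b64url() { base64 | tr -d '\n=' | tr '/+' '_-'; }

# Decode the second (payload) segment of a JWT to its JSON text.
jwt_payload() {
  seg=$(printf '%s' "$1" | cut -s -d. -f2)
  [ -n "$seg" ] || return 1
  seg=$(printf '%s' "$seg" | tr '_-' '/+')          # base64url -> base64
  case $(( ${#seg} % 4 )) in                          # restore padding
    2) seg="${seg}==" ;;
    3) seg="${seg}=" ;;
    1) return 1 ;;
  esac
  printf '%s' "$seg" | base64 -d 2>/dev/null || printf '%s' "$seg" | base64 -D 2>/dev/null
}

# Pull one top-level string or number claim out of the payload. Deliberately
# small extractor for flat claims like aud/exp, not a JSON parser.
jwt_claim() {
  v=$(jwt_payload "$1" | sed -n 's/.*"'"$2"'":"\{0,1\}\([^",}]*\)"\{0,1\}.*/\1/p')
  [ -n "$v" ] || return 1
  printf '%s\n' "$v"
}

# token_is_usable TOKEN EXPECTED_AUD [MARGIN_SECONDS]
# Succeeds only if aud matches exactly and exp is at least MARGIN seconds away.
token_is_usable() {
  tok=$1; want_aud=$2; margin=${3:-300}
  aud=$(jwt_claim "$tok" aud) || { echo "token has no aud claim" >&2; return 1; }
  exp=$(jwt_claim "$tok" exp) || { echo "token has no exp claim" >&2; return 1; }
  case $exp in ''|*[!0-9]*) echo "exp is not numeric: $exp" >&2; return 1 ;; esac
  if [ "$aud" != "$want_aud" ]; then
    echo "audience is '$aud', expected '$want_aud'" >&2; return 1
  fi
  now=$(date +%s)
  if [ "$exp" -le $((now + margin)) ]; then
    echo "token expires in $((exp - now))s, less than the ${margin}s margin" >&2; return 1
  fi
  return 0
}

# Constructed, unsigned sample token (alg "none", fake signature segment) so the
# checks above can be exercised offline. Key Vault would reject it.
make_sample_token() {   # make_sample_token EXP AUD
  hdr=$(printf '%s' '{"alg":"none","typ":"JWT"}' | b64url)
  body=$(printf '{"aud":"%s","exp":%s}' "$2" "$1" | b64url)
  printf '%s.%s.unsigned' "$hdr" "$body"
}

# Real flow (assumed wrapper; needs az and docker): mint a Key Vault token for the
# signed-in developer, check it, and pass it to the container as ACCESS_TOKEN,
# which is the variable the answer's C# reads.
inject_and_run() {   # inject_and_run IMAGE
  tok=$(az account get-access-token --resource=https://vault.azure.net \
        --query accessToken -o tsv) || return 1
  token_is_usable "$tok" https://vault.azure.net 300 || return 1
  docker run --rm -e ACCESS_TOKEN="$tok" "$1"
}

# Only touch az/docker when invoked as:  ./inject.sh run IMAGE
if [ "${1:-}" = run ]; then
  inject_and_run "${2:?usage: $0 run IMAGE}"
fi
```

Two caveats a practitioner should keep in mind with this approach: the token is the developer's own user token, not a managed identity, so access policies and audit logs show the developer, and an environment variable is readable by anyone who can run `docker inspect` on the host or read the process environment in the container. That is acceptable on a single-user dev machine, which is the scenario in the question, but it is not a pattern to carry into shared or production environments.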
