CODEWITHSUNDEEP
azureazure-active-directoryazure-web-app-serviceazure-keyvaultazure-managed-identity
Gandhi
Gandhi

Reputation: 11935

Accessing Azure Key Vault from JAVA Azure App Service using managed identities

I have a spring boot application deployed in Azure App Service that access Azure Key Vault using User Managed identities.

I have followed the steps mentioned below:

  1. Created an User Managed Identity
  2. Deployed the spring boot app in Azure App service
  3. Added the newly created User Managed Identity to the App service via Identity option
  4. Added the User Managed Identity as Owner role under Role Assignments of IAM in App Service
  5. Create Azure Key Vault and added a secret to it
  6. Added the User Managed Identity under Access Policies of the newly created Key vault with Get, List, Set permissions in Secret Permissions section
  7. Added the User Managed Identity as Owner role under Role Assignments of IAM in Key Vault

My Java code to access Key Vault from the application is as follows:

MSICredentials msiCredentials = new MSICredentials(AzureEnvironment.AZURE);
msiCredentials = msiCredentials.withClientId("client_id");
KeyVaultClient keyVaultClient = new KeyVaultClient(msiCredentials);
SecretBundle secretBundle = keyVaultClient.getSecret("key_vault_base_url","secret_name");

While executing this code in Azure App service deployment, I am getting the following error:

java.net.ConnectException: Connection refused (Connection refused)] with root cause 2020-02-18T10:21:14.800677788Z 2020-02-18T10:21:14.800684689Z java.net.ConnectException: Connection refused (Connection refused) 2020-02-18T10:21:14.800689989Z at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_232] 2020-02-18T10:21:14.800695689Z at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_232] 2020-02-18T10:21:14.800700989Z at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_232] 2020-02-18T10:21:14.800706089Z at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_232] 2020-02-18T10:21:14.800711089Z at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_232] 2020-02-18T10:21:14.800716189Z at java.net.Socket.connect(Socket.java:607) ~[na:1.8.0_232] 2020-02-18T10:21:14.800720890Z at java.net.Socket.connect(Socket.java:556) ~[na:1.8.0_232] 2020-02-18T10:21:14.800725790Z at sun.net.NetworkClient.doConnect(NetworkClient.java:180) ~[na:1.8.0_232] 2020-02-18T10:21:14.800730590Z at sun.net.www.http.HttpClient.openServer(HttpClient.java:463) ~[na:1.8.0_232] 2020-02-18T10:21:14.800735490Z at sun.net.www.http.HttpClient.openServer(HttpClient.java:558) ~[na:1.8.0_232] 2020-02-18T10:21:14.800740290Z at sun.net.www.http.HttpClient.(HttpClient.java:242) ~[na:1.8.0_232] 2020-02-18T10:21:14.800745390Z at sun.net.www.http.HttpClient.New(HttpClient.java:339) ~[na:1.8.0_232] 2020-02-18T10:21:14.800750191Z at sun.net.www.http.HttpClient.New(HttpClient.java:357) ~[na:1.8.0_232] 2020-02-18T10:21:14.800755291Z at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1226) ~[na:1.8.0_232] 2020-02-18T10:21:14.800760191Z at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1162) ~[na:1.8.0_232] 2020-02-18T10:21:14.800765091Z at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056) ~[na:1.8.0_232] 2020-02-18T10:21:14.800769991Z at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:990) ~[na:1.8.0_232] 2020-02-18T10:21:14.800784292Z at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570) ~[na:1.8.0_232] 2020-02-18T10:21:14.800790492Z at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498) ~[na:1.8.0_232] 2020-02-18T10:21:14.800795392Z at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) ~[na:1.8.0_232] 2020-02-18T10:21:14.800800192Z at com.microsoft.azure.credentials.MSICredentials.retrieveTokenFromIDMSWithRetry(MSICredentials.java:269) ~[azure-client-authentication-1.6.12.jar!/:na] 2020-02-18T10:21:14.800804992Z at com.microsoft.azure.credentials.MSICredentials.getTokenFromIMDSEndpoint(MSICredentials.java:205) ~[azure-client-authentication-1.6.12.jar!/:na] 2020-02-18T10:21:14.800809692Z at com.microsoft.azure.credentials.MSICredentials.getToken(MSICredentials.java:146) ~[azure-client-authentication-1.6.12.jar!/:na] 2020-02-18T10:21:14.800814392Z at com.microsoft.azure.credentials.AzureTokenCredentials.getToken(AzureTokenCredentials.java:74) ~[azure-client-runtime-1.6.12.jar!/:na] 2020-02-18T10:21:14.800819093Z at com.microsoft.azure.credentials.AzureTokenCredentialsInterceptor.intercept(AzureTokenCredentialsInterceptor.java:36) ~[azure-client-runtime-1.6.12.jar!/:na]

Looking at the code of MSICredentials.java in Azure SDK, I could see that the request to following URL - http://169.254.169.254/metadata/identity/oauth2/ is getting refused.

Could someone guide me on the settings to get away from this issue? Am I missing any config? Any pointers will be really helpful.

Upvotes: 0

Views: 1871

Answers (1)

Gandhi
Gandhi

Reputation: 11935

Managed to resolve the issue using System Managed Identity rather than User Managed Identity as User Managed Identity doesn't seem to be working with Azure KeyVault currently.

Have created a repo in GitHub that contains the sample code for connecting to Azure resources from AppService using System Managed Identity. The repo link is as follows - Azure_AppService_ManagedIdentity

Upvotes: 1

Related Questions