Reputation: 118
I am trying to achieve the following:
Be able to use an Azure user-assigned managed identity (UAMI) to authenticate to Vault (deployed on Azure) from a Spring Boot application (deployed within AKS).
Stack: OpenJDK 8, Spring Boot 2.5.4, spring-cloud-starter-vault-config 3.0.3, AKS
I have HashiCorp Vault installed on Azure. The document below suggests I can use UAMI in this case to authenticate to Vault, referring to https://cloud.spring.io/spring-cloud-vault/reference/html/
Spring Boot application config:
application.yml:
server:
  port: 8090
spring:
  application:
    name: my application-service
  # spring.config.import is the Spring Boot 2.4+ key that activates the vault:// config-data import
  config:
    import: vault://secret/somepath_to_secrets
  cloud:
    vault:
      uri: https://my-vault-uri
      scheme: https
      namespace: myapp
      authentication: AZURE_MSI
      azure-msi:
        role: pod_identity_role_name
This works somewhat OK locally, as the logs say it is trying to hit the Vault URI mentioned above and make a connection; of course I cannot test this locally end to end because of Azure MSI. I am using a user-assigned managed identity (UAMI).
But when I deploy this to the Azure Kubernetes cluster, it gives me the following error and doesn't even try to connect to Vault. It seems like it is expecting token authentication:
Error creating bean with name 'clientAuthentication' defined in class path resource
caused by java.lang.IllegalArgumentException: Token(spring.cloud.vault.token) must not be empty
This is not making sense to me, as the local and AKS logs are totally different. I have the root certs in my JKS on both local and AKS.
Could someone please help me with this? I have looked at various documents, but they all seem to be old.
Upvotes: 0
Views: 658
Reputation: 3119
As per the document below, Integrating Hashicorp Vault with Azure AKS using Azure POD Identity - Arctiq, you can integrate your HashiCorp Vault with AKS. You can generate an authentication token from AKS to authenticate to HashiCorp Vault.
Azure AD Pod Identity allows you to bind Pods to an Azure Identity that is managed outside of your cluster. Vault can be configured to use Azure AD as an identity provider, which will enable your containerized applications in AKS to consume secrets in Vault without any code modifications.
1. Enable Azure AD Pod Identity on your AKS.
2. Create an Azure Identity.
3. Deploy the Azure Identity to AKS.
4. Deploy the HashiCorp Vault to AKS.
5. Verify the Azure Identity binding.
6. From inside the pod session, grab the token from the Azure Metadata Service and then use the JWT token to authenticate with Vault.
Upvotes: 0
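The exchange in step 6 (IMDS token, then Vault's Azure auth login), written out as an added example; this is not code from the question, the answer or the linked Arctiq document, and it assumes Vault's Azure auth method is mounted at the default `azure` path with `resource` set to https://management.azure.com/, and that the role name and the UAMI client id are supplied by the caller. It also sanity-checks the token's audience, expiry and `appid` locally before sending it, which turns an opaque Vault login failure into a readable misconfiguration message. Spring Cloud Vault's `AZURE_MSI` mode performs this same exchange for you.

```python
import base64, json, time, urllib.parse, urllib.request

IMDS = "http://169.254.169.254/metadata"
RESOURCE = "https://management.azure.com/"  # must equal 'resource' on Vault's azure auth method

def imds_get(path, params):
    """GET an IMDS endpoint; IMDS rejects requests without the Metadata: true header."""
    req = urllib.request.Request(f"{IMDS}/{path}?{urllib.parse.urlencode(params)}",
                                 headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)

def check_token(token, client_id, now=None):
    """Decode the payload WITHOUT verifying it (Vault checks the signature against Azure AD);
    this local look only catches a token minted for the wrong audience or identity."""
    payload = token.split(".")[1]
    c = json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))
    now = time.time() if now is None else now
    if c.get("aud", "").rstrip("/") != RESOURCE.rstrip("/"):
        raise ValueError(f"audience {c.get('aud')!r} is not the Vault resource")
    if c.get("exp", 0) <= now:
        raise ValueError("token already expired")
    if c.get("appid") != client_id:  # for a UAMI token, appid is that identity's client id
        raise ValueError("token belongs to a different managed identity")
    return c

def vault_login_payload(role, token, instance):
    """Body for POST /v1/auth/azure/login, built from IMDS instance metadata."""
    compute = instance["compute"]
    body = {"role": role, "jwt": token, "subscription_id": compute["subscriptionId"],
            "resource_group_name": compute["resourceGroupName"]}
    # AKS nodes are VMSS instances, so Vault's role binding is checked against vmss_name there
    key = "vmss_name" if compute.get("vmScaleSetName") else "vm_name"
    body[key] = compute.get("vmScaleSetName") or compute["name"]
    return body

def login(vault_addr, role, client_id):
    """Full exchange: IMDS token -> local sanity check -> Vault login -> Vault client token."""
    token = imds_get("identity/oauth2/token", {"api-version": "2018-02-01",
                     "resource": RESOURCE, "client_id": client_id})["access_token"]
    check_token(token, client_id)
    body = vault_login_payload(role, token, imds_get("instance", {"api-version": "2019-06-01"}))
    req = urllib.request.Request(f"{vault_addr}/v1/auth/azure/login", data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["auth"]["client_token"]

def sample_jwt(claims):
    """Constructed, unsigned token for offline testing only; Vault would reject it."""
    b64 = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig"
```

The returned client token is what the pod then presents in the X-Vault-Token header for secret reads; `login()` itself only runs inside a pod that NMI is serving, while the two helper functions can be exercised offline with `sample_jwt`.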