Retrieval of secrets in Azure App Service from Hashicorp Vault using Managed Identity | Missing Role - Error

Question

Hashicorp Vault is the native product of our organization and is a widely used and recommended approach for storing all the key-value pairs or any secrets. Any applications that are deployed on Azure too must store/retrieve the token from Hashicorp Vault and not from the Azure Key Vault. I provided this information just to add a bit of background to the requirement.

Now coming to the actual problem, I deployed the dotnet application on Azure App Service, enable the system-managed identity, and was able to successfully retrieve the JWT token.

As per the flow which I understood by reading the documentation, it says, first retrieve the application token deployed on Azure having System Managed Identity enabled. Once this is done, pass this token for validation to Vault which gets it validated using OIDC from AAD. On successful validation, I will be given back the Vault token which can be used to fetch the secrets from Vault.

To perform these steps configuration is required at the Vault side, for which, I performed all the below steps on the vault server installed on my windows local machine:-

Command line operation

Start the Vault server

Open the other command prompt and set the environment variables set VAULT_ADDR=http://127.0.0.1:8200 set VAULT_TOKEN=s.iDdVbLKPCzmqF2z0RiXPMxLk

vault auth enable jwt

vault write auth/jwt/config oidc_discovery_url=https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/ bound_issuer=https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/

vault read auth/jwt/config Policy associated with the sqlconnection:-

create a role (webapp-role) by using the command

curl --header “X-Vault-Token: %VAULT_TOKEN%” --insecure --request POST --data @C:\Users\48013\source\repos\HashVaultAzure\Vault-files\payload.json %VAULT_ADDR%/v1/auth/jwt/role/webapp-role

–payload.json { “bound_audiences”: “https://management.azure.com/”,
 “bound_claims”: { “idp”:
 “https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/”,
 “oid”: “8d2b99fb-f4f4-4afb-9ee3-276891f40a65”, “tid”:
 “4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/” }, “bound_subject”:
 “8d2b99fb-f4f4-4afb-9ee3-276891f40a65”, “claim_mappings”: { “appid”:
 “application_id”, “xms_mirid”: “resource_id” }, “policies”:
 [“sqlconnection”], “role_type”: “jwt”, “token_bound_cidrs”:
 [“10.0.0.0/16”], “token_max_ttl”: “24h”, “user_claim”: “sub” }

Vault read auth/jwt/role/webapp-role

Run the command below with the JWT token retrieved from the application (having the managed identity enabled) deployed on Azure AAD and pass it as “your_jwt”. This command should return the vault token as shown in the link https://www.vaultproject.io/docs/auth/jwt

curl --request POST --data '{"jwt": "your_jwt", "role": "webapp-role"}' http://127.0.0.1:8200/v1/auth/jwt/login

At this point I receive an error – “Missing Role”,

I am stuck here and not able to find any solution.

Expected response should be a vault token/client_token as shown:-

JWT Token decoded information

 {
  "aud": "https://management.azure.com",
  "iss": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
  "iat": 1631172032,
  "nbf": 1631172032,
  "exp": 1631258732,
  "aio": "E2ZgYNBN4JVfle92Tsl1b8m8pc9jAA==",
  "appid": "cf5c734c-a4fd-4d85-8049-53de46db4ec0",
  "appidacr": "2",
  "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
  "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "rh": "0.AVMAb_GVSro1Ukqcs38wDNwMYExzXM_9pIVNgElT3kbbTsBTAAA.",
  "sub": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60",
  "uti": "LDjkUZdlKUS4paEleUUFAA",
  "ver": "1.0",
  "xms_mirid": "/subscriptions/0edeaa4a-d371-4fa8-acbd-3675861b0ac8/resourcegroups/AzureAADResource/providers/Microsoft.Web/sites/hashvault-test",
  "xms_tcdt": "1600006540"
}

Retrieval of secrets in Azure App Service from Hashicorp Vault using Managed Identity | Missing Role - Error

Answers (1)

Related Questions