fortanu82

Reputation: 481

Retrieval of secrets in Azure App Service from Hashicorp Vault using Managed Identity | Missing Role - Error

Hashicorp Vault is the native product of our organization and is a widely used and recommended approach for storing all key-value pairs or any secrets. Any application deployed on Azure must also store/retrieve the token from Hashicorp Vault and not from the Azure Key Vault. I provided this information just to add a bit of background to the requirement.

Now coming to the actual problem: I deployed the dotnet application on Azure App Service, enabled the system-assigned managed identity, and was able to successfully retrieve the JWT token.

As per the flow which I understood by reading the documentation: first retrieve the token for the application deployed on Azure with System Managed Identity enabled. Once this is done, pass this token for validation to Vault, which validates it using OIDC from AAD. On successful validation, I will be given back the Vault token, which can be used to fetch the secrets from Vault.

To perform these steps, configuration is required on the Vault side, for which I performed all the steps below on the Vault server installed on my local Windows machine:

Command line operation

  1. Start the Vault server

  2. Open another command prompt and set the environment variables:

     set VAULT_ADDR=http://127.0.0.1:8200
     set VAULT_TOKEN=s.iDdVbLKPCzmqF2z0RiXPMxLk

  3. vault auth enable jwt

  4. vault write auth/jwt/config oidc_discovery_url=https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/ bound_issuer=https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/

  5. vault read auth/jwt/config

Policy associated with the sqlconnection:

Create a role (webapp-role) using the command:

curl --header "X-Vault-Token: %VAULT_TOKEN%" --insecure --request POST --data @C:\Users\48013\source\repos\HashVaultAzure\Vault-files\payload.json %VAULT_ADDR%/v1/auth/jwt/role/webapp-role

payload.json:

 {
  "bound_audiences": "https://management.azure.com/",
  "bound_claims": {
   "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
   "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
   "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/"
  },
  "bound_subject": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "claim_mappings": {
   "appid": "application_id",
   "xms_mirid": "resource_id"
  },
  "policies": ["sqlconnection"],
  "role_type": "jwt",
  "token_bound_cidrs": ["10.0.0.0/16"],
  "token_max_ttl": "24h",
  "user_claim": "sub"
 }

vault read auth/jwt/role/webapp-role

  6. Run the command below with the JWT token retrieved from the application (having the managed identity enabled) deployed on Azure, passing it as "your_jwt". This command should return the Vault token as shown in the link https://www.vaultproject.io/docs/auth/jwt

curl --request POST --data '{"jwt": "your_jwt", "role": "webapp-role"}' http://127.0.0.1:8200/v1/auth/jwt/login

At this point I receive an error: "Missing Role".

I am stuck here and not able to find any solution.

The expected response should be a Vault token/client_token.

JWT Token decoded information

 {
  "aud": "https://management.azure.com",
  "iss": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
  "iat": 1631172032,
  "nbf": 1631172032,
  "exp": 1631258732,
  "aio": "E2ZgYNBN4JVfle92Tsl1b8m8pc9jAA==",
  "appid": "cf5c734c-a4fd-4d85-8049-53de46db4ec0",
  "appidacr": "2",
  "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
  "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "rh": "0.AVMAb_GVSro1Ukqcs38wDNwMYExzXM_9pIVNgElT3kbbTsBTAAA.",
  "sub": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60",
  "uti": "LDjkUZdlKUS4paEleUUFAA",
  "ver": "1.0",
  "xms_mirid": "/subscriptions/0edeaa4a-d371-4fa8-acbd-3675861b0ac8/resourcegroups/AzureAADResource/providers/Microsoft.Web/sites/hashvault-test",
  "xms_tcdt": "1600006540"
}

Upvotes: 0

Views: 1059
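Before calling `/v1/auth/jwt/login`, it is worth comparing the token's claims with the role's bindings, because Vault matches `bound_audiences`, `bound_subject` and `bound_claims` as exact strings. The following added check is not part of the question or of Vault; it builds a constructed, unsigned token carrying the claims decoded above and compares it against the `webapp-role` payload shown above (signature verification is left to Vault; this is a diagnostic only).

```python
import base64
import json


def _b64url(obj):
    """Base64url-encode a JSON object without padding, as compact JWTs do."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: the claims from the decoded managed-identity token above.
# The signature segment is a placeholder; nothing here verifies signatures.
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com",
    "iss": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
    "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
    "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "sub": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60",
}
SAMPLE_JWT = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}), _b64url(SAMPLE_CLAIMS), "sig"])

# The role bindings as written in payload.json above (note the trailing slashes).
WEBAPP_ROLE = {
    "bound_audiences": ["https://management.azure.com/"],
    "bound_subject": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "bound_claims": {
        "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
        "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
        "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
    },
    "user_claim": "sub",
}


def decode_claims(jwt):
    """Return the payload of a compact JWT without verifying it (diagnostics only)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_role_bindings(jwt, role):
    """List every role binding the token would fail; comparisons are exact strings."""
    claims = decode_claims(jwt)
    problems = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if role.get("bound_audiences") and not set(auds) & set(role["bound_audiences"]):
        problems.append(f"aud {auds} not in bound_audiences {role['bound_audiences']}")
    if role.get("bound_subject") and claims.get("sub") != role["bound_subject"]:
        problems.append(f"sub {claims.get('sub')!r} != bound_subject {role['bound_subject']!r}")
    for name, want in role.get("bound_claims", {}).items():
        if claims.get(name) != want:
            problems.append(f"{name} {claims.get(name)!r} != bound_claims {want!r}")
    if role.get("user_claim") not in claims:
        problems.append(f"user_claim {role.get('user_claim')!r} missing from token")
    return problems
```

Run against the sample, the check reports that both `aud` and `tid` differ from the role only by a trailing slash; the `idp` and `sub` bindings match.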

Answers (1)

fortanu82

Reputation: 481

The issue was with missing configuration on both the Azure Cloud and Vault side. These were the additional steps done to make it work.

Create an Azure SPN (which is equal to creating an app registration with client secret)

az ad sp create-for-rbac --name "Hashicorp Vault Prod AzureSPN" --skip-assignment

Assign it as Reader on the subscription.

Create Vault config

vault auth enable azure

# The tenant_id/resource/client_id/client_secret parameters belong to the azure auth method's config endpoint (auth/azure/config), not auth/jwt/config.
vault write auth/azure/config tenant_id=lg240e12-76g1-748b-cd9c-je6f29562476 resource=https://management.azure.com/ client_id=34906a49-9a8f-462b-9d68-33ae40hgf8ug client_secret=123456ABCDEF

Upvotes: 0
