Felix ZY

Reputation: 976

How to grant all users of a CLI application with `DeviceCodeCredential` access to resources granted to the application?

I'm writing a CLI application for our developers to use for administrative tasks. The intention is for the CLI to pull in secrets etc. from an Azure Key Vault using the Key Vault SDK. Given that it's an internal but "consumer facing" CLI, I don't want to distribute secrets. Therefore, I've opted to use a DeviceCodeCredential.

This works well. However, after approving the login with my user account, it seems that the application is using my identity rather than the application identity (app registration). Unfortunately, this means I'm receiving an access denied error on the key vault despite having added the application as a "Key Vault Secrets User". While I could simply add my own identity or a custom group to the key vault, I would much prefer having a single point of failure via the application identity.

Is there a way to have my application use the application identity instead? I'm using Azure's Identity Client Library for Java.

Upvotes: 0

Views: 85

Answers (1)

Sridevi

Reputation: 22597

Note that the DeviceCodeCredential flow involves user interaction and works with the signed-in user's roles. If you want to use the application identity instead, switch to the client credentials flow.

Initially, I registered one Microsoft Entra ID application with a client secret, as below:

Now, I added the "Key Vault Secrets User" role to that application under Azure Key Vault like this:

I created one secret named secret01 in Azure Key Vault with the value below:

To retrieve this secret value by authenticating as the application identity, I used the sample Java code below and got a response successfully:

package org.example;

import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

public class KeyVaultAccess {
    public static void main(String[] args) {
        // Placeholders: the app registration's (client) ID, its client secret, the tenant ID and the vault URL
        String clientId = "appId";
        String clientSecret = "clientSecret";
        String tenantId = "tenantId";
        String keyVaultUrl = "https://kvname.vault.azure.net";

        // Client credentials flow: the token is issued to the app registration itself, not to a signed-in user
        ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
                .clientId(clientId)
                .clientSecret(clientSecret)
                .tenantId(tenantId)
                .build();

        // Key Vault secrets client authenticating with the application identity
        SecretClient secretClient = new SecretClientBuilder()
                .vaultUrl(keyVaultUrl)
                .credential(clientSecretCredential)
                .buildClient();

        // Read the secret created above (secret01) and print its value
        String secretName = "secret01";
        try {
            String secretValue = secretClient.getSecret(secretName).getValue();
            System.out.println("Secret value: " + secretValue);
        } catch (Exception e) {
            System.err.println("Failed to retrieve the secret: " + e.getMessage());
        }
    }
}

Response: the secret value was returned successfully.

Reference: ClientSecretCredential Class | Microsoft

UPDATE:

If using the client credentials flow violates your requirement, you have to add those users to one group and assign the role to that group under Azure Key Vault as an alternative.

Upvotes: 0
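As an added example (not part of the answer above or of the Azure SDK samples), the following Java snippet shows how to confirm the point being made before touching the vault: it requests a Key Vault token from a DeviceCodeCredential and reads the identity claims, so you can see whether the token names the signed-in user or the app's service principal. The tenant and app IDs are placeholders, and the claim names (upn, preferred_username, oid, appid, azp) are assumed from the Entra token format; the payload is decoded without signature verification, for diagnostics only.

```java
package org.example;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import com.azure.identity.DeviceCodeCredentialBuilder;
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class PrincipalCheck {
    // Key Vault data-plane scope; Key Vault RBAC evaluates the principal named in this token
    static final String KV_SCOPE = "https://vault.azure.net/.default";

    // Pull one string claim out of the JWT payload. Diagnostic only: no signature verification.
    static String claim(String jwt, String name) {
        String[] parts = jwt.split("\\.");
        if (parts.length < 2) return null;
        String payload = new String(Base64.getUrlDecoder().decode(parts[1]), StandardCharsets.UTF_8);
        Matcher m = Pattern.compile("\"" + Pattern.quote(name) + "\"\\s*:\\s*\"([^\"]*)\"").matcher(payload);
        return m.find() ? m.group(1) : null;
    }

    // Report which principal the credential authenticates as, before any vault call is made.
    static String describePrincipal(TokenCredential credential) {
        AccessToken token = credential.getToken(new TokenRequestContext().addScopes(KV_SCOPE)).block();
        String jwt = token.getToken();
        // Assumed claim names: "upn"/"preferred_username" identify a signed-in user (absent in app-only
        // tokens); "oid" is the user's or service principal's object id; "appid"/"azp" is the client app.
        String user = claim(jwt, "upn") != null ? claim(jwt, "upn") : claim(jwt, "preferred_username");
        String oid = claim(jwt, "oid");
        String app = claim(jwt, "appid") != null ? claim(jwt, "appid") : claim(jwt, "azp");
        if (user != null) {
            return "Delegated token: user " + user + " (oid " + oid + ") via app " + app
                    + "; Key Vault RBAC will check the USER's role assignments, not the app's.";
        }
        return "Application token: service principal oid " + oid + " of app " + app
                + "; Key Vault RBAC will check the APP's role assignments.";
    }

    public static void main(String[] args) {
        // Placeholders for the tenant and the CLI's app registration (public client, no secret distributed)
        TokenCredential deviceCode = new DeviceCodeCredentialBuilder()
                .tenantId("tenantId")
                .clientId("appId")
                .challengeConsumer(c -> System.out.println(c.getMessage()))
                .build();
        System.out.println(describePrincipal(deviceCode));
    }
}
```

With a ClientSecretCredential the same check reports an application token, while DeviceCodeCredential reports the signed-in user, which is why the access denied error in the question depends on the user's role assignments rather than the app's.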
