Accessing Azure Key Vault from JAVA Azure App Service using managed identities
I have a Spring Boot application deployed in Azure App Service that accesses Azure Key Vault using a user-assigned managed identity.
I have followed the steps mentioned below:
My Java code to access Key Vault from the application is as follows:
```java
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.MSICredentials;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.models.SecretBundle;

MSICredentials msiCredentials = new MSICredentials(AzureEnvironment.AZURE);
msiCredentials = msiCredentials.withClientId("client_id");            // client id of the user-assigned identity
KeyVaultClient keyVaultClient = new KeyVaultClient(msiCredentials);
SecretBundle secretBundle = keyVaultClient.getSecret("key_vault_base_url", "secret_name");
```
While executing this code in the Azure App Service deployment, I am getting the following error:
```
2020-02-18T10:21:14Z java.net.ConnectException: Connection refused (Connection refused)] with root cause
java.net.ConnectException: Connection refused (Connection refused)
	at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_232]
	at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_232]
	at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_232]
	at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_232]
	at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_232]
	at java.net.Socket.connect(Socket.java:607) ~[na:1.8.0_232]
	at java.net.Socket.connect(Socket.java:556) ~[na:1.8.0_232]
	at sun.net.NetworkClient.doConnect(NetworkClient.java:180) ~[na:1.8.0_232]
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:463) ~[na:1.8.0_232]
	at sun.net.www.http.HttpClient.openServer(HttpClient.java:558) ~[na:1.8.0_232]
	at sun.net.www.http.HttpClient.<init>(HttpClient.java:242) ~[na:1.8.0_232]
	at sun.net.www.http.HttpClient.New(HttpClient.java:339) ~[na:1.8.0_232]
	at sun.net.www.http.HttpClient.New(HttpClient.java:357) ~[na:1.8.0_232]
	at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1226) ~[na:1.8.0_232]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1162) ~[na:1.8.0_232]
	at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056) ~[na:1.8.0_232]
	at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:990) ~[na:1.8.0_232]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570) ~[na:1.8.0_232]
	at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498) ~[na:1.8.0_232]
	at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) ~[na:1.8.0_232]
	at com.microsoft.azure.credentials.MSICredentials.retrieveTokenFromIDMSWithRetry(MSICredentials.java:269) ~[azure-client-authentication-1.6.12.jar!/:na]
	at com.microsoft.azure.credentials.MSICredentials.getTokenFromIMDSEndpoint(MSICredentials.java:205) ~[azure-client-authentication-1.6.12.jar!/:na]
	at com.microsoft.azure.credentials.MSICredentials.getToken(MSICredentials.java:146) ~[azure-client-authentication-1.6.12.jar!/:na]
	at com.microsoft.azure.credentials.AzureTokenCredentials.getToken(AzureTokenCredentials.java:74) ~[azure-client-runtime-1.6.12.jar!/:na]
	at com.microsoft.azure.credentials.AzureTokenCredentialsInterceptor.intercept(AzureTokenCredentialsInterceptor.java:36) ~[azure-client-runtime-1.6.12.jar!/:na]
```
Looking at the code of MSICredentials.java in the Azure SDK, I could see that the request to the following URL, http://169.254.169.254/metadata/identity/oauth2/, is getting refused.
Could someone guide me on the settings to get past this issue? Am I missing any config?
Any pointers will be really helpful.
Managed to resolve the issue by using a system-assigned managed identity rather than a user-assigned managed identity, as the user-assigned managed identity doesn't seem to be working with Azure Key Vault currently.
I have created a repo in GitHub that contains sample code for connecting to Azure resources from App Service using a system-assigned managed identity. The repo link is as follows: Azure_AppService_ManagedIdentity
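The token exchange behind both the question and the answer, as an added example that is not code from the question, the answer, or the linked repo. On App Service the managed-identity token is not served by the VM instance-metadata endpoint (169.254.169.254, the address in the stack trace above); the platform injects a local token service whose address and per-instance secret arrive as environment variables, and a user-assigned identity is selected by adding its client id to that request. The example is written in Python rather than Java so the request shape can be exercised off-box; the endpoint addresses, secrets, client id and token JSON it uses are constructed for illustration, and `fetch_key_vault_token` only does anything useful when run inside an App Service instance.

```python
"""Requesting a managed-identity token for Key Vault from the App Service
local token service (added example; assumptions are marked as such).

Environment variables App Service injects when a managed identity is enabled:
  newer runtimes: IDENTITY_ENDPOINT + IDENTITY_HEADER  (api-version 2019-08-01,
                  secret sent in the X-IDENTITY-HEADER request header)
  older runtimes: MSI_ENDPOINT + MSI_SECRET            (api-version 2017-09-01,
                  secret sent in the 'secret' request header)
A user-assigned identity is chosen with its client id as a query parameter
(client_id for 2019-08-01, clientid for 2017-09-01); omit it to use the
system-assigned identity. With neither pair of variables present nothing local
answers, and an SDK that then falls back to IMDS gets connection refused.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Dict, Mapping, Optional, Tuple

KEY_VAULT_RESOURCE = "https://vault.azure.net"


def build_token_request(env: Mapping[str, str],
                        resource: str = KEY_VAULT_RESOURCE,
                        client_id: Optional[str] = None) -> Tuple[str, Dict[str, str]]:
    """Return (url, headers) for a GET against the App Service token service."""
    if env.get("IDENTITY_ENDPOINT") and env.get("IDENTITY_HEADER"):
        endpoint, api_version = env["IDENTITY_ENDPOINT"], "2019-08-01"
        headers = {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]}
        id_param = "client_id"
    elif env.get("MSI_ENDPOINT") and env.get("MSI_SECRET"):
        endpoint, api_version = env["MSI_ENDPOINT"], "2017-09-01"
        headers = {"secret": env["MSI_SECRET"]}
        id_param = "clientid"
    else:
        raise RuntimeError(
            "no managed-identity variables in the environment: the identity is not "
            "enabled on this app, or the site has not restarted since it was enabled")

    params = {"resource": resource, "api-version": api_version}
    if client_id:  # user-assigned identity; leave out for the system-assigned one
        params[id_param] = client_id
    return f"{endpoint}?{urllib.parse.urlencode(params)}", headers


def parse_token_response(body: bytes, resource: str = KEY_VAULT_RESOURCE) -> str:
    """Pull the bearer token out of the token service's JSON reply.

    Both API versions return access_token, token_type and resource. The
    expires_on field is formatted differently between them, so a caller that
    caches tokens should parse it per API version rather than assume epoch seconds.
    """
    doc = json.loads(body)
    if doc.get("token_type") != "Bearer" or not doc.get("access_token"):
        raise ValueError(f"unexpected token response fields: {sorted(doc)}")
    if doc.get("resource") not in (None, resource):
        # A token for another audience is rejected by Key Vault with 401;
        # fail here so the wrong resource is obvious instead of a vault error.
        raise ValueError(f"token issued for {doc['resource']}, not {resource}")
    return doc["access_token"]


def fetch_key_vault_token(client_id: Optional[str] = None, timeout: float = 5.0) -> str:
    """Live exchange against the real environment; only works inside App Service."""
    url, headers = build_token_request(os.environ, client_id=client_id)
    req = urllib.request.Request(url, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Diagnostic: report which generation of token endpoint this process sees, if any.
    try:
        url, _ = build_token_request(os.environ)
        print("managed-identity token endpoint:", url.split("?")[0])
    except RuntimeError as exc:
        print("managed identity not available:", exc)
```

Running the module from the App Service SSH or Kudu console is the quickest check: if it reports no endpoint, no SDK configuration will help until the identity is enabled and the app restarted; if it reports one, a 400 from the token service when a client id is passed means that identity is not assigned to the app.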