使用托管标识从 JAVA Azure 应用服务访问 Azure Key Vault
[英]Accessing Azure Key Vault from JAVA Azure App Service using managed identities
问题描述
I have a spring boot application deployed in Azure App Service that access Azure Key Vault using User Managed identities.
我在 Azure 应用服务中部署了一个 Spring Boot 应用程序,它使用用户管理的身份访问 Azure Key Vault。
I have followed the steps mentioned below:我已按照下面提到的步骤操作:
- Created an User Managed Identity创建用户管理身份
- Deployed the spring boot app in Azure App service在 Azure 应用服务中部署 spring boot 应用
- Added the newly created User Managed Identity to the App service via Identity option通过身份选项将新创建的用户管理身份添加到应用服务
- Added the User Managed Identity as Owner role under Role Assignments of IAM in App Service在应用服务中 IAM 的角色分配下添加了用户管理身份作为所有者角色
- Create Azure Key Vault and added a secret to it创建 Azure Key Vault 并为其添加机密
- Added the User Managed Identity under Access Policies of the newly created Key vault with Get, List, Set permissions in Secret Permissions section在新创建的 Key Vault 的访问策略下添加了用户管理的身份,并在 Secret Permissions 部分中添加了 Get、List、Set 权限
- Added the User Managed Identity as Owner role under Role Assignments of IAM in Key Vault在 Key Vault 中 IAM 的角色分配下添加了用户管理身份作为所有者角色
My Java code to access Key Vault from the application is as follows:我从应用程序访问 Key Vault 的 Java 代码如下:
MSICredentials msiCredentials = new MSICredentials(AzureEnvironment.AZURE);
msiCredentials = msiCredentials.withClientId("client_id");
KeyVaultClient keyVaultClient = new KeyVaultClient(msiCredentials);
SecretBundle secretBundle = keyVaultClient.getSecret("key_vault_base_url","secret_name");
While executing this code in Azure App service deployment, I am getting the following error:在 Azure 应用服务部署中执行此代码时,出现以下错误:
java.net.ConnectException: Connection refused (Connection refused)] with root cause 2020-02-18T10:21:14.800677788Z 2020-02-18T10:21:14.800684689Z java.net.ConnectException: Connection refused (Connection refused) 2020-02-18T10:21:14.800689989Z at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_232] 2020-02-18T10:21:14.800695689Z at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_232] 2020-02-18T10:21:14.800700989Z at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_232] 2020-02-18T10:21:14.800706089Z at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_232] 2020-02-18T10:21:14.800711089Z at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_232] 2020-02-18T10:21:14.800716189Z at java.net.Socket.connect(Socket.java:607) ~[na:1.8.0_232] 2020-02-18T10:21:14.800720890Z at java.net.Socket.connect(Socket.java:556) ~[na:1.8.0_232] 2020-0
Looking at the code of MSICredentials.java in Azure SDK, I could see that the request to following URL - http://169.254.169.254/metadata/identity/oauth2/ is getting refused.查看 Azure SDK 中 MSICredentials.java 的代码,我可以看到对以下 URL 的请求 - http://169.254.169.254/metadata/identity/oauth2/被拒绝。
Could someone guide me on the settings to get away from this issue?有人可以指导我进行设置以摆脱这个问题吗? Am I missing any config?我缺少任何配置吗? Any pointers will be really helpful.任何指针都会非常有帮助。
1 个解决方案
解决方案1
1 已采纳 2020-02-22 16:44:35
Managed to resolve the issue using System Managed Identity rather than User Managed Identity as User Managed Identity doesn't seem to be working with Azure KeyVault currently.管理使用系统管理标识而不是用户管理标识解决问题,因为用户管理标识目前似乎不适用于 Azure KeyVault。
Have created a repo in GitHub that contains the sample code for connecting to Azure resources from AppService using System Managed Identity.在 GitHub 中创建了一个存储库,其中包含使用系统管理标识从 AppService 连接到 Azure 资源的示例代码。 The repo link is as follows -Azure_AppService_ManagedIdentity repo 链接如下 -Azure_AppService_ManagedIdentity
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.