
Retrieval of secrets in Azure App Service from Hashicorp Vault using Managed Identity | Missing Role - Error

Hashicorp Vault is the native product of our organization and is a widely used and recommended approach for storing all the key-value pairs or any secrets. Any applications that are deployed on Azure too must store/retrieve the token from Hashicorp Vault and not from the Azure Key Vault. I provided this information just to add a bit of background to the requirement.

Now coming to the actual problem: I deployed the .NET application on Azure App Service, enabled the system-managed identity, and was able to successfully retrieve the JWT token.

As per the flow I understood from reading the documentation: first, retrieve the token of the application deployed on Azure that has System Managed Identity enabled. Once this is done, pass this token to Vault for validation, which validates it using OIDC against AAD. On successful validation, I will be given back a Vault token which can be used to fetch the secrets from Vault.

To perform these steps, configuration is required on the Vault side, for which I performed all the steps below on the Vault server installed on my local Windows machine:

Command line operation

  1. Start the Vault server

  2. Open another command prompt and set the environment variables:

         set VAULT_ADDR=http://127.0.0.1:8200
         set VAULT_TOKEN=s.iDdVbLKPCzmqF2z0RiXPMxLk

  3. vault auth enable jwt

  4. vault write auth/jwt/config oidc_discovery_url=https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/ bound_issuer=https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/

  5. vault read auth/jwt/config

Policy associated with the sqlconnection:

Create a role (webapp-role) using the command:

    curl --header "X-Vault-Token: %VAULT_TOKEN%" --insecure --request POST --data @C:\Users\48013\source\repos\HashVaultAzure\Vault-files\payload.json %VAULT_ADDR%/v1/auth/jwt/role/webapp-role

payload.json:

    {
      "bound_audiences": "https://management.azure.com/",
      "bound_claims": {
        "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
        "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
        "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/"
      },
      "bound_subject": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
      "claim_mappings": {
        "appid": "application_id",
        "xms_mirid": "resource_id"
      },
      "policies": ["sqlconnection"],
      "role_type": "jwt",
      "token_bound_cidrs": ["10.0.0.0/16"],
      "token_max_ttl": "24h",
      "user_claim": "sub"
    }

    vault read auth/jwt/role/webapp-role

  6. Run the command below with the JWT token retrieved from the application (having the managed identity enabled) deployed on Azure (AAD), passing it as "your_jwt". This command should return the Vault token as shown at https://www.vaultproject.io/docs/auth/jwt

         curl --request POST --data '{"jwt": "your_jwt", "role": "webapp-role"}' http://127.0.0.1:8200/v1/auth/jwt/login

At this point I receive an error: "Missing Role". I am stuck here and not able to find any solution.

The expected response should be a Vault token/client_token.

JWT Token decoded information

 {
  "aud": "https://management.azure.com",
  "iss": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
  "iat": 1631172032,
  "nbf": 1631172032,
  "exp": 1631258732,
  "aio": "E2ZgYNBN4JVfle92Tsl1b8m8pc9jAA==",
  "appid": "cf5c734c-a4fd-4d85-8049-53de46db4ec0",
  "appidacr": "2",
  "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
  "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "rh": "0.AVMAb_GVSro1Ukqcs38wDNwMYExzXM_9pIVNgElT3kbbTsBTAAA.",
  "sub": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60",
  "uti": "LDjkUZdlKUS4paEleUUFAA",
  "ver": "1.0",
  "xms_mirid": "/subscriptions/0edeaa4a-d371-4fa8-acbd-3675861b0ac8/resourcegroups/AzureAADResource/providers/Microsoft.Web/sites/hashvault-test",
  "xms_tcdt": "1600006540"
}
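Before calling /v1/auth/jwt/login it is worth checking the role's bindings against the claims of the token you are about to send, because Vault compares bound_audiences, bound_subject and bound_claims as exact strings by default (bound_claims_type "string"). The following Python check is an added example, not code from the question or from Vault: it decodes the token payload without verifying the signature (Vault does that on login) and lists every binding that would not match, using the role and the decoded claims from the question as constructed input.

```python
import base64
import json

# Role definition posted in the question (copied here as constructed input).
ROLE = {
    "bound_audiences": "https://management.azure.com/",
    "bound_subject": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "bound_claims": {
        "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
        "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
        "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
    },
}

# The relevant claims decoded from the managed-identity token in the question.
SAMPLE_CLAIMS = {
    "aud": "https://management.azure.com",
    "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
    "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "sub": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed token with a placeholder signature: this check only inspects claims.
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'),
                       _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
                       "placeholder-signature"])

def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT (no signature verification)."""
    header, payload, _sig = token.split(".")
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_role_bindings(role: dict, claims: dict) -> list:
    """List every binding Vault would reject. Strings compare exactly (Vault's
    default bound_claims_type), so a trailing slash is a mismatch."""
    as_list = lambda v: [v] if isinstance(v, str) else list(v or [])
    problems = []
    auds = as_list(role.get("bound_audiences"))
    if auds and not set(auds) & set(as_list(claims.get("aud"))):
        problems.append(f"aud={claims.get('aud')!r} not in bound_audiences {auds}")
    if role.get("bound_subject") and claims.get("sub") != role["bound_subject"]:
        problems.append(f"sub={claims.get('sub')!r} != bound_subject")
    for name, want in role.get("bound_claims", {}).items():
        if claims.get(name) not in as_list(want):
            problems.append(f"{name}={claims.get(name)!r} not in {as_list(want)}")
    return problems
```

Run `check_role_bindings(ROLE, decode_jwt_claims(SAMPLE_JWT))` against a freshly fetched token before the curl login; an empty list means the role's bindings match that token.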

The issue was with missing configuration on both the Azure Cloud and Vault side. These were the additional steps done to make it work.

Create an Azure SPN (which is equal to creating an app registration with a client secret) and assign it as Reader on the subscription:

    az ad sp create-for-rbac --name "Hashicorp Vault Prod AzureSPN" --skip-assignment

Create the Vault config:

    vault auth enable azure
    vault write auth/azure/config tenant_id=lg240e12-76g1-748b-cd9c-je6f29562476 resource=https://management.azure.com/ client_id=34906a49-9a8f-462b-9d68-33ae40hgf8ug client_secret=123456ABCDEF
