
I have enabled the System generated Managed Service Identity for my Azure Linux server and I have also granted this VM access to a Key Vault. I have verified this is working by using curl on the command line to retrieve a token, then use the token to retrieve a secret from the vault.

I need to perform this same task in my Java program, but the current way I am doing it is blocking. Here is my code, lifted from another Stack Overflow post:

    LOGGER.debug("Getting credentials through Managed Service Identity");
    // Credential provider backed by the Managed Service Identity endpoint
    AppServiceMSICredentials credentials = new AppServiceMSICredentials(AzureEnvironment.AZURE);
    LOGGER.debug("Credentials acquired");
    // Key Vault client that will attach the MSI token to each request
    KeyVaultClient keyVaultClient = new KeyVaultClient(credentials);
    LOGGER.debug("Key Vault client created");

The code blocks on the line that tries to acquire the credentials, so all I see in the log is "Getting credentials through Managed Service Identity".

Is this the correct way to get the credentials? If so, any idea why this line is blocking?

plex4r

1 Answer

Take a look at this documentation link: https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-java

  • I have used that way to retrieve the token, but I continue to get a 401 when I try to access the vault using that token, even though access works using curl. I have tried to create a KeyVaultClient with this token, but I still get a 401 when I try to call getSecret: `KeyVaultClient keyVaultClient = new KeyVaultClient(new TokenCredentials(null, securityToken)); secretBundle = keyVaultClient.getSecret(keyVaultUrl, secretName);` – plex4r Jan 11 '19 at 15:45
  • I cycled my VM, added some more debug statements, redeployed, and now it works. That is retrieving the token as in the link from Arturo, then accessing the key vault as in my previous comment. There is one change: I had to use this link to get the token for Key Vault access: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net/. Note the vault.azure.net at the end. – plex4r Jan 11 '19 at 17:14
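The approach the comments converge on (call the VM's IMDS token endpoint with the Key Vault resource, then hand the token to KeyVaultClient via TokenCredentials), written up as an added example; this is not code from the question or the answer. It assumes the legacy azure-keyvault and client-runtime artifacts the question uses; the class name ImdsKeyVaultExample, the timeouts, the regex-based extraction of access_token and the CompletableFuture wrapper (so the caller is not blocked) are my own choices.

```java
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.rest.credentials.TokenCredentials;
import java.io.*;
import java.net.HttpURLConnection;
import java.net.URL;
import java.util.concurrent.CompletableFuture;
import java.util.regex.*;

public class ImdsKeyVaultExample {
    // IMDS token endpoint on an Azure VM, scoped to Key Vault (the URL from the comment above)
    private static final String IMDS_TOKEN_URL =
        "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://vault.azure.net/";

    /** Calls IMDS and returns the access_token from its JSON response. */
    static String getManagedIdentityToken() throws IOException {
        HttpURLConnection conn = (HttpURLConnection) new URL(IMDS_TOKEN_URL).openConnection();
        // IMDS requires this header; it also keeps header-less SSRF requests from reaching the endpoint
        conn.setRequestProperty("Metadata", "true");
        conn.setConnectTimeout(5_000); // fail fast rather than hang the caller
        conn.setReadTimeout(5_000);
        if (conn.getResponseCode() != 200) {
            throw new IOException("IMDS returned HTTP " + conn.getResponseCode());
        }
        StringBuilder body = new StringBuilder();
        try (BufferedReader in = new BufferedReader(new InputStreamReader(conn.getInputStream()))) {
            String line;
            while ((line = in.readLine()) != null) body.append(line);
        }
        // Dependency-free extraction (assumption for this example); a JSON library is preferable in production code
        Matcher m = Pattern.compile("\"access_token\"\\s*:\\s*\"([^\"]+)\"").matcher(body);
        if (!m.find()) throw new IOException("no access_token in IMDS response");
        return m.group(1);
    }

    /** Fetches one secret on a worker thread so the caller is not blocked. */
    static CompletableFuture<String> readSecretAsync(String keyVaultUrl, String secretName) {
        return CompletableFuture.supplyAsync(() -> {
            try {
                // A null scheme defaults to "Bearer", as in the comment above
                TokenCredentials creds = new TokenCredentials(null, getManagedIdentityToken());
                KeyVaultClient client = new KeyVaultClient(creds);
                return client.getSecret(keyVaultUrl, secretName).value();
            } catch (IOException e) {
                throw new RuntimeException("token retrieval failed", e);
            }
        });
    }
}
```

The token returned by IMDS is short-lived, so call getManagedIdentityToken() per request (or cache it until shortly before its expires_on) rather than holding one token for the life of the process.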