Followed this documentation:

https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/keyvault/azure-security-keyvault-secrets/README.md

I get the error:

AADSTS900382: Confidential Client is not supported in Cross Cloud request

Note that this is with government cloud.

Is it just the case that the Java app must be hosted on the same server in the cloud as Azure Key Vault? Because that doesn't really make sense to me.

1 Answer

Regarding the issue, that is because all of the SDKs default to using https://login.microsoftonline.com as the Azure Active Directory authority host. Each of the other clouds has a different authority host endpoint. So we need to change the authority host when we create DefaultAzureCredential.

For example, I use the Azure Identity SDK version 1.1.0-beta.4.

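  1. Install SDK

```xml
<dependencies>
  <dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.1.0-beta.4</version>
  </dependency>
</dependencies>
```

  2. Code

```java
import com.azure.identity.DefaultAzureCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.identity.KnownAuthorityHosts;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

/**
 * The class `KnownAuthorityHosts` lists the Azure Active Directory authority endpoints for all clouds:
 * https://learn.microsoft.com/en-us/java/api/com.azure.identity.knownauthorityhosts?view=azure-java-preview
 */
// Authenticate against the US Government authority instead of the public-cloud default.
DefaultAzureCredential cred = new DefaultAzureCredentialBuilder()
        .authorityHost(KnownAuthorityHosts.AZURE_US_GOVERNMENT)
        .build();
// Replace the placeholder with the URL of your vault.
SecretClient client = new SecretClientBuilder()
        .vaultUrl("<your-vault-url>")
        .credential(cred)
        .buildClient();
```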

For more details, please refer to the article

Jim Xu
  • I missed that this is Java. I followed the article for .NET and that works! Thank you! For any other C# people, `KeyClient` is now `SecretClient`. – jspinella Mar 24 '21 at 22:25
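The mismatch behind the error above can be caught at startup by checking the configured authority host against the cloud implied by the vault URL's DNS suffix. This is an added example, not code from the answer or from the Azure SDK; the class name, the suffix table and the sample vault name are assumptions, and it uses only the JDK (Java 9+).

```java
import java.net.URI;
import java.util.Locale;
import java.util.Map;

public class VaultAuthorityCheck {
    // Key Vault DNS suffix -> Azure AD authority host of the same cloud (assumed table).
    private static final Map<String, String> AUTHORITY_BY_SUFFIX = Map.of(
        ".vault.azure.net", "https://login.microsoftonline.com/",
        ".vault.usgovcloudapi.net", "https://login.microsoftonline.us/",
        ".vault.azure.cn", "https://login.chinacloudapi.cn/");

    /** Returns the authority host for the vault's cloud; throws if the cloud is unknown. */
    static String authorityFor(String vaultUrl) {
        URI uri = URI.create(vaultUrl);
        if (!"https".equalsIgnoreCase(uri.getScheme()) || uri.getHost() == null) {
            throw new IllegalArgumentException("Vault URL must be an https URL: " + vaultUrl);
        }
        String host = uri.getHost().toLowerCase(Locale.ROOT);
        for (Map.Entry<String, String> e : AUTHORITY_BY_SUFFIX.entrySet()) {
            // Match on the parsed host, so "x.vault.azure.net.example.org" is rejected.
            if (host.endsWith(e.getKey())) return e.getValue();
        }
        throw new IllegalArgumentException("Unrecognized Key Vault DNS suffix: " + host);
    }

    /** Fails closed when the configured authority belongs to a different cloud. */
    static void requireSameCloud(String vaultUrl, String configuredAuthority) {
        String expected = authorityFor(vaultUrl);
        String normalized = configuredAuthority.endsWith("/")
            ? configuredAuthority : configuredAuthority + "/";
        if (!expected.equalsIgnoreCase(normalized)) {
            throw new IllegalStateException("Authority " + configuredAuthority
                + " does not match the vault's cloud; expected " + expected);
        }
    }

    public static void main(String[] args) {
        // Constructed sample vault name, not taken from the question.
        String vault = "https://example-vault.vault.usgovcloudapi.net";
        System.out.println(authorityFor(vault));
        try {
            requireSameCloud(vault, "https://login.microsoftonline.com"); // SDK default
        } catch (IllegalStateException ex) {
            System.out.println("Rejected: " + ex.getMessage());
        }
    }
}
```

The string returned by `authorityFor` can be passed to `DefaultAzureCredentialBuilder.authorityHost(...)` in place of a hard-coded constant.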