
Call to return Secret from KeyVault via SecretClient using Managed Identity Credentials does not return from Java call

I am running Ubuntu on a Linux VM in the Azure cloud. This VM has the System Assigned Identity set to "on". My key vault has granted the role of "Key Vault Administrator" to my VM.

My Java code below is taken from the example at https://github.com/Azure/azure-sdk-for-java/wiki/Azure-Identity-Examples. The output is shown below. I have debug set on for com.azure. When it creates the credential, I get one line of output from the Azure SDK code looking for environment variables.

import com.azure.core.http.policy.HttpLogDetailLevel;
import com.azure.core.http.policy.HttpLogOptions;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

// ...

LOGGER.debug("Retrieve Credentials from Azure");
KeyVaultSecret keyVaultSecret = null;
try {
    // Vault URL is built from the vault name plus the vault-host suffix constant
    String keyVaultURL = "https://" + uCCVMAttributesUpdate.getAzureKeyVault()
            + AZURE_KEYVAULT_SUFFIX;
    LOGGER.debug("keyVaultURL<" + keyVaultURL + ">");

    // Client authenticates with the VM's system-assigned managed identity
    SecretClient secretClient = new SecretClientBuilder()
            .httpLogOptions(new HttpLogOptions().setLogLevel(HttpLogDetailLevel.BODY_AND_HEADERS))
            .vaultUrl(keyVaultURL)
            .credential(new ManagedIdentityCredentialBuilder().build())
            .buildClient();
    LOGGER.debug("SecretClient created");
    // Synchronous call; this is the line that never returns
    keyVaultSecret = secretClient.getSecret(AZURE_SECRET_NAME);
    LOGGER.debug("Secrets retrieved");
} catch (Exception e) {
    LOGGER.error("Caught exception reading Azure secrets", e);
}

Output:

2021-03-22 15:21:48 - [pool-3-thread-1][DEBUG][com.impl.ServiceImpl] - Retrieve Credentials from Azure
2021-03-22 15:21:48 - [pool-3-thread-1][DEBUG][com.impl.ServiceImpl] - keyVaultURL<https://KeyVaultName.vault.azure.net/>
2021-03-22 15:21:48 - [pool-3-thread-1][DEBUG][com.azure.core.util.logging.ClientLogger] - Azure Identity => Found the following environment variables:

Does anyone know what the issue could be, or what else I could do to get more debug?

I need to figure out why the call is not returning, throwing an exception, or outputting more debug. Also, I do not understand why it is looking for environment variables since I am using the ManagedIdentityCredentialBuilder.

BTW, I got the same result using the DefaultAzureCredential, which the following link explains will try to find a managed identity first and then fall back on other methods which use environment variables: https://learn.microsoft.com/en-us/java/api/overview/azure/identity-readme?view=azure-java-stable

Thank you for any help.

plex4r
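The question's code makes one blocking call and then sees nothing at all, so there is no way to tell whether the Instance Metadata Service (IMDS), the token exchange or the Key Vault request is the part that stalls. The following diagnostic is an added example, not code from the question or from the Azure SDK: it splits the same operation into three separately timed steps, each bounded by a hard deadline, so "no output" becomes an exception naming the step. It uses only public SDK types (`ManagedIdentityCredential.getToken`, `SecretAsyncClient.getSecret`) and the documented IMDS token endpoint; the class name, the `STEP_TIMEOUT` value and the command-line placeholders for vault URL and secret name are assumptions. It must run on the Azure VM itself, since the IMDS address is link-local.

```java
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenRequestContext;
import com.azure.core.http.policy.HttpLogDetailLevel;
import com.azure.core.http.policy.HttpLogOptions;
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretAsyncClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

/**
 * Added diagnostic (hypothetical class, not part of the Azure SDK): performs
 * "read a secret with the VM's managed identity" as three separately timed steps
 * so a hang can be attributed to IMDS reachability, token acquisition or Key Vault.
 */
public class ManagedIdentityDiagnostic {

    // Documented IMDS token endpoint with resource = Key Vault. Only reachable inside an Azure VM.
    private static final String IMDS_TOKEN_URL =
            "http://169.254.169.254/metadata/identity/oauth2/token"
            + "?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net";

    // Assumed per-step deadline; a stalled step throws instead of blocking forever.
    private static final Duration STEP_TIMEOUT = Duration.ofSeconds(20);

    /** Step 1: plain HTTP probe of IMDS. Reports status and body size only, never the token. */
    static int probeImds() throws Exception {
        HttpClient http = HttpClient.newBuilder()
                .connectTimeout(Duration.ofSeconds(5))
                .build();
        HttpRequest request = HttpRequest.newBuilder(URI.create(IMDS_TOKEN_URL))
                .header("Metadata", "true")   // IMDS rejects requests without this header
                .timeout(STEP_TIMEOUT)
                .GET()
                .build();
        HttpResponse<String> response = http.send(request, HttpResponse.BodyHandlers.ofString());
        System.out.println("[1] IMDS status=" + response.statusCode()
                + " bodyBytes=" + response.body().length());
        return response.statusCode();
    }

    /** Step 2: token through the SDK credential alone, with no Key Vault involvement. */
    static AccessToken acquireToken(ManagedIdentityCredential credential) {
        TokenRequestContext ctx = new TokenRequestContext()
                .addScopes("https://vault.azure.net/.default");
        // Mono.block(Duration) throws if the token has not arrived within the deadline.
        AccessToken token = credential.getToken(ctx).block(STEP_TIMEOUT);
        System.out.println("[2] token acquired, expires " + token.getExpiresAt());
        return token;
    }

    /** Step 3: the Key Vault read, via the async client so it can be bounded the same way. */
    static KeyVaultSecret fetchSecret(String vaultUrl, String secretName,
                                     ManagedIdentityCredential credential) {
        SecretAsyncClient client = new SecretClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(credential)
                // HEADERS, not BODY_AND_HEADERS: the response body is the secret value itself.
                .httpLogOptions(new HttpLogOptions().setLogLevel(HttpLogDetailLevel.HEADERS))
                .buildAsyncClient();
        KeyVaultSecret secret = client.getSecret(secretName).block(STEP_TIMEOUT);
        System.out.println("[3] secret '" + secret.getName() + "' retrieved ("
                + secret.getValue().length() + " chars)");
        return secret;
    }

    public static void main(String[] args) {
        // Placeholders supplied on the command line, e.g.
        //   java ManagedIdentityDiagnostic https://<vault-name>.vault.azure.net/ <secret-name>
        String vaultUrl = args[0];
        String secretName = args[1];
        ManagedIdentityCredential credential = new ManagedIdentityCredentialBuilder().build();
        String step = "1 (IMDS probe)";
        try {
            probeImds();
            step = "2 (token acquisition)";
            acquireToken(credential);
            step = "3 (Key Vault getSecret)";
            fetchSecret(vaultUrl, secretName, credential);
        } catch (Exception e) {
            // A deadline expiry arrives as an IllegalStateException (reactor) or HttpTimeoutException (JDK).
            System.err.println("Diagnostic stopped at step " + step + ": " + e);
        }
    }
}
```

Reading the result: a timeout or connection failure in step 1 is a network or IMDS problem on the VM, not an SDK problem; success in step 1 with a stall in step 2 isolates the SDK's credential path; a 403 in step 3 after a good token in step 2 is authorization (the role assignment on the vault), not authentication. With `HEADERS` logging enabled, the first Key Vault request legitimately comes back `401` with a `WWW-Authenticate` challenge and the SDK immediately repeats it with the bearer token; that pair is the normal Key Vault challenge flow, not a failure. Logging at `HEADERS` rather than `BODY_AND_HEADERS` keeps the retrieved secret out of the application log.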

2 Answers


The code looks correct. You may be using DefaultAzureCredential somewhere; only EnvironmentCredential is related to environment variables.

Note: ManagedIdentityCredential doesn't work in the local environment, see here.

The ManagedIdentityCredential works only in Azure environments of services that support managed identity authentication. It doesn't work in the local environment.

unknown
  • Pamela, thank you for your comments. I am only running this on an Azure VM so, like you said, the code looks correct. If you have any ideas on any way I can debug this or get additional information, please let me know. Is there a way to engage Azure support? – plex4r Mar 24 '21 at 12:11
  • Could you try to debug in the source code of ManagedIdentityCredential? If there is indeed a bug, you could feedback [here](https://feedback.azure.com/forums/169401-azure-active-directory). – unknown Mar 25 '21 at 01:47
  • Hi Pamela, how can I debug this? Where can I get the source code? Thanks for your suggestions! – plex4r Mar 26 '21 at 14:13
  • Refer to the Class: https://github.com/Azure/azure-sdk-for-java/blob/master/sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityCredential.java – unknown Mar 28 '21 at 07:36

This line appears to be just some logging in azure-identity even for MSI.

But the above will not solve your problem. Maybe you can try the latest azure-identity (I think it is 1.2.4) and put it first in your dependencies (to make sure you get the latest azure-core).

And any other output after this log?

weidongxu
  • weidongxu, there is no other output after the one line from com.azure: "Azure Identity => Found the following environment variables:". I also did upgrade to 1.2.4 but I got the same result. Please let me know if you have any other suggestions. – plex4r Mar 26 '21 at 14:12
  • I actually tried it [here](https://github.com/weidongxu-microsoft/az-java-sdk-data/tree/9781d144e0380a766bb102750de5043f4706387f). No problem from my test. One strange thing is that it will first try a request without Bearer token and fail with 401, then another request returns 200. And I didn't see the "Azure Identity => Found the following environment variables:" log, instead I saw "Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT" then "Azure Identity => getToken() result for scopes [https://vault.azure.net/.default]: SUCCESS". – weidongxu Mar 27 '21 at 07:17