I am trying to achieve the following:
Use an Azure user-assigned managed identity (UAMI) to authenticate to Vault (deployed on Azure) from a Spring Boot application (deployed within AKS).
Stack: OpenJDK 8, Spring Boot 2.5.4, spring-cloud-starter-vault-config 3.0.3, AKS
I have HashiCorp Vault installed on Azure. The document below suggests I can use a UAMI in this case to authenticate to Vault. Referring to https://cloud.spring.io/spring-cloud-vault/reference/html/
Spring Boot application config:
application.yml:
server:
  port: 8090
spring:
  application:
    name: my application-service
  # Spring Boot 2.4+ reads config-data imports from spring.config.import
  # (not spring.cloud.config.import); the vault:// import activates Spring Cloud Vault.
  config:
    import: vault://secret/somepath_to_secrets
  cloud:
    vault:
      uri: https://my-vault-uri
      scheme: https
      namespace: myapp
      # AZURE_MSI logs in via the Azure instance metadata service instead of a static token
      authentication: AZURE_MSI
      azure-msi:
        role: pod_identity_role_name
This works somewhat OK locally, as the logs say it is trying to hit the Vault URI mentioned above and make a connection; of course I cannot test this locally end to end because of Azure MSI. I am using a user-assigned managed identity (UAMI).
But when I deploy this to the Azure Kubernetes cluster, it gives me the following error and doesn't even try to connect to Vault. It seems to be expecting token authentication:
Error creating bean with name 'clientAuthentication' defined in class path resource
caused by java.lang.IllegalArgumentException: Token(spring.cloud.vault.token) must not be empty
This is not making sense to me, as the local and AKS logs are totally different. I have the root certs in my JKS both locally and on AKS.
Could someone please help me with this? I have looked at various documents, but they all seem to be old.
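For reference, the AZURE_MSI authentication that the question's config selects is a three-call exchange: read the node's instance metadata from the Azure IMDS endpoint, obtain an access token for the Vault audience from the same endpoint, then POST both to Vault's `auth/azure/login`. The script below is an added example written for this page (it is neither the poster's code nor Spring Cloud Vault's implementation) that performs that exchange step by step with only the standard library, so each step can be tried from inside a pod when the application itself will not get that far. The Vault address, namespace, role and UAMI client id are placeholders taken from the question; the `client_id` query parameter (Azure's way of selecting one of several identities on a node) and the choice to send `vmss_name` for scale-set nodes are this example's own assumptions, not something the question or the Spring documentation quoted above states.

```python
"""Walk the Azure MSI -> Vault login exchange by hand.

Added example (not from the question or from Spring Cloud Vault). It issues the
same three HTTP calls that the AZURE_MSI client authentication relies on:
  1. GET  IMDS instance metadata   (subscription, resource group, VM/VMSS name)
  2. GET  IMDS identity token      (JWT with Vault's expected audience)
  3. POST <vault>/v1/auth/azure/login
Every network call goes through an injectable `fetch` so the flow can also be
exercised offline with constructed responses.
"""
import json
import urllib.parse
import urllib.request

IMDS = "http://169.254.169.254/metadata"
INSTANCE_URL = f"{IMDS}/instance?api-version=2018-02-01"
TOKEN_URL = f"{IMDS}/identity/oauth2/token?api-version=2018-02-01"
# Vault's azure auth method validates the JWT audience against its configured
# `resource`, whose default is the ARM endpoint.
VAULT_AUDIENCE = "https://management.azure.com/"


def http_json(url, headers=None, body=None):
    """Minimal JSON client over urllib; issues a POST when a body is given."""
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers or {})
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode())


def instance_metadata(fetch=http_json):
    """Step 1: identify the node. IMDS requires the `Metadata: true` header."""
    compute = fetch(INSTANCE_URL, headers={"Metadata": "true"})["compute"]
    return {
        "subscription_id": compute["subscriptionId"],
        "resource_group_name": compute["resourceGroupName"],
        "vm_name": compute["name"],
        "vmss_name": compute.get("vmScaleSetName", ""),
    }


def identity_token(client_id=None, fetch=http_json):
    """Step 2: request an access token for the Vault audience.

    When several identities are attached to the node, `client_id` selects the
    user-assigned one (assumption: the UAMI's client id is known to the caller).
    """
    params = {"resource": VAULT_AUDIENCE}
    if client_id:
        params["client_id"] = client_id
    url = TOKEN_URL + "&" + urllib.parse.urlencode(params)
    return fetch(url, headers={"Metadata": "true"})["access_token"]


def vault_login_payload(role, jwt, meta):
    """Body for POST /v1/auth/azure/login.

    Vault wants either vm_name or vmss_name alongside subscription and resource
    group; AKS nodes are scale-set members, so vmss_name is preferred when set.
    """
    payload = {
        "role": role,
        "jwt": jwt,
        "subscription_id": meta["subscription_id"],
        "resource_group_name": meta["resource_group_name"],
    }
    if meta.get("vmss_name"):
        payload["vmss_name"] = meta["vmss_name"]
    else:
        payload["vm_name"] = meta["vm_name"]
    return payload


def vault_login(vault_addr, role, namespace=None, client_id=None, fetch=http_json):
    """Step 3: exchange the IMDS token for a Vault client token."""
    meta = instance_metadata(fetch)
    jwt = identity_token(client_id, fetch)
    # Vault Enterprise namespaces are selected per request via this header.
    headers = {"X-Vault-Namespace": namespace} if namespace else {}
    resp = fetch(f"{vault_addr}/v1/auth/azure/login", headers=headers,
                 body=vault_login_payload(role, jwt, meta))
    return resp["auth"]["client_token"]


if __name__ == "__main__":
    # Placeholders from the question; replace with real values inside the pod.
    token = vault_login("https://my-vault-uri", "pod_identity_role_name",
                        namespace="myapp", client_id="<uami-client-id>")
    print("vault token obtained:", token[:4] + "...")
```

Run inside the pod, step 1 failing shows the IMDS endpoint is not reachable from the pod network, step 2 failing (or returning a token for a different identity) shows the UAMI is not the identity the node or pod-identity proxy hands out, and step 3 failing with a Vault error shows the role, audience or VMSS binding on the Vault side does not match; none of those three are reached when, as in the error above, the client is still trying to use token authentication, which points at configuration loading rather than at Azure or Vault.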