Working Scenario: Spring Boot Application + Azure VM + Azure SDK Java + System Assigned Managed Identity + Azure Key Vault
Description: Spring Boot application is able to retrieve secrets from Key Vault through System Assigned Managed Identity; the application is running on an Azure VM.

[2021-11-16T06:47:44.044Z] [java.util.logging.LoggingProxyImpl] [reactor-http-nio-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@67d5e1816 pairs: {GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net HTTP/1.1: null}{Metadata: true}{User-Agent: Java/1.8.0_251}{Host: *.*.*.*}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
[2021-11-16T06:47:44.044Z] [java.util.logging.LoggingProxyImpl] [reactor-http-nio-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@5b2f224a5 pairs: {null: HTTP/1.1 200 OK}{Content-Type: application/json; charset=utf-8}{Server: IMDS/*.*.*.*}{Date: Tue, 16 Nov 2021 06:47:44 GMT}{Content-Length: 1683}
[2021-11-16T06:47:45.045Z] [com.azure.core.util.logging.ClientLogger] [reactor-http-nio-2] [111] [INFO ] [] [] Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT

Working Scenario: Spring Boot Application + Azure AKS + Azure SDK Java + User Assigned Managed Identity + Azure Key Vault
Description: Spring Boot application is able to retrieve secrets from Key Vault through User Assigned Managed Identity; the application is running on Azure Kubernetes Service.

[2021-11-16T08:16:32.032Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-3] [61] [DEBUG] [] [] sun.net.www.MessageHeader@37263346 pairs: {GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net&client_id=********************** HTTP/1.1: null}{Metadata: true}{User-Agent: Java/1.8.0_111}{Host: *.*.*.*}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
[2021-11-16T08:16:32.032Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-3] [61] [DEBUG] [] [] sun.net.www.MessageHeader@377d9d9f5 pairs: {null: HTTP/1.1 200 OK}{Content-Type: application/json; charset=utf-8}{Server: IMDS/*.*.*.*}{Date: Tue, 16 Nov 2021 08:16:32 GMT}{Content-Length: 1805}
[2021-11-16T08:16:32.032Z] [com.azure.core.util.logging.ClientLogger] [reactor-http-epoll-3] [111] [INFO ] [] [] Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT

Issue Scenario: Spring Boot Application + Azure AKS + Azure SDK Java + System Assigned Managed Identity + Azure Key Vault
Description: Spring Boot application is not able to retrieve secrets from Key Vault through System Assigned Managed Identity; the application is running on Azure Kubernetes Service.
Logs:

[2021-11-16T07:49:39.039Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@3d038e526 pairs: {GET /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net HTTP/1.1: null}{Metadata: true}{User-Agent: Java/1.8.0_111}{Host: *.*.*.*}{Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2}{Connection: keep-alive}
[2021-11-16T07:49:39.039Z] [java.util.logging.LoggingProxyImpl] [reactor-http-epoll-2] [61] [DEBUG] [] [] sun.net.www.MessageHeader@4c08a14b5 pairs: {null: HTTP/1.1 400 Bad Request}{Content-Type: application/json; charset=utf-8}{Server: IMDS/*.*.*.*}{Date: Tue, 16 Nov 2021 07:49:39 GMT}{Content-Length: 168}
[2021-11-16T07:49:39.039Z] [com.azure.core.util.logging.ClientLogger] [reactor-http-epoll-2] [350] [ERROR] [] [] ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established.

I referred to the link below and confirmed that AKS is enabled with Managed Identity: https://learn.microsoft.com/en-us/azure/aks/use-managed-identity#obtain-and-use-the-system-assigned-managed-identity-for-your-aks-cluster

We are using Harbor to pull the Docker images.

How to resolve the issue? How to check my node is enabled with Managed Identity?

Code snippet:

import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
SecretClient client = new SecretClientBuilder().vaultUrl(vaultUrl)
                .credential(new ManagedIdentityCredentialBuilder().build())
                .buildClient();
KeyVaultSecret secretKey = client.getSecret(secretName);


I am placing my answer here in case it may be useful to others.

Based on the answers provided for "Azure - Using a Managed Identity to authenticate AKS to KeyVault and other resources", I enabled System Managed Identity on the VMSS, provided the necessary RBAC role (selected "Assign access to" as Managed Identity) and access policies to that VMSS. Now System Managed Identity is working for my application running in one of the pods.

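The following is an added diagnostic for the case in this thread, not code from the question or the answer: it builds the same IMDS token request the Java SDK sends (the two request shapes visible in the logs, with and without client_id), classifies the HTTP status the way the logs above read (200 in the working runs, 400 in the failing one), and checks whether the node pool VMSS actually carries an identity. It assumes the az CLI is logged in, that RESOURCE_GROUP and CLUSTER are placeholder variables you set, and that curl is available inside the pod.

```shell
#!/bin/sh
# Added example; assumes: az CLI logged in, RESOURCE_GROUP / CLUSTER set by the caller (placeholders).
IMDS_BASE="http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01"

# Build the IMDS token URL exactly as the SDK does: system-assigned identity sends no
# client_id, user-assigned identity appends client_id=<id> (compare the two GET lines in the logs).
imds_token_url() {
    resource="$1"; client_id="$2"
    encoded=$(printf '%s' "$resource" | sed 's#:#%3A#g; s#/#%2F#g')
    url="${IMDS_BASE}&resource=${encoded}"
    [ -n "$client_id" ] && url="${url}&client_id=${client_id}"
    printf '%s' "$url"
}

# Interpret the IMDS status code. 200: a token was issued for the identity on this node.
# 400: IMDS reached, but no identity of the requested kind is assigned to the VM/VMSS
# (the failing system-assigned run above). Anything else: IMDS itself was not reachable.
classify_imds_status() {
    case "$1" in
        200) echo "ok: token issued" ;;
        400) echo "identity-not-assigned: no matching managed identity on the node VMSS" ;;
        *)   echo "unreachable: HTTP $1, check pod egress to 169.254.169.254" ;;
    esac
}

# Run inside a pod: probe IMDS with the Metadata: true header, optionally for a user-assigned client id.
probe_imds_from_pod() {
    status=$(curl -s -o /dev/null -w '%{http_code}' -H 'Metadata: true' \
        "$(imds_token_url https://vault.azure.net "$1")")
    classify_imds_status "$status"
}

# Run from a workstation: list the identity type on every VMSS in the node resource group.
# "SystemAssigned" (or "SystemAssigned, UserAssigned") is what the accepted fix produces.
check_vmss_identity() {
    node_rg=$(az aks show -g "$RESOURCE_GROUP" -n "$CLUSTER" --query nodeResourceGroup -o tsv)
    for vmss in $(az vmss list -g "$node_rg" --query '[].name' -o tsv); do
        printf '%s: ' "$vmss"
        az vmss identity show -g "$node_rg" -n "$vmss" --query type -o tsv
    done
}
```

Note that the cluster-level system-assigned identity shown by `az aks show` is not the same thing as an identity on the node pool VMSS, which is what IMDS answers for; that distinction is why the cluster looked enabled while the pod still got a 400.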