Accessing Azure Key Vault from a Java Azure App Service using managed identity

Time: 2020-02-18 10:30:14

Tags: azure azure-active-directory azure-web-app-service azure-keyvault azure-managed-identity

I have deployed a Spring Boot application in Azure App Service that accesses Azure Key Vault using a user-assigned managed identity.

I have followed the steps mentioned below:

  1. Created a user-assigned managed identity
  2. Deployed the Spring Boot application in Azure App Service
  3. Added the newly created user-assigned managed identity to the App Service via the "Identity" option
  4. Added the user-assigned managed identity with the Owner role under IAM role assignments in the App Service
  5. Created an Azure Key Vault and added a secret to it
  6. Added the user-assigned managed identity under "Access policies" of the newly created Key Vault with "Get, List, Set" permissions in the "Secret permissions" section
  7. Added the user-assigned managed identity with the Owner role under IAM role assignments in the Key Vault

My Java code for accessing Key Vault from the application is as follows:

    import com.microsoft.azure.AzureEnvironment;
    import com.microsoft.azure.credentials.MSICredentials;
    import com.microsoft.azure.keyvault.KeyVaultClient;
    import com.microsoft.azure.keyvault.models.SecretBundle;
    MSICredentials msiCredentials = new MSICredentials(AzureEnvironment.AZURE); // managed identity credentials for public Azure
    msiCredentials = msiCredentials.withClientId("client_id"); // client id of the user-assigned identity
    KeyVaultClient keyVaultClient = new KeyVaultClient(msiCredentials);
    SecretBundle secretBundle = keyVaultClient.getSecret("key_vault_base_url","secret_name"); // read one secret by name

When this code is executed in the Azure App Service deployment, I get the following error:

    java.net.ConnectException: Connection refused (Connection refused)] with root cause

    java.net.ConnectException: Connection refused (Connection refused)
        at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_232]
        at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_232]
        at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_232]
        at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_232]
        at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_232]
        at java.net.Socket.connect(Socket.java:607) ~[na:1.8.0_232]
        at java.net.Socket.connect(Socket.java:556) ~[na:1.8.0_232]
        at sun.net.NetworkClient.doConnect(NetworkClient.java:180) ~[na:1.8.0_232]
        at sun.net.www.http.HttpClient.openServer(HttpClient.java:463) ~[na:1.8.0_232]
        at sun.net.www.http.HttpClient.openServer(HttpClient.java:558) ~[na:1.8.0_232]
        at sun.net.www.http.HttpClient.<init>(HttpClient.java:242) ~[na:1.8.0_232]
        at sun.net.www.http.HttpClient.New(HttpClient.java:339) ~[na:1.8.0_232]
        at sun.net.www.http.HttpClient.New(HttpClient.java:357) ~[na:1.8.0_232]
        at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1226) ~[na:1.8.0_232]
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1162) ~[na:1.8.0_232]
        at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056) ~[na:1.8.0_232]
        at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:990) ~[na:1.8.0_232]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570) ~[na:1.8.0_232]
        at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498) ~[na:1.8.0_232]
        at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) ~[na:1.8.0_232]
        at com.microsoft.azure.credentials.MSICredentials.retrieveTokenFromIDMSWithRetry(MSICredentials.java:269) ~[azure-client-authentication-1.6.12.jar!/:na]
        at com.microsoft.azure.credentials.MSICredentials.getTokenFromIMDSEndpoint(MSICredentials.java:205) ~[azure-client-authentication-1.6.12.jar!/:na]
        at com.microsoft.azure.credentials.MSICredentials.getToken(MSICredentials.java:146) ~[azure-client-authentication-1.6.12.jar!/:na]
        at com.microsoft.azure.credentials.AzureTokenCredentials.getToken(AzureTokenCredentials.java:74) ~[azure-client-runtime-1.6.12.jar!/:na]
        at com.microsoft.azure.credentials.AzureTokenCredentialsInterceptor.intercept(AzureTokenCredentialsInterceptor.java:36) ~[azure-client-runtime-1.6.12.jar!/:na]

Looking at the MSICredentials.java code in the Azure SDK, I found that the request to the following URL - http://169.254.169.254/metadata/identity/oauth2/ is being refused.

Can someone guide me on the setup to get rid of this issue? Am I missing any configuration? Any pointers would be really helpful.
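The trace shows the SDK contacting the IMDS address 169.254.169.254, while App Service publishes its managed identity endpoint through the IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables. The diagnostic below is an added example, not code from the question, the answer or the Azure SDK; it assumes those two variables are set, uses a placeholder client id, and follows the 2019-08-01 endpoint contract documented by Microsoft.

```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Diagnostic: request a Key Vault token from the App Service identity endpoint without the SDK. */
public class ManagedIdentityProbe {
    // Placeholder, not a value from the question: client id of the user-assigned identity.
    static final String USER_ASSIGNED_CLIENT_ID = "<client_id>";
    static final String RESOURCE = "https://vault.azure.net";

    public static void main(String[] args) throws Exception {
        // App Service publishes its identity endpoint through these two variables
        // (older runtimes: MSI_ENDPOINT / MSI_SECRET with api-version 2017-09-01).
        String endpoint = System.getenv("IDENTITY_ENDPOINT");
        String secret = System.getenv("IDENTITY_HEADER");
        if (endpoint == null || secret == null) {
            System.out.println("IDENTITY_ENDPOINT/IDENTITY_HEADER not set: no App Service managed "
                    + "identity here, so an SDK would fall back to IMDS at 169.254.169.254");
            return;
        }
        String enc = StandardCharsets.UTF_8.name();
        String url = endpoint + "?api-version=2019-08-01"
                + "&resource=" + URLEncoder.encode(RESOURCE, enc)
                + "&client_id=" + URLEncoder.encode(USER_ASSIGNED_CLIENT_ID, enc); // drop for system-assigned
        HttpURLConnection conn = (HttpURLConnection) new URL(url).openConnection();
        conn.setRequestMethod("GET");
        conn.setRequestProperty("X-IDENTITY-HEADER", secret);
        int status = conn.getResponseCode();
        InputStream in = status < 400 ? conn.getInputStream() : conn.getErrorStream();
        StringBuilder body = new StringBuilder();
        if (in != null) try (BufferedReader r = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; ) body.append(line);
        }
        if (status != 200) {
            System.out.println("token request failed, HTTP " + status + ": " + body);
            return;
        }
        // Report only metadata: the access token itself must never reach the logs.
        Matcher exp = Pattern.compile("\"expires_on\"\\s*:\\s*\"?(\\d+)\"?").matcher(body);
        System.out.println("token issued for " + RESOURCE
                + (exp.find() ? ", expires_on=" + exp.group(1) : ""));
    }
}
```

A non-200 reply with the identity's client id in the query, against a 200 reply without it, separates an endpoint problem from a user-assigned versus system-assigned identity problem.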

1 answer:

Answer 0: (score: 1)

Managed to resolve the issue by using a system-assigned managed identity instead of a user-assigned managed identity, as user-assigned managed identities currently do not seem to work with Azure KeyVault.

Created a repository in GitHub containing sample code for connecting to Azure resources from App Service using a system-assigned managed identity. The repo link is below - Azure_AppService_ManagedIdentity