Accessing Azure Key Vault from a Java Azure App Service using managed identities

I have a Spring Boot application deployed in Azure App Service that accesses Azure Key Vault using a user-assigned managed identity.

I followed these steps:

  1. Created a user-assigned managed identity
  2. Deployed the Spring Boot application to Azure App Service
  3. Added the newly created user-assigned identity to the App Service via the Identity option
  4. Added the user-assigned identity with the Owner role under the App Service's IAM role assignments
  5. Created an Azure Key Vault and added a secret to it
  6. Added the user-assigned identity under the newly created Key Vault's access policies, with Get, List and Set permissions in the secret permissions section
  7. Added the user-assigned identity with the Owner role under the Key Vault's IAM role assignments

My Java code for accessing Key Vault from the application is as follows:

import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.MSICredentials;
import com.microsoft.azure.keyvault.KeyVaultClient;
import com.microsoft.azure.keyvault.models.SecretBundle;

MSICredentials msiCredentials = new MSICredentials(AzureEnvironment.AZURE); // managed-identity credential for the public Azure cloud
msiCredentials = msiCredentials.withClientId("client_id");                  // pin to the user-assigned identity's client ID
KeyVaultClient keyVaultClient = new KeyVaultClient(msiCredentials);         // Key Vault client authenticating with that credential
SecretBundle secretBundle = keyVaultClient.getSecret("key_vault_base_url", "secret_name"); // latest version of the secret

When this code runs in the App Service deployment, I get the following error:

java.net.ConnectException: Connection refused (Connection refused)] with root cause
java.net.ConnectException: Connection refused (Connection refused)
    at java.net.PlainSocketImpl.socketConnect(Native Method) ~[na:1.8.0_232]
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350) ~[na:1.8.0_232]
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206) ~[na:1.8.0_232]
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188) ~[na:1.8.0_232]
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392) ~[na:1.8.0_232]
    at java.net.Socket.connect(Socket.java:607) ~[na:1.8.0_232]
    at java.net.Socket.connect(Socket.java:556) ~[na:1.8.0_232]
    at sun.net.NetworkClient.doConnect(NetworkClient.java:180) ~[na:1.8.0_232]
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:463) ~[na:1.8.0_232]
    at sun.net.www.http.HttpClient.openServer(HttpClient.java:558) ~[na:1.8.0_232]
    at sun.net.www.http.HttpClient.<init>(HttpClient.java:242) ~[na:1.8.0_232]
    at sun.net.www.http.HttpClient.New(HttpClient.java:339) ~[na:1.8.0_232]
    at sun.net.www.http.HttpClient.New(HttpClient.java:357) ~[na:1.8.0_232]
    at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:1226) ~[na:1.8.0_232]
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect0(HttpURLConnection.java:1162) ~[na:1.8.0_232]
    at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:1056) ~[na:1.8.0_232]
    at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:990) ~[na:1.8.0_232]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1570) ~[na:1.8.0_232]
    at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1498) ~[na:1.8.0_232]
    at java.net.HttpURLConnection.getResponseCode(HttpURLConnection.java:480) ~[na:1.8.0_232]
    at com.microsoft.azure.credentials.MSICredentials.retrieveTokenFromIDMSWithRetry(MSICredentials.java:269) ~[azure-client-authentication-1.6.12.jar!/:na]
    at com.microsoft.azure.credentials.MSICredentials.getTokenFromIMDSEndpoint(MSICredentials.java:205) ~[azure-client-authentication-1.6.12.jar!/:na]
    at com.microsoft.azure.credentials.MSICredentials.getToken(MSICredentials.java:146) ~[azure-client-authentication-1.6.12.jar!/:na]
    at com.microsoft.azure.credentials.AzureTokenCredentials.getToken(AzureTokenCredentials.java:74) ~[azure-client-runtime-1.6.12.jar!/:na]
    at com.microsoft.azure.credentials.AzureTokenCredentialsInterceptor.intercept(AzureTokenCredentialsInterceptor.java:36) ~[azure-client-runtime-1.6.12.jar!/:na]

Looking at the code of MSICredentials.java in the Azure SDK, I can see that the request to the following URL - http://169.254.169.254/metadata/identity/oauth2/ - is being refused.

Can someone guide me on the setup needed to resolve this? Am I missing any configuration? Any pointers would be very helpful.

Managed to resolve the issue by using a system-assigned managed identity instead of a user-assigned one, since user-assigned managed identities currently don't seem to work with Azure Key Vault.

Created a repository on GitHub with sample code for connecting to Azure resources from App Service using a system-assigned managed identity. The repo link is below - Azure_AppService_ManagedIdentity
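The stack trace in the question shows the SDK going to the IMDS address 169.254.169.254, which is what a VM exposes; App Service does not expose IMDS at all, so the connection is refused. App Service instead runs a local token service and tells the app where it is through environment variables: IDENTITY_ENDPOINT with IDENTITY_HEADER (api-version 2019-08-01, which accepts a client_id parameter to pick a user-assigned identity), or on older hosts MSI_ENDPOINT with MSI_SECRET (api-version 2017-09-01). The added example below, which is not the poster's code and not from the linked repository, talks to that token service directly and then calls the Key Vault REST API, so the two hops the SDK hides are visible; it covers both endpoint generations and both system- and user-assigned identities, which goes beyond the single case in the question. The environment values and the token JSON in SAMPLE_ENV and SAMPLE_TOKEN_RESPONSE are constructed for illustration; nothing in them is a real endpoint or secret.

```python
"""Acquire a managed-identity token inside Azure App Service and read a Key Vault secret.

Added example, not code from the question or answer above. It calls the App Service
managed-identity token service (address and per-app secret injected as environment
variables) and then the Key Vault secrets REST API. Sample data below is constructed.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple

KEY_VAULT_RESOURCE = "https://vault.azure.net"  # audience for Key Vault data-plane tokens

# Constructed sample of what App Service injects; the port and header value are made up.
SAMPLE_ENV = {
    "IDENTITY_ENDPOINT": "http://127.0.0.1:41232/msi/token",
    "IDENTITY_HEADER": "constructed-header-value",
}
# Constructed sample token-service reply (shape of the 2019-08-01 response, values fake).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "eyJ...constructed",
    "expires_on": "1582024874",
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
    "client_id": "00000000-0000-0000-0000-000000000000",
})


@dataclass(frozen=True)
class HttpGet:
    """A prepared GET request: URL plus the headers it must carry."""
    url: str
    headers: Dict[str, str]


def build_token_request(env: Mapping[str, str], resource: str = KEY_VAULT_RESOURCE,
                        client_id: Optional[str] = None) -> HttpGet:
    """Pick the App Service token endpoint from the environment and build the request.

    Newer hosts inject IDENTITY_ENDPOINT / IDENTITY_HEADER (api-version 2019-08-01,
    secret sent as X-IDENTITY-HEADER); older hosts inject MSI_ENDPOINT / MSI_SECRET
    (api-version 2017-09-01, secret sent as 'secret'). Without these variables no
    managed identity is enabled on the app, and IMDS at 169.254.169.254 is not an
    alternative here, so fail loudly instead of falling back to it.
    """
    if "IDENTITY_ENDPOINT" in env and "IDENTITY_HEADER" in env:
        params = {"resource": resource, "api-version": "2019-08-01"}
        if client_id:
            params["client_id"] = client_id  # omit to use the system-assigned identity
        return HttpGet(f"{env['IDENTITY_ENDPOINT']}?{urllib.parse.urlencode(params)}",
                       {"X-IDENTITY-HEADER": env["IDENTITY_HEADER"]})
    if "MSI_ENDPOINT" in env and "MSI_SECRET" in env:
        params = {"resource": resource, "api-version": "2017-09-01"}
        if client_id:
            params["clientid"] = client_id  # the 2017-09-01 API spells the parameter this way
        return HttpGet(f"{env['MSI_ENDPOINT']}?{urllib.parse.urlencode(params)}",
                       {"secret": env["MSI_SECRET"]})
    raise RuntimeError("no App Service identity endpoint in environment; "
                       "enable a managed identity on the app")


def parse_token_response(body: str) -> Tuple[str, Optional[str]]:
    """Return (access_token, expires_on) from the token service's JSON reply."""
    doc = json.loads(body)
    if "access_token" not in doc:
        raise RuntimeError(f"token service returned no access_token: {doc}")
    return doc["access_token"], doc.get("expires_on")


def build_secret_request(vault_url: str, secret_name: str, access_token: str,
                         secret_version: str = "") -> HttpGet:
    """Build GET {vault}/secrets/{name}[/{version}]?api-version=7.4 with the bearer token."""
    path = f"/secrets/{urllib.parse.quote(secret_name)}"
    if secret_version:
        path += f"/{urllib.parse.quote(secret_version)}"
    return HttpGet(f"{vault_url.rstrip('/')}{path}?api-version=7.4",
                   {"Authorization": f"Bearer {access_token}"})


def http_get(req: HttpGet) -> str:
    request = urllib.request.Request(req.url, headers=req.headers, method="GET")
    with urllib.request.urlopen(request, timeout=10) as resp:
        return resp.read().decode("utf-8")


def get_secret(vault_url: str, secret_name: str, client_id: Optional[str] = None,
               env: Mapping[str, str] = os.environ) -> str:
    """Two hops: token from the local identity service, then the secret from Key Vault."""
    token, _ = parse_token_response(http_get(build_token_request(env, client_id=client_id)))
    body = json.loads(http_get(build_secret_request(vault_url, secret_name, token)))
    return body["value"]


if __name__ == "__main__":
    # Usage inside App Service: python msi_kv.py https://<vault>.vault.azure.net <secret> [<client_id>]
    vault, name = sys.argv[1], sys.argv[2]
    cid = sys.argv[3] if len(sys.argv) > 3 else None
    print(get_secret(vault, name, client_id=cid))
```

Run it from a shell in the App Service (Kudu/SSH) to confirm the identity endpoint is present and that the token request with client_id succeeds for a user-assigned identity before blaming the SDK. On the authorization side, reading a secret needs only the Get secret permission in the access policy (or the Key Vault Secrets User role under RBAC); the Owner assignments in steps 4 and 7 of the question add nothing for this call and are far more than least privilege requires.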