Azure - 在 Java Spring 引导中使用用户管理标识访问 Key Vault:错误详细信息:ManagedIdentityCredential 身份验证不可用?
Azure - Accessing Key Vault using User Managed Identity in Java Spring Boot : Error Details: ManagedIdentityCredential authentication unavailable?
我有一个 Java Spring 启动应用程序,它只从 Azure Key Vault 读取机密,下面是使用的步骤
- 创建了应用程序注册
- 复制了应用程序注册详细信息
- 生成的秘密
- 已授予对 Azure Key Vault 的访问权限
下面是我的 Java Spring 启动应用程序
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.6.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.contoso</groupId>
<artifactId>keyvault</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>keyvault</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>11</java.version>
<azure.version>2.3.5</azure.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure-keyvault-secrets-spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure-spring-boot-bom</artifactId>
<version>${azure.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
application.properties
azure.keyvault.client-id=7a111923-xxxxxxxx-xxxxxx-31be31d233dd
azure.keyvault.client-key=gt_~k02yF_xxxxxx_vn3r1.GW
azure.keyvault.enabled=true
azure.keyvault.tenant-id=9cef136a-xxxx-xxxx-b7d3-d9d8a5a84182
azure.keyvault.uri=https://contosokvxxx.vault.azure.net/
KeyvaultApplication.java
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.beans.factory.annotation.Value;
@SpringBootApplication
@RestController
public class KeyvaultApplication {
public static void main(String[] args) {
SpringApplication.run(KeyvaultApplication.class, args);
}
@GetMapping("get")
public String get() {
return connectionString;
}
@Value("${connectionString}")
private String connectionString;
public void run(String... varl) throws Exception {
System.out.println(String.format("\nConnection String stored in Azure Key Vault:\n%s\n",connectionString));
}
}
有效,我可以从 Azure Key Vault 中读取 Secret
所以决定从 application.properties 中删除秘密并评论如下
#azure.keyvault.client-id=7a111923-1xxxxxxxx-31be31d233dd
#azure.keyvault.client-key=gt_~k02yF_xxxxxxxx-Hr6vn3r1.GW
azure.keyvault.enabled=true
#azure.keyvault.tenant-id=9cef136axxxxxxx-3-d9d8a5a84182
azure.keyvault.uri=https://contosokvxxx.vault.azure.net/
并使用 setx
添加了如下所示的环境变量
setx AzureServicesAuthConnectionString "RunAs=App;AppId=bb01c08b-xxxxxxxx-106;TenantId=9cef1-xxxxxxx-d9d8a5a84182;AppKey=xxxxxxxx-4Dpg-E3zrj~"
项目编译没有任何问题
>mvn clean compile package
但失败了运行
>mvn spring-boot:run
错误:
11:40:27.334 [main] ERROR org.springframework.boot.SpringApplication - Application run failed
java.lang.IllegalStateException: Failed to configure KeyVault property source
at com.microsoft.azure.keyvault.spring.KeyVaultEnvironmentPostProcessorHelper.addKeyVaultPropertySource(KeyVaultEnvironmentPostProcessorHelper.java:110)
at com.microsoft.azure.keyvault.spring.KeyVaultEnvironmentPostProcessor.postProcessEnvironment(KeyVaultEnvironmentPostProcessor.java:47)
Caused by: java.lang.RuntimeException: Max retries 3 times exceeded. Error Details: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established, Network is unreachable: no further information.
at com.azure.core.http.policy.RetryPolicy.lambda$attemptAsync(RetryPolicy.java:116)
at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:88)
请尝试遵循此 sample。
它向您展示了如何在 Java Spring 应用程序中将 Azure App Configuration 服务与 Azure Key Vault 一起使用。它还设置环境变量以连接密钥保管库。
这些 Key Vault 凭据仅在您的应用程序中使用。您的应用程序使用这些凭据直接通过 Key Vault 进行身份验证,而不涉及应用程序配置服务。 Key Vault 在不共享或公开密钥的情况下为您的应用程序和应用程序配置服务提供身份验证。
Error Details: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established, Network is unreachable: no further information.
该错误表示您无法连接到 Azure 实例元数据服务端点,它是一个 REST 端点,可在众所周知的不可路由 IP 地址 (169.254.169.254) 上使用,MSI 使用它来获取令牌,它只能从 Azure 服务中访问,例如web app, VM, etc. 简而言之,你不能在本地使用 MSI(managed identity)。
要使用 MSI 从 Azure Keyvault 中获取机密,请遵循 this to deploy your application to azure web app, enable the system-assigned identity or user-assigned identity, then remove the azure.keyvault.client-key from application.properties, change the azure.keyvault.client-id with the MSI's client id, add it to the access policy of the keyvault, details follow this。
azure.keyvault.client-id=56rqs994-0o66-43o3-9roo-8e3534d0cb23
azure.keyvault.enabled=true
azure.keyvault.tenant-id=72s988os-86s1-41ns-91ab-2q7pq011qo47
azure.keyvault.uri=https://contosokv.vault.azure.net/
参考 - Tutorial: Reading a secret from Azure Key Vault in a Spring Boot application
我有一个 Java Spring 启动应用程序,它只从 Azure Key Vault 读取机密,下面是使用的步骤
- 创建了应用程序注册
- 复制了应用程序注册详细信息
- 生成的秘密
- 已授予对 Azure Key Vault 的访问权限
下面是我的 Java Spring 启动应用程序
pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
<modelVersion>4.0.0</modelVersion>
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.3.6.RELEASE</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
<groupId>com.contoso</groupId>
<artifactId>keyvault</artifactId>
<version>0.0.1-SNAPSHOT</version>
<name>keyvault</name>
<description>Demo project for Spring Boot</description>
<properties>
<java.version>11</java.version>
<azure.version>2.3.5</azure.version>
</properties>
<dependencies>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-web</artifactId>
</dependency>
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure-keyvault-secrets-spring-boot-starter</artifactId>
</dependency>
<dependency>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-test</artifactId>
<scope>test</scope>
<exclusions>
<exclusion>
<groupId>org.junit.vintage</groupId>
<artifactId>junit-vintage-engine</artifactId>
</exclusion>
</exclusions>
</dependency>
</dependencies>
<dependencyManagement>
<dependencies>
<dependency>
<groupId>com.microsoft.azure</groupId>
<artifactId>azure-spring-boot-bom</artifactId>
<version>${azure.version}</version>
<type>pom</type>
<scope>import</scope>
</dependency>
</dependencies>
</dependencyManagement>
<build>
<plugins>
<plugin>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-maven-plugin</artifactId>
</plugin>
</plugins>
</build>
</project>
application.properties
azure.keyvault.client-id=7a111923-xxxxxxxx-xxxxxx-31be31d233dd
azure.keyvault.client-key=gt_~k02yF_xxxxxx_vn3r1.GW
azure.keyvault.enabled=true
azure.keyvault.tenant-id=9cef136a-xxxx-xxxx-b7d3-d9d8a5a84182
azure.keyvault.uri=https://contosokvxxx.vault.azure.net/
KeyvaultApplication.java
package com.example.demo;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.beans.factory.annotation.Value;
@SpringBootApplication
@RestController
public class KeyvaultApplication {
public static void main(String[] args) {
SpringApplication.run(KeyvaultApplication.class, args);
}
@GetMapping("get")
public String get() {
return connectionString;
}
@Value("${connectionString}")
private String connectionString;
public void run(String... varl) throws Exception {
System.out.println(String.format("\nConnection String stored in Azure Key Vault:\n%s\n",connectionString));
}
}
有效,我可以从 Azure Key Vault 中读取 Secret
所以决定从 application.properties 中删除秘密并评论如下
#azure.keyvault.client-id=7a111923-1xxxxxxxx-31be31d233dd
#azure.keyvault.client-key=gt_~k02yF_xxxxxxxx-Hr6vn3r1.GW
azure.keyvault.enabled=true
#azure.keyvault.tenant-id=9cef136axxxxxxx-3-d9d8a5a84182
azure.keyvault.uri=https://contosokvxxx.vault.azure.net/
并使用 setx
添加了如下所示的环境变量setx AzureServicesAuthConnectionString "RunAs=App;AppId=bb01c08b-xxxxxxxx-106;TenantId=9cef1-xxxxxxx-d9d8a5a84182;AppKey=xxxxxxxx-4Dpg-E3zrj~"
项目编译没有任何问题
>mvn clean compile package
但失败了运行
>mvn spring-boot:run
错误:
11:40:27.334 [main] ERROR org.springframework.boot.SpringApplication - Application run failed
java.lang.IllegalStateException: Failed to configure KeyVault property source
at com.microsoft.azure.keyvault.spring.KeyVaultEnvironmentPostProcessorHelper.addKeyVaultPropertySource(KeyVaultEnvironmentPostProcessorHelper.java:110)
at com.microsoft.azure.keyvault.spring.KeyVaultEnvironmentPostProcessor.postProcessEnvironment(KeyVaultEnvironmentPostProcessor.java:47)
Caused by: java.lang.RuntimeException: Max retries 3 times exceeded. Error Details: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established, Network is unreachable: no further information.
at com.azure.core.http.policy.RetryPolicy.lambda$attemptAsync(RetryPolicy.java:116)
at reactor.core.publisher.FluxOnErrorResume$ResumeSubscriber.onError(FluxOnErrorResume.java:88)
请尝试遵循此 sample。
它向您展示了如何在 Java Spring 应用程序中将 Azure App Configuration 服务与 Azure Key Vault 一起使用。它还设置环境变量以连接密钥保管库。
这些 Key Vault 凭据仅在您的应用程序中使用。您的应用程序使用这些凭据直接通过 Key Vault 进行身份验证,而不涉及应用程序配置服务。 Key Vault 在不共享或公开密钥的情况下为您的应用程序和应用程序配置服务提供身份验证。
Error Details: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established, Network is unreachable: no further information.
该错误表示您无法连接到 Azure 实例元数据服务端点,它是一个 REST 端点,可在众所周知的不可路由 IP 地址 (169.254.169.254) 上使用,MSI 使用它来获取令牌,它只能从 Azure 服务中访问,例如web app, VM, etc. 简而言之,你不能在本地使用 MSI(managed identity)。
要使用 MSI 从 Azure Keyvault 中获取机密,请遵循 this to deploy your application to azure web app, enable the system-assigned identity or user-assigned identity, then remove the azure.keyvault.client-key from application.properties, change the azure.keyvault.client-id with the MSI's client id, add it to the access policy of the keyvault, details follow this。
azure.keyvault.client-id=56rqs994-0o66-43o3-9roo-8e3534d0cb23
azure.keyvault.enabled=true
azure.keyvault.tenant-id=72s988os-86s1-41ns-91ab-2q7pq011qo47
azure.keyvault.uri=https://contosokv.vault.azure.net/
参考 - Tutorial: Reading a secret from Azure Key Vault in a Spring Boot application