1
votes

I am trying to connect to Azure Key Vault from my locally running Spring Boot application. I can't keep the secrets that should be saved in Key Vault in properties or YAML files during dev, because my application will generate and delete many secrets and tokens to be saved in Key Vault at run time.

I am aware of the process in which we can create an Azure service principal from an application registration and use

azure.keyvault.client-id azure.keyvault.client-key

in application.properties to connect.

But creating an Azure service principal may not be allowed in our case. So is there any way to connect to Key Vault using MSI from a locally running Spring Boot application,

using MSI_ENDPOINT and MSI_SECRET?

2
If anybody has tried to connect using REST, sharing a code snippet will be really appreciated. Arnav Karforma

2 Answers

2
votes

> So is there any way to connect to key vault using MSI from locally running SpringBoot application. using MSI_ENDPOINT and MSI_SECRET

I don't think you can use MSI_ENDPOINT and MSI_SECRET to get the token locally; it only works when the web app is published in the cloud.

> But it may not be allowed to be created Azure service principal in our case.

As you know, you can use the service principal client id and secret (key) to access the Key Vault. Actually, when you enable MSI on the web app, it automatically creates a service principal in your Azure AD tenant. So you can just use the client id and secret of that service principal.

Navigate to the portal -> Azure Active Directory -> Enterprise applications -> search for your web app name (select the Application Type "All Applications"), then you get the client id (application id).

Note: Remember to check the object id of the service principal with that in your web app -> Identity, make sure you use the correct one.


For the service principal secret, you could create it via PowerShell like below (your account needs the admin role Application administrator or Global administrator in your AAD tenant).

New-AzureADServicePrincipalPasswordCredential -ObjectId <service principal object id>


Then you will be able to access the Key Vault with the client id and secret. For details in Java, you can refer to this link.

0
votes

You can't get it using those variables, because there is no Azure AD identity registered on your local machine, and Microsoft didn't build any MSI emulator, so no variables will be set.

I can recommend what Microsoft did in their .NET library:

  1. Run Azure CLI and log in
  2. In code check for variables and if they don't exist then run CLI command

    az account get-access-token --resource 'https://vault.azure.net'

In the CLI, simply log in with either a principal or your own account. Make sure to add that principal/your account to the Key Vault access policy.

I know it's weird, but you can even check it HERE on their GitHub.

I might have an article that will help you in case you want more details:

https://marczak.io/posts/2019/07/securing-websites-with-msi/
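As an added example for the Spring Boot case (my own code, not from the answer above or from Microsoft's library), a small Java helper that implements this fallback: use the managed identity endpoint when MSI_ENDPOINT and MSI_SECRET are set, otherwise run the `az account get-access-token` command above and take the token from its output. The App Service endpoint api-version (2017-09-01) and `secret` header, and the regex-based token extraction instead of a JSON library, are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.URLEncoder;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Resolves a Key Vault access token: MSI endpoint in Azure, Azure CLI session on a dev machine. */
public class KeyVaultTokenProvider {
    private static final String RESOURCE = "https://vault.azure.net";
    // Assumption: no JSON library on the classpath. The MSI endpoint returns "access_token",
    // the Azure CLI returns "accessToken"; this pattern matches either key.
    private static final Pattern TOKEN = Pattern.compile("\"access_?[tT]oken\"\\s*:\\s*\"([^\"]+)\"");

    public static String getToken() throws IOException, InterruptedException {
        String endpoint = System.getenv("MSI_ENDPOINT");
        String secret = System.getenv("MSI_SECRET");
        String json = (endpoint != null && secret != null) ? fromMsi(endpoint, secret) : fromAzureCli();
        return extractToken(json);
    }

    // In Azure: App Service managed identity endpoint (assumed api-version 2017-09-01, "secret" header).
    static String fromMsi(String endpoint, String secret) throws IOException, InterruptedException {
        String url = endpoint + "?resource=" + URLEncoder.encode(RESOURCE, StandardCharsets.UTF_8)
                + "&api-version=2017-09-01";
        HttpRequest req = HttpRequest.newBuilder(URI.create(url)).header("secret", secret).GET().build();
        HttpResponse<String> resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofString());
        if (resp.statusCode() != 200) throw new IOException("MSI endpoint returned HTTP " + resp.statusCode());
        return resp.body();
    }

    // Locally: reuse the developer's `az login` session, exactly as the answer suggests.
    static String fromAzureCli() throws IOException, InterruptedException {
        Process p = new ProcessBuilder("az", "account", "get-access-token", "--resource", RESOURCE)
                .redirectErrorStream(true).start();
        String out = new String(p.getInputStream().readAllBytes(), StandardCharsets.UTF_8);
        if (p.waitFor() != 0) throw new IOException("az account get-access-token failed: " + out);
        return out;
    }

    static String extractToken(String json) throws IOException {
        Matcher m = TOKEN.matcher(json);
        if (!m.find()) throw new IOException("no access token in response");
        return m.group(1);
    }

    public static void main(String[] args) throws Exception {
        // Never log the token itself; print only its length to confirm acquisition.
        System.out.println("token acquired, length=" + getToken().length());
    }
}
```

On Windows the CLI is launched as `az.cmd`, and whichever identity `az login` used must be in the Key Vault access policy; the returned token is then sent to the Key Vault REST API as a Bearer token.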