1
votes

I am trying to access Azure Key Vault locally by using Service Principal credentials, for development purposes.

But it seems that the Azure SDK is always checking IMDS connectivity ("169.254.169.254").

Code I used to retrieve secret:

import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

SecretClient secretClient = new SecretClientBuilder()
        .vaultUrl(keyVaultUri)
        .credential(new DefaultAzureCredentialBuilder().build())
        .buildClient();

I also added the below variables as environment variables:

  1. AZURE_CLIENT_ID
  2. AZURE_CLIENT_SECRET
  3. AZURE_TENANT_ID

Can somebody help me with how we can access Azure resources like Key Vault from our local machine using a Service Principal in Java?


2 Answers

2
votes

To use a service principal to auth locally, just use ClientSecretCredential.

Sample:

import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

public class vacate {
    public static void main(String[] args) {
        // Service principal values (replace the placeholders with your own)
        String clientId = "xxxxxx";
        String clientSecret = "xxxxxx";
        String tenantId = "xxxxxx";

        // Authenticates directly as the service principal, no IMDS probing involved
        ClientSecretCredential credential1 = new ClientSecretCredentialBuilder()
                .tenantId(tenantId)
                .clientId(clientId)
                .clientSecret(clientSecret)
                .build();

        SecretClient secretClient = new SecretClientBuilder()
                .vaultUrl("<your-key-vault-url>")
                .credential(credential1)
                .buildClient();

        // do other things, e.g. retrieve a KeyVaultSecret with secretClient.getSecret(...)
    }
}

Actually, I think the DefaultAzureCredential you used should also work: it tries to create a valid credential in the following order, so if you have already set the environment variables correctly, it should work. If not, just use the ClientSecretCredential like above; it will work.
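As an added example (not code from the original post, the answer above, or the Azure SDK project itself), here is the same ClientSecretCredential approach with the client id, secret and tenant read from the AZURE_* environment variables the question already sets, so nothing sensitive is hard-coded in source, followed by an actual secret retrieval. The variable name KEY_VAULT_URI, the class name and the default secret name are assumptions for this example.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.core.exception.ClientAuthenticationException;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

/**
 * Added example: local development against Key Vault with a service principal.
 * Credentials come from the AZURE_TENANT_ID / AZURE_CLIENT_ID / AZURE_CLIENT_SECRET
 * environment variables named in the question; KEY_VAULT_URI is an assumed name.
 */
public class LocalKeyVaultAccess {

    // Reads a required environment variable or fails fast with a clear message.
    static String requireEnv(String name) {
        String value = System.getenv(name);
        if (value == null || value.isBlank()) {
            throw new IllegalStateException("Missing required environment variable: " + name);
        }
        return value;
    }

    // Builds a ClientSecretCredential directly, so the SDK never probes the
    // managed-identity endpoint (IMDS) the way DefaultAzureCredential may.
    static TokenCredential servicePrincipalCredential() {
        return new ClientSecretCredentialBuilder()
                .tenantId(requireEnv("AZURE_TENANT_ID"))
                .clientId(requireEnv("AZURE_CLIENT_ID"))
                .clientSecret(requireEnv("AZURE_CLIENT_SECRET"))
                .build();
    }

    public static void main(String[] args) {
        // Assumed variable, e.g. https://<vault-name>.vault.azure.net/
        String vaultUrl = requireEnv("KEY_VAULT_URI");
        // Secret name from the command line, with an assumed default for the example
        String secretName = args.length > 0 ? args[0] : "example-secret";

        SecretClient secretClient = new SecretClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(servicePrincipalCredential())
                .buildClient();

        try {
            KeyVaultSecret secret = secretClient.getSecret(secretName);
            // Print only metadata, never the secret value, so it stays out of console logs.
            System.out.println("Retrieved secret '" + secret.getName()
                    + "' version " + secret.getProperties().getVersion());
        } catch (ClientAuthenticationException e) {
            // Typical causes: wrong tenant/client id, an expired or rotated client secret,
            // or the service principal lacking "get" permission on secrets in this vault.
            System.err.println("Authentication to Key Vault failed: " + e.getMessage());
        }
    }
}
```

Run it with the three AZURE_* variables and KEY_VAULT_URI exported in the shell (or set in the IDE run configuration) rather than committed to a properties file; the service principal only needs the minimal secret-read permission on that one vault for local development.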

0
votes

The way I fixed my problem (and maybe it will help others as well):

  1. Indeed, as mentioned in Joy's answer, you need to use ClientSecretCredential, or you can also use the Azure Toolkit for IntelliJ for authentication.

  2. I was using an old azure-identity version which was going to the old authentication endpoint login.microsoftonline.com/{{tenant_id}}, which got fixed after upgrading to the latest version (1.2.3). Now it goes to the new endpoint login.microsoftonline.com/common/oauth2.

  3. For me, I was also getting a lot of SSL errors. To fix it, adding the below certificates to the trusted certificates worked:

    • DigiCert Global Root CA
    • DigiCert SHA2 Secure Server CA

  4. If your network is behind a proxy, you also need to configure the proxy and add the corresponding CA root certificate to your keystore and truststore.