
ERROR | Azure Key Vault access from Python application in Azure Kubernetes Service

Anonymous
2024-09-30T21:17:29.92+00:00

I have a python application in AKS where I need to read the secrets from Azure key vault.

I am using:

from azure.identity import DefaultAzureCredential
from azure.keyvault.secrets import SecretClient

# DefaultAzureCredential walks its chain (environment, workload identity, managed identity, ...)
credential = DefaultAzureCredential(logging_enable=True)
client = SecretClient(vault_url=KV_URI, credential=credential)
secret = client.get_secret(secretName)

I have a managed identity with RBAC read access on the vault, but I am getting timeout errors,

along with these messages:

[ERROR] - Unable to connect to KV using DefaultAzureCredential, ERROR: (<urllib3.connection.HTTPSConnection object at 0x7f2dc85c2c90>, 'Connection to <vault_name>.vault.azure.net timed out. (connect timeout=300)')

[App: azure.identity._credentials.environment -- Module: environment --Line# 109] [INFO] - Incomplete environment configuration for EnvironmentCredential. These variables are set: AZURE_CLIENT_ID, AZURE_TENANT_ID

[App: azure.identity._credentials.managed_identity -- Module: managed_identity --Line# 80] [INFO] - ManagedIdentityCredential will use workload identity

[INFO] - credential Object: <azure.identity._credentials.default.DefaultAzureCredential object at 0x7f2e00442150>

[INFO] - Request URL: 'https://<vault_name>.vault.azure.net/secrets/snowflake-password/?api-version=REDACTED'

Request method: 'GET'

Request headers:

'Accept': 'application/json'

'x-ms-client-request-id': '517c4ebb-7f70-11ef-b4ad-d9ce3dacc7ab'

'User-Agent': 'azsdk-python-keyvault-secrets/4.8.0 Python/3.12.3 (Linux-5.15.0-1071-azure-x86_64-with-glibc2.39)'

No body was attached to the request

What should I check?
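A way to triage the log output above before touching any configuration, as an added example that is not code from the question or from the Azure SDK. It sorts azure-identity and Key Vault client log lines into the layer that failed (the TCP connect timeout in the question is a network-path symptom, whereas a Key Vault firewall denial arrives as an HTTP 403 with ForbiddenByFirewall) and checks the variables the AKS workload-identity webhook injects. The sample lines are constructed from the question; the rule set and the `triage`, `first_failing_layer` and `missing_workload_identity_vars` names are my own.

```python
"""Added example: triage azure-identity / Key Vault client log lines by failing layer.

The sample lines are constructed from the question; the rule set is an assumption,
not something the Azure SDK provides.
"""
import os
import re
from typing import Dict, List, Mapping, Optional, Tuple

# Variables the AKS workload-identity webhook injects into an annotated pod.
# azure-identity selects workload identity only when all three are present;
# AZURE_AUTHORITY_HOST is also injected but optional (defaults to the public cloud).
REQUIRED_WI_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")

# Check order: the first layer that fails explains everything after it.
LAYER_ORDER = ("network", "identity", "firewall", "authorization", "info")

RULES = [
    # (layer, regex, what to check)
    ("network", r"timed out|connect timeout|Name or service not known|Connection refused",
     "TCP connection never completed: check pod egress (NSG, UDR, Azure Firewall) and DNS; "
     "a vault with a private endpoint resolves to a private IP that must be routable from the node"),
    ("identity", r"\b401\b|CredentialUnavailableError|ClientAuthenticationError|AADSTS",
     "token acquisition failed: check the federated credential, service account annotation and pod label"),
    ("firewall", r"ForbiddenByFirewall",
     "vault reachable but the caller's source address is not in the Key Vault firewall allow list"),
    ("authorization", r"\b403\b|Forbidden",
     "vault reachable and token accepted, but the identity lacks a Key Vault RBAC role on the vault"),
    ("info", r"Incomplete environment configuration for EnvironmentCredential",
     "benign with workload identity: EnvironmentCredential needs a client secret or certificate; the chain moves on"),
    ("info", r"will use workload identity",
     "ManagedIdentityCredential picked workload identity, so AZURE_FEDERATED_TOKEN_FILE is set"),
]


def classify_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (layer, explanation) for the first matching rule, or None."""
    for layer, pattern, detail in RULES:
        if re.search(pattern, line):
            return layer, detail
    return None


def triage(lines: List[str]) -> Dict[str, List[str]]:
    """Group explanations by layer, dropping lines that match no rule."""
    found: Dict[str, List[str]] = {}
    for line in lines:
        hit = classify_line(line)
        if hit:
            found.setdefault(hit[0], []).append(hit[1])
    return found


def first_failing_layer(lines: List[str]) -> Optional[str]:
    """The lowest layer with a real failure ('info' lines are not failures)."""
    found = triage(lines)
    for layer in LAYER_ORDER:
        if layer != "info" and layer in found:
            return layer
    return None


def missing_workload_identity_vars(env: Optional[Mapping[str, str]] = None) -> List[str]:
    """Variables the webhook should have injected but that are absent or empty."""
    env = os.environ if env is None else env
    return [v for v in REQUIRED_WI_VARS if not env.get(v)]


# Constructed from the question's log output (object addresses shortened).
SAMPLE_LOG = [
    "[ERROR] - Unable to connect to KV using DefaultAzureCredential, ERROR: "
    "(<urllib3.connection.HTTPSConnection object>, 'Connection to <vault_name>.vault.azure.net "
    "timed out. (connect timeout=300)')",
    "[INFO] - Incomplete environment configuration for EnvironmentCredential. "
    "These variables are set: AZURE_CLIENT_ID, AZURE_TENANT_ID",
    "[INFO] - ManagedIdentityCredential will use workload identity",
    "[INFO] - Request URL: 'https://<vault_name>.vault.azure.net/secrets/snowflake-password/?api-version=REDACTED'",
]

if __name__ == "__main__":
    for layer, details in triage(SAMPLE_LOG).items():
        for detail in details:
            print(f"{layer:13s} {detail}")
    print("first failing layer:", first_failing_layer(SAMPLE_LOG))
    print("missing workload identity vars:", missing_workload_identity_vars())
```

Run inside the pod (or point `missing_workload_identity_vars` at a copied environment) to confirm the webhook injected the token file path; on the question's log the first failing layer is the network path, so the Key Vault firewall and RBAC only become relevant once a connection actually completes.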


1 answer

  1. Sina Salam, Volunteer Moderator
    2026-03-14T13:00:54.7466667+00:00

    Hello Anonymous,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having an error with Azure Key Vault access from a Python application in Azure Kubernetes Service.

    Your python code is correct. The Python application already detects a valid identity provider through the DefaultAzureCredential chain, which confirms that managed identity or workload identity initialization is functioning properly.

    To resolve the issue, retrieve the outbound public IP addresses assigned to the Azure Kubernetes Service cluster and add them to the vault’s network access rules. This can be obtained using the Azure CLI:

    az aks show \
      --resource-group <resource-group> \
      --name <cluster-name> \
      --query networkProfile.loadBalancerProfile.effectiveOutboundIPs
    

    After identifying the outbound IPs, navigate to the Key Vault Networking settings in the Azure portal and add those addresses to the firewall allow list, or alternatively enable the Allow trusted Microsoft services option if appropriate for the environment. Once the AKS outbound traffic is permitted, the Python SDK will successfully connect and retrieve secrets using the existing implementation:

    from azure.identity import DefaultAzureCredential
    from azure.keyvault.secrets import SecretClient
    
    credential = DefaultAzureCredential()
    client = SecretClient(
        vault_url="https://<vault-name>.vault.azure.net/",
        credential=credential
    )
    
    secret = client.get_secret("snowflake-password")
    print(secret.value)
    

    Implementation guidance for this configuration is documented in the official Azure networking and Key Vault documentation: https://learn.microsoft.com/en-us/azure/key-vault/general/network-security and https://learn.microsoft.com/en-us/azure/key-vault/secrets/quick-create-python. Once network access is properly configured, the application can authenticate through managed identity and retrieve secrets without experiencing connection timeouts.

    I hope this is helpful! Do not hesitate to let me know if you have any other questions or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.
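One detail to watch when following the `az aks show` query in the answer, as an added example that is not the answer's or Microsoft's code: `effectiveOutboundIPs` returns public IP resource IDs, not addresses, so each ID still has to be resolved with `az network public-ip show --ids <id> --query ipAddress -o tsv` before it can go into the vault firewall. The helper below takes constructed sample output, validates the resolved addresses (Key Vault ipRules are IPv4 only) and emits only the `az keyvault network-rule add` commands for addresses the vault does not already cover; the JSON, the TEST-NET addresses, the existing rules and the vault name are all made up.

```python
"""Added example: turn AKS outbound public IPs into Key Vault firewall rules.

Sample data is constructed; only the az CLI commands and JSON shapes are real.
"""
import ipaddress
import json
from typing import Dict, Iterable, List

# RFC 1918 ranges: an outbound IP inside these means the cluster egresses through
# something else (NAT gateway, firewall) and the public address must be found there.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def outbound_ip_resource_ids(aks_show_output: str) -> List[str]:
    """IDs from `az aks show ... --query networkProfile.loadBalancerProfile.effectiveOutboundIPs`."""
    return [entry["id"] for entry in json.loads(aks_show_output)]


def public_ip_show_commands(resource_ids: Iterable[str]) -> List[str]:
    """The follow-up lookups that turn each resource ID into an address."""
    return [f"az network public-ip show --ids {rid} --query ipAddress -o tsv" for rid in resource_ids]


def validate_addresses(addresses: Iterable[str]) -> List[str]:
    """Key Vault ipRules take IPv4 only; reject IPv6 and anything RFC 1918."""
    ok = []
    for a in addresses:
        ip = ipaddress.ip_address(a)
        if ip.version != 4:
            raise ValueError(f"{a}: Key Vault firewall rules must be IPv4")
        if any(ip in net for net in RFC1918):
            raise ValueError(f"{a}: private address, not a usable egress IP")
        ok.append(str(ip))
    return ok


def missing_rules(addresses: Iterable[str], existing_rules: Iterable[str]) -> List[str]:
    """Single-host CIDRs not already covered by the vault's current ipRules."""
    nets = [ipaddress.ip_network(r, strict=False) for r in existing_rules]
    return [f"{a}/32" for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def add_rule_commands(vault_name: str, rules: Iterable[str]) -> List[str]:
    """One `az keyvault network-rule add` per rule still missing."""
    return [f"az keyvault network-rule add --name {vault_name} --ip-address {r}" for r in rules]


def plan(aks_show_output: str, lookup: Dict[str, str], existing_rules: List[str], vault_name: str) -> List[str]:
    """End to end: resource IDs -> addresses -> only the rules the vault lacks."""
    ids = outbound_ip_resource_ids(aks_show_output)
    addresses = validate_addresses(lookup[rid] for rid in ids)
    return add_rule_commands(vault_name, missing_rules(addresses, existing_rules))


# --- constructed sample data (subscription, names and addresses are made up) ---
SAMPLE_AKS_OUTPUT = json.dumps([
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "MC_example-rg_example-aks_eastus/providers/Microsoft.Network/publicIPAddresses/example-egress-pip-1",
     "resourceGroup": "MC_example-rg_example-aks_eastus"},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/"
           "MC_example-rg_example-aks_eastus/providers/Microsoft.Network/publicIPAddresses/example-egress-pip-2",
     "resourceGroup": "MC_example-rg_example-aks_eastus"},
])
# What the public-ip lookups would return, keyed by resource ID.
SAMPLE_LOOKUP: Dict[str, str] = dict(zip(
    outbound_ip_resource_ids(SAMPLE_AKS_OUTPUT), ("203.0.113.10", "203.0.113.11")))
# Rules already on the vault; the second one happens to cover pip-2 already.
SAMPLE_EXISTING_RULES = ["198.51.100.0/24", "203.0.113.11"]

if __name__ == "__main__":
    for cmd in public_ip_show_commands(outbound_ip_resource_ids(SAMPLE_AKS_OUTPUT)):
        print(cmd)
    for cmd in plan(SAMPLE_AKS_OUTPUT, SAMPLE_LOOKUP, SAMPLE_EXISTING_RULES, "example-kv"):
        print(cmd)
```

Comparing against the vault's existing ipRules before adding keeps the allow list minimal and idempotent, which matters because every address on it is a network-level trust grant that outlives the cluster it was added for.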
