How to access Azure vault from AKS using Managed Identity

R, Santhosh 0 Reputation points
2024-04-11T16:01:52.48+00:00

How to access Azure vault from AKS using Managed Identity.

I'm using Java to get my Azure Key Vault secrets with the key configured in Azure Vault. Below is my code snippet:

```java
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;

public String getSecrets(String secretKey)
{
    // User-assigned managed identity, selected by its client id
    ManagedIdentityCredential managedIdentityCredential = new ManagedIdentityCredentialBuilder()
            .clientId("XXXXX-XXX-XXXX-XXXX-XXXXX")
            .build();
    // Key Vault client; tokens are requested for the https://vault.azure.net/.default scope
    SecretClient secretClient = new SecretClientBuilder()
            .vaultUrl("https://xxxx-xxxx-xxx-keyvault.vault.azure.net/")
            .credential(managedIdentityCredential)
            .buildClient();
    KeyVaultSecret storedSecret = secretClient.getSecret(secretKey);
    return storedSecret.getValue();
}
```

XXXXX-XXX-XXXX-XXXX-XXXXX is my user managed identity client id associated with AKS and Azure Vault.

When I deploy my application in my AKS I'm getting the exception below.

```text
2024-04-11 12:46:39.584 ERROR 1 --- [ main] c.a.i.implementation.IdentityClient : ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established.
2024-04-11 12:46:39.589 ERROR 1 --- [ main] c.a.identity.ManagedIdentityCredential : Azure Identity => ERROR in getToken() call for scopes [https://vault.azure.net/.default]: ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established.
2024-04-11 12:46:39.610 ERROR 1 --- [ main] c.a.c.implementation.AccessTokenCache : {"az.sdk.message":"Failed to acquire a new access token.","exception":"ManagedIdentityCredential authentication unavailable. Connection to IMDS endpoint cannot be established."}
```

Could you please help in resolving this and with the necessary steps to be taken?

Shweta Mathur 27,691 Reputation points Microsoft Employee
    2024-04-16T11:12:17.0466667+00:00

    Hi @R, Santhosh,

    Thanks for reaching out.

    The error message indicates that you could not connect to the Azure Instance Metadata Service endpoint. It is a REST endpoint that is available at a well-known non-routable IP address (169.254.169.254); MSI uses it to get the token, and it can be accessed only from within an Azure service, e.g. web app, VM, etc. Simply put, you cannot use MSI (managed identity) locally.

    If you'd like to access the Key Vault via a Managed Identity, you can deploy a VM with a system-assigned managed identity or an Azure App Service to read a secret from Azure Key Vault. For more info.

    Hope this will help.

    Thanks,

    Shweta

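The same Key Vault lookup as in the question, rewritten as an added example (not code from the question or from Microsoft) so that one build authenticates both inside an AKS pod and on a developer machine, which is the local-versus-Azure distinction the answer draws. It assumes the azure-identity and azure-security-keyvault-secrets artifacts on the classpath, reuses the question's placeholder client id and vault URL, and names a hypothetical KeyVaultSecretReader class.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.CredentialUnavailableException;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

// Hypothetical class, not from the question: the same secret lookup, but the
// credential is resolved by DefaultAzureCredential so that one build works on
// AKS and on a developer machine without code changes.
public final class KeyVaultSecretReader {

    // Placeholders copied from the question; the real values are not on the page.
    private static final String VAULT_URL = "https://xxxx-xxxx-xxx-keyvault.vault.azure.net/";
    private static final String IDENTITY_CLIENT_ID = "XXXXX-XXX-XXXX-XXXX-XXXXX";

    private final SecretClient secretClient;

    // Credential is injectable so tests or callers can supply another source.
    public KeyVaultSecretReader(TokenCredential credential) {
        this.secretClient = new SecretClientBuilder()
                .vaultUrl(VAULT_URL)
                .credential(credential)
                .buildClient();
    }

    // DefaultAzureCredential tries, in order: environment variables, workload
    // identity (the AZURE_FEDERATED_TOKEN_FILE projected by the AKS workload
    // identity webhook), managed identity via IMDS at 169.254.169.254, and then
    // developer logins such as the Azure CLI. On a laptop, where IMDS is
    // unreachable, the CLI login is used instead of failing as in the question.
    public static TokenCredential buildCredential() {
        return new DefaultAzureCredentialBuilder()
                .workloadIdentityClientId(IDENTITY_CLIENT_ID)
                .managedIdentityClientId(IDENTITY_CLIENT_ID)
                .build();
    }

    // The identity still needs data-plane access on the vault (a Key Vault
    // Secrets User role assignment or a Get secret access policy).
    public String getSecret(String secretName) {
        try {
            return secretClient.getSecret(secretName).getValue();
        } catch (CredentialUnavailableException e) {
            // Raised when every source in the chain is unavailable; the IMDS
            // message from the question appears here as one of the chained causes.
            throw new IllegalStateException(
                    "No Azure credential could be obtained for " + VAULT_URL, e);
        }
    }
}
```

Construct it with `new KeyVaultSecretReader(KeyVaultSecretReader.buildCredential())`; in the pod the log will show which credential in the chain succeeded, which is the quickest way to tell an IMDS reachability problem from a missing role assignment.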