Proper Way to allow AKS Pod to access App Configuration via Workload Identities

Markus 21 Reputation points
2022-08-16T19:41:56.637+00:00

Hi, I'm looking for a way to grant Kubernetes Pods access to Azure App Config without providing any credentials.
For this, I stumbled over Workload Identities and followed the Quick Start Guide provided by Microsoft, which covers access to Key Vault. Everything went fine, and I'm able to access the stored secrets without providing any credentials. But when I try to do the same for App Configuration, I get an HTTP 403 error while using the Azure SDK for Java:

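import com.azure.data.appconfiguration.ConfigurationClient;  
import com.azure.data.appconfiguration.ConfigurationClientBuilder;  
import com.azure.data.appconfiguration.models.ConfigurationSetting;  
  
// Build the client; CustomTokenCredential supplies the workload identity token  
final ConfigurationClient client = new ConfigurationClientBuilder()  
        .credential(new CustomTokenCredential())  
        .endpoint("*********")  
        .buildClient();  
  
System.out.println("Receiving existiting configuration");  
  
// Read one setting (no label, no accept-datetime) and print it  
ConfigurationSetting setting = client.getConfigurationSetting("/application/config.message", null, null);  
// Pass the values as printf arguments so a '%' in the value is not parsed as a format specifier  
System.out.printf("[GetConfigurationSetting] Key: %s, Value: %s%n", setting.getKey(),  
        setting.getValue());  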

while using the CustomTokenCredential.java provided by Azure.

The only difference I can spot between Key Vault and App Configuration is the "Access policies" blade, which does not exist for App Configuration. Nevertheless, I granted every account in my sandbox the contributor role via Access Control for the App Configuration without any difference.
Which steps do I need to take to grant my Pods access to App Configuration, or is there maybe a tutorial covering my scenario?

Below you find the error message of the shown code:

Receiving existiting configuration  
[Thread-5] INFO com.azure.core.implementation.AccessTokenCache - Acquired a new access token.  
[main] ERROR com.azure.core.implementation.http.rest.RestProxyBase - Status code 403, (empty body)  
[main] ERROR com.azure.core.implementation.http.rest.RestProxyBase - Status code 403, (empty body)  
[main] ERROR com.azure.data.appconfiguration.implementation.ConfigurationClientImpl - Status code 403, (empty body)  
Exception in thread "main" com.azure.core.exception.HttpResponseException: Status code 403, (empty body)  
        at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException(RestProxyBase.java:358)  
        at com.azure.core.implementation.http.rest.SyncRestProxy.ensureExpectedStatus(SyncRestProxy.java:116)  
        at com.azure.core.implementation.http.rest.SyncRestProxy.handleRestReturnType(SyncRestProxy.java:206)  
        at com.azure.core.implementation.http.rest.SyncRestProxy.invoke(SyncRestProxy.java:76)  
        at com.azure.core.implementation.http.rest.RestProxyBase.invoke(RestProxyBase.java:110)  
        at com.azure.core.http.rest.RestProxy.invoke(RestProxy.java:95)  
        at com.sun.proxy.$Proxy23.getKeyValue(Unknown Source)  
        at com.azure.data.appconfiguration.implementation.ConfigurationClientImpl.getConfigurationSettingWithResponse(ConfigurationClientImpl.java:496)  
        at com.azure.data.appconfiguration.ConfigurationClient.getConfigurationSetting(ConfigurationClient.java:358)  
        at com.example.msal.java.App.appConfigurationWithWorkloadIdentity(App.java:84)  
        at com.example.msal.java.App.main(App.java:18)  
Azure Kubernetes Service (AKS)