This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 87%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hi, I'm looking for a way to grant Kubernetes Pods access to Azure App Config without providing any credentials.
For this, I stumbled over Workload Identities and followed the Quick Start Guide provided by Microsoft, which covers the access to Key Vault. Everything went fine, and I'm able to access the stored secrets without providing any credentials. But if I'm trying to do the same for App Configuration, I'm getting an HTTP 403-Error while using the Azure SDK for Java:
// Token
final ConfigurationClient client = new ConfigurationClientBuilder()
.credential(new CustomTokenCredential())
.endpoint("*********")
.buildClient();
System.out.println("Receiving existiting configuration");
ConfigurationSetting setting = client.getConfigurationSetting("/application/config.message", null, null);
System.out.printf(String.format("[GetConfigurationSetting] Key: %s, Value: %s\n", setting.getKey(),
setting.getValue()));
while using CustomTokenCredential.java provided by Azure
The only difference I can spot between Key Vault and App Configuration is the "Access policies" blade, which does not exist for App Configuration. Nevertheless, I granted every account in my sandbox the contributor role via Access Control for the App Configuration without any difference.
Which steps do I need to take to grant my Pods access to App Configuration or maybe there is a tutorial covering my scenario?
Below you find the error message of the shown code:
Receiving existiting configuration
[Thread-5] INFO com.azure.core.implementation.AccessTokenCache - Acquired a new access token.
[main] ERROR com.azure.core.implementation.http.rest.RestProxyBase - Status code 403, (empty body)
[main] ERROR com.azure.core.implementation.http.rest.RestProxyBase - Status code 403, (empty body)
[main] ERROR com.azure.data.appconfiguration.implementation.ConfigurationClientImpl - Status code 403, (empty body)
Exception in thread "main" com.azure.core.exception.HttpResponseException: Status code 403, (empty body)
at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException(RestProxyBase.java:358)
at com.azure.core.implementation.http.rest.SyncRestProxy.ensureExpectedStatus(SyncRestProxy.java:116)
at com.azure.core.implementation.http.rest.SyncRestProxy.handleRestReturnType(SyncRestProxy.java:206)
at com.azure.core.implementation.http.rest.SyncRestProxy.invoke(SyncRestProxy.java:76)
at com.azure.core.implementation.http.rest.RestProxyBase.invoke(RestProxyBase.java:110)
at com.azure.core.http.rest.RestProxy.invoke(RestProxy.java:95)
at com.sun.proxy.$Proxy23.getKeyValue(Unknown Source)
at com.azure.data.appconfiguration.implementation.ConfigurationClientImpl.getConfigurationSettingWithResponse(ConfigurationClientImpl.java:496)
at com.azure.data.appconfiguration.ConfigurationClient.getConfigurationSetting(ConfigurationClient.java:358)
at com.example.msal.java.App.appConfigurationWithWorkloadIdentity(App.java:84)
at com.example.msal.java.App.main(App.java:18)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(208, 35%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
Hello @Markus ,
Thanks for reaching out. Let me check on this internally and get back to you. Thanks.
Hi @Markus ,
I do not have expertise on Java. I would recommend you to please open a support ticket with Azure to work on this. Let me know if you do not have the ability to open a support case, then I can help you with a one-time free support. Thanks.