Azure Key Vault + OAuth authentication issues #723
Thanks for the sample, it's super helpful. The problem here is that env.KeyVaultEndpoint is not the same as the resource ID (see #697 for more details). I added a new function, autorest.NewBearerAuthorizerCallback, so that you can retrieve the tenant and resource IDs from the server to ensure the correct values are used. We don't have a sample for this right now, let me see if I can update your sample using this new functionality.

Awesome - thanks @jhendrixMSFT :)
Here's the updated function.

```go
import (
	"github.com/Azure/go-autorest/autorest"
	"github.com/Azure/go-autorest/autorest/adal"
)

// The azure-sdk-for-go packages (KeyVault data plane; keyvault and resources
// ARM packages) and the helpers ClientConfiguration, getAzureEnvironment,
// getAzureOAuthConfig and withRequestLogging come from the sample app linked
// in this issue.

// createSecretInKeyVault writes a secret to the vault's data plane and reads it back.
func (c Client) createSecretInKeyVault(config ClientConfiguration, resourceGroup *resources.Group, keyVault *keyvault.Vault, name, value string) (*KeyVault.SecretBundle, error) {
	client := KeyVault.New()
	//client.Authorizer = autorest.NewBearerAuthorizer(HardCodedToken{})
	client.Sender = autorest.CreateSender(withRequestLogging())
	// Let the service say which tenant and resource the token must be issued for:
	// after a 401 challenge autorest calls this function with the values from the
	// WWW-Authenticate header and replays the request with the returned token.
	client.Authorizer = autorest.NewBearerAuthorizerCallback(client.Sender, func(tenantID, resource string) (*autorest.BearerAuthorizer, error) {
		env, err := getAzureEnvironment(config.Environment)
		if err != nil {
			return nil, err
		}
		keyVaultOauthConfig, err := getAzureOAuthConfig(env.ActiveDirectoryEndpoint, tenantID)
		if err != nil {
			return nil, err
		}
		// client-credentials grant for exactly the resource the vault asked for
		keyVaultSpt, err := adal.NewServicePrincipalToken(*keyVaultOauthConfig, config.ClientId, config.ClientSecret, resource)
		if err != nil {
			return nil, err
		}
		return autorest.NewBearerAuthorizer(keyVaultSpt), nil
	})

	parameters := KeyVault.SecretSetParameters{
		Value: &value,
	}
	_, err := client.SetSecret(*keyVault.Properties.VaultURI, name, parameters)
	if err != nil {
		return nil, err
	}
	// the API Documentation says setting the SecretVersion field to an empty string should return the latest version, but also fails if specified
	secret, err := client.GetSecret(*keyVault.Properties.VaultURI, name, "")
	if err != nil {
		return nil, err
	}
	return &secret, nil
}
```

Be sure that your service principal has permissions to set secrets, see https://stackoverflow.com/questions/40025598/azure-key-vault-access-denied/45147912#45147912 for more info.
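As an added example of the challenge flow that the comments above rely on (this is not code from the thread, the sample app, or go-autorest, whose NewBearerAuthorizerCallback does the equivalent internally): the first request goes out unauthenticated, the vault answers 401 with a WWW-Authenticate header naming the AAD authority (tenant) and the resource, and the client mints a token for exactly those values and replays the request. The fake vault, the tenant ID, the token format and the "trailing slash" mismatch are constructed for the example; a real vault validates the aud claim of a signed JWT, which the exact-string comparison here only stands in for.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"regexp"
	"strings"
)

// Challenge holds what a Key Vault 401 advertises: the AAD authority (whose last
// path segment is the tenant) and the audience ("resource") the token must carry.
type Challenge struct {
	TenantID string
	Resource string
}

var challengeParamRE = regexp.MustCompile(`(\w+)="([^"]*)"`)

// ParseBearerChallenge extracts tenant and resource from a header such as
//   Bearer authorization="https://login.windows.net/<tenant>", resource="https://vault.azure.net"
func ParseBearerChallenge(header string) (Challenge, error) {
	const scheme = "Bearer "
	if !strings.HasPrefix(header, scheme) {
		return Challenge{}, errors.New("not a Bearer challenge: " + header)
	}
	params := map[string]string{}
	for _, m := range challengeParamRE.FindAllStringSubmatch(header[len(scheme):], -1) {
		params[m[1]] = m[2]
	}
	authority, err := url.Parse(params["authorization"])
	if err != nil || authority.Host == "" {
		return Challenge{}, errors.New("challenge has no usable authorization URL")
	}
	tenant := strings.Trim(authority.Path, "/")
	if tenant == "" || params["resource"] == "" {
		return Challenge{}, errors.New("challenge lacks tenant or resource")
	}
	return Challenge{TenantID: tenant, Resource: params["resource"]}, nil
}

// TokenFunc has the shape of the callback given to autorest.NewBearerAuthorizerCallback:
// mint a token for the tenant and resource the service asked for, not for a config value.
type TokenFunc func(tenantID, resource string) (string, error)

// ChallengeTransport sends the request once unauthenticated; on a 401 Bearer challenge
// it obtains a token for the advertised tenant/resource and replays the request.
type ChallengeTransport struct {
	Next  http.RoundTripper
	Token TokenFunc
}

func (t *ChallengeTransport) RoundTrip(req *http.Request) (*http.Response, error) {
	resp, err := t.Next.RoundTrip(req)
	if err != nil || resp.StatusCode != http.StatusUnauthorized {
		return resp, err
	}
	ch, err := ParseBearerChallenge(resp.Header.Get("WWW-Authenticate"))
	if err != nil {
		return resp, nil // a 401 we cannot satisfy: hand it back unchanged
	}
	resp.Body.Close()
	tok, err := t.Token(ch.TenantID, ch.Resource)
	if err != nil {
		return nil, err
	}
	retry := req.Clone(req.Context())
	if req.GetBody != nil { // replay the body for PUT/POST such as SetSecret
		if retry.Body, err = req.GetBody(); err != nil {
			return nil, err
		}
	}
	retry.Header.Set("Authorization", "Bearer "+tok)
	return t.Next.RoundTrip(retry)
}

// mintToken stands in for the AAD client-credentials grant (constructed format):
// the token carries its audience so the fake vault can check it, like AAD's aud claim.
func mintToken(tenantID, resource string) string {
	return "tok|" + tenantID + "|" + resource
}

// fakeVault is a constructed stand-in for the Key Vault data plane: a token for
// exactly its resource string gets 200, anything else gets 401 plus a challenge.
type fakeVault struct{ tenantID, resource string }

func (v fakeVault) RoundTrip(req *http.Request) (*http.Response, error) {
	if req.Header.Get("Authorization") == "Bearer "+mintToken(v.tenantID, v.resource) {
		return &http.Response{StatusCode: 200, Header: http.Header{}, Request: req,
			Body: io.NopCloser(strings.NewReader(`{"value":"s3cr3t"}`))}, nil
	}
	h := http.Header{}
	h.Set("WWW-Authenticate", fmt.Sprintf(`Bearer authorization="https://login.windows.net/%s", resource="%s"`, v.tenantID, v.resource))
	return &http.Response{StatusCode: 401, Header: h, Request: req, Body: io.NopCloser(strings.NewReader(""))}, nil
}

// GetSecret runs one data-plane GET through the challenge-aware transport and
// returns the final status and body.
func GetSecret(vault http.RoundTripper, token TokenFunc) (int, string, error) {
	client := &http.Client{Transport: &ChallengeTransport{Next: vault, Token: token}}
	resp, err := client.Get("https://example.vault.azure.net/secrets/demo?api-version=2016-10-01")
	if err != nil {
		return 0, "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return resp.StatusCode, string(body), nil
}

func main() {
	vault := fakeVault{tenantID: "11111111-2222-3333-4444-555555555555", resource: "https://vault.azure.net"}
	// Right: use the tenant/resource from the challenge.
	fmt.Println(GetSecret(vault, func(tenantID, resource string) (string, error) {
		return mintToken(tenantID, resource), nil
	}))
	// Wrong: audience taken from configuration, differing only by a trailing slash.
	fmt.Println(GetSecret(vault, func(tenantID, _ string) (string, error) {
		return mintToken(tenantID, "https://vault.azure.net/"), nil
	}))
}
```

The second call in main is the failure mode from the original report: the service principal is authorised, but the token's audience does not match what the vault expects, so the replayed request is refused just like the first one.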
Closing as this should be resolved but do let me know if you have any questions.

@jhendrixMSFT sorry, thought I'd replied to this! Thanks a lot for confirming that and updating the sample - I can confirm that worked great - I've shipped support for this in hashicorp/terraform-provider-azurerm#269 :) Thanks!
👋 hey folks!
I've been trying to implement support for managing both Secrets and Certificate Operations within Azure Key Vault.
From what I can see, the documentation states that an OAuth token from Azure AD should grant access to manage a Key Vault, providing the context is for vault.azure.net. However - when attempting to hook this up via the Go SDK I see the following error:
As such I attempted to set the login URL to "https://login.windows.net" (from the WWW-Authenticate header) - but this yielded the same response. Given the Documentation hasn't been particularly helpful, I've been struggling to find a code sample for this either to work back from :( (related: I don't think I've seen a reference to the Go SDK on the Key Vault Documentation at all)
When providing the OAuth Token from the Azure Portal this code works as expected (and thus, this issue appears to be limited to the authentication). I've spent a while digging into Permissions in the portal; the Service Principal has permissions to Azure Key Vault, and is allowed in the Access Policies in the Azure Key Vault - so I'm a bit stumped.
Would it be possible to provide some guidance on how to authenticate against Azure Key Vault using a Service Principal? I'm not sure if it's helpful, but I've pushed the sample app I've been using to debug this here
Thanks!