Search code examples
linuxazureazure-keyvaultazure-virtual-machineazure-managed-identity

Use a Linux VM system-assigned managed identity to access Azure Key Vault

I'm trying to reproduce the same result as described in the Microsoft Document https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad

I have a VM with system assigned managed identity and a key vault where I have granted the permission of "Key Vault Secrets User" to the VM system assigned managed identity.

When trying to retrieve a secret from the key vault I get the error:

* Connection #0 to host redacted.vault.azure.net left intact
{"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error validating token: 'S2S12005'."}}

The commands I'm using:

ACCESS_TOKEN=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true | jq .access_token)

curl -v 'https://redacted.vault.azure.net/secrets/secret?api-version=2016-10-01' -H "Authorization: Bearer ${ACCESS_TOKEN}"

Output:

*   Trying 192.168.1.100:443...
* TCP_NODELAY set
* Connected to redacted.vault.azure.net (192.168.1.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=vault.azure.net
*  start date: Aug  1 00:09:59 2023 GMT
*  expire date: Jun 27 23:59:59 2024 GMT
*  subjectAltName: host "redacted.vault.azure.net" matched cert's "*.vault.azure.net"
*  issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 05
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b99339d300)
> GET /secrets/secret?api-version=2016-10-01 HTTP/2
> Host: redacted.vault.azure.net
> user-agent: curl/7.68.0
> accept: */*
> authorization: Bearer "redacted"
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 401
< cache-control: no-cache
< pragma: no-cache
< content-length: 111
< content-type: application/json; charset=utf-8
< expires: -1
< www-authenticate: Bearer authorization="https://login.microsoftonline.com/38ae3bcd-9579-4fd4-adda-b42e1495d55a", resource="https://vault.azure.net"
< x-ms-keyvault-region: germanywestcentral
< x-ms-request-id: e8e664e8-7266-476d-8412-844887a779a5
< x-ms-keyvault-service-version: 1.9.950.1
< x-ms-keyvault-network-info: conn_type=PrivateLink;subnet=/subscriptions/redacted/resourcegroups/resourcegroup/providers/microsoft.network/virtualnetworks/vnet-dev/subnets/build;private_endpoint=/subscriptions/redacted/resourceGroups/resourcegroup/providers/Microsoft.Network/privateEndpoints/pep-keyvault-dev;addr=192.168.1.100;act_addr_fam=InterNetworkV6;
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000;includeSubDomains
< date: Tue, 05 Sep 2023 08:55:54 GMT
<
* Connection #0 to host redacted.vault.azure.net left intact
{"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error validating token: 'S2S12005'."}}
Solution

  • From your Curl requests, I noticed that you used jq .access_token within your ACCESS_TOKEN variable which could be causing the BearerReadAccessTokenFailed error.

    To resolve this you should be able to use the following commands

    The CURL request for the access token:

    • kv_access_token=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true)

    Creating a variable and storing the access token from the previous request:

    • ACCESS_TOKEN=$(jq -jn "$kv_access_token|.access_token")

    Optional echo to see if the access token was stored/retrieved correctly - https://jwt.ms/

    • echo 'The access token is '$ACCESS_TOKEN

    CURL request for how to read a secret from Key Vault:

    • curl -v 'https://vaultName.vault.azure.net/secrets/testSecret?api-version=2016-10-01' -H "Authorization: Bearer ${ACCESS_TOKEN}"

    I hope this helps!