I've configured a Managed Identity to use a key vault on my Spring-Boot application inside a VM:
pom.xml
...
<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-starter-keyvault-secrets</artifactId>
    <version>5.13.0</version>
</dependency>
<dependency>
    <groupId>com.azure</groupId>
    <artifactId>azure-identity</artifactId>
    <version>1.14.2</version>
</dependency>
...
application.properties
spring.cloud.azure.keyvault.secret.property-source-enabled=true
spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://kvl-portal.vault.azure.net/
spring.cloud.azure.keyvault.secret.property-sources[0].profile.tenant-id=6d8b...
spring.cloud.azure.keyvault.secret.property-sources[0].credential.managed-identity-enabled=true
With this configuration, the application shows the following error when it starts:
15:57:55.244 [main] ERROR o.s.boot.SpringApplication - Application run failed java.lang.IllegalStateException: Failed to configure KeyVault property source... Caused by: com.azure.security.keyvault.secrets.implementation.models.KeyVaultErrorException: Status code 403, "{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller... eason: null \r\nVault: kvl-portal;location=brazilsouth\r\n","innererror":{"code":"ForbiddenByRbac"}}}"
If I put the client-id of the Managed Identity in application.properties:
spring.cloud.azure.keyvault.secret.property-source-enabled=true
spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://kvl-portal.vault.azure.net/
spring.cloud.azure.keyvault.secret.property-sources[0].profile.tenant-id=6d8b...
spring.cloud.azure.keyvault.secret.property-sources[0].credential.managed-identity-enabled=true
spring.cloud.azure.keyvault.secret.property-sources[0].credential.client-id=155619f....
With this configuration, the application shows the following error when it starts:
Caused by: com.azure.identity.CredentialUnavailableException: Managed Identity authentication is not available.
Is it possible to use Managed Identity to get Key Vault secrets in a Spring-Boot application deployed on a VM inside Azure?
Caller is not authorized to perform action on resource
The error occurred because the virtual machine does not have the correct permissions to retrieve secrets from the Azure Key Vault.
Assign the Key Vault Secrets User role to the virtual machine's managed identity in the Azure Key Vault.
SecretController :
Replace <SecretName> with your secret name in the code below.
import org.springframework.beans.factory.annotation.Value;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class SecretController {

    // Resolved from the Key Vault property source; falls back to the default if missing
    @Value("${<SecretName>:Secret not found}")
    private String secretValue;

    @GetMapping("/secret")
    public String getSecret() {
        return "Fetched secret: " + secretValue;
    }
}
application.properties :
spring.cloud.azure.keyvault.secret.property-source-enabled=true
spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://<KeyVaultName>.vault.azure.net/
spring.cloud.azure.keyvault.secret.property-sources[0].credential.managed-identity-enabled=true
I have enabled the System-assigned Managed Identity on the Azure Virtual Machine as shown below.
I have assigned the Key Vault Secrets Officer role to the user and the Key Vault Secrets User role to the Azure Virtual Machine's Managed Identity.
Virtual machine Output :
I successfully retrieved the secret from Azure Key Vault using the Spring Boot application running inside the Virtual machine as shown below.
Terminal Output :
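As an added example (not code from the question, the answer, or the Azure SDK), the same managed-identity path built directly with azure-identity and the Key Vault secrets SDK, so the two failures in the question can be told apart at runtime: a 403 means the identity got a token but lacks a role on the vault, while CredentialUnavailableException means no token was issued at all (with a client-id, the SDK looks for a user-assigned identity with that id on the VM). The vault URL and secret name are placeholders.

```java
import com.azure.core.exception.HttpResponseException;
import com.azure.identity.CredentialUnavailableException;
import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;

public class KeyVaultManagedIdentityCheck {
    // Placeholders (assumed), not values from the question or answer.
    private static final String VAULT_URL = "https://<KeyVaultName>.vault.azure.net/";
    private static final String SECRET_NAME = "<SecretName>";

    // Same credential the starter builds for credential.managed-identity-enabled=true.
    // clientId == null -> the VM's system-assigned identity; a clientId -> a user-assigned
    // identity with that client-id, which must actually be attached to the VM.
    static ManagedIdentityCredential buildCredential(String userAssignedClientId) {
        ManagedIdentityCredentialBuilder builder = new ManagedIdentityCredentialBuilder();
        if (userAssignedClientId != null) {
            builder.clientId(userAssignedClientId);
        }
        return builder.build();
    }

    // Reads one secret and maps the two failures from the question to actionable messages.
    static String readSecret(String userAssignedClientId) {
        SecretClient client = new SecretClientBuilder()
                .vaultUrl(VAULT_URL)
                .credential(buildCredential(userAssignedClientId))
                .buildClient();
        try {
            return client.getSecret(SECRET_NAME).getValue();
        } catch (CredentialUnavailableException e) {
            // No token from the VM identity endpoint: typically a client-id was given for a
            // user-assigned identity that is not attached to this VM.
            return "Managed identity token unavailable: " + e.getMessage();
        } catch (HttpResponseException e) {
            if (e.getResponse() != null && e.getResponse().getStatusCode() == 403) {
                // A token was issued, but the identity has no data-plane role on the vault.
                return "403 from Key Vault (e.g. ForbiddenByRbac): assign 'Key Vault Secrets User' "
                        + "to the identity on the vault and allow time for RBAC propagation.";
            }
            throw e;
        }
    }
    public static void main(String[] args) {
        // Pass no argument on a VM that has only a system-assigned identity.
        System.out.println("Fetched secret: " + readSecret(args.length > 0 ? args[0] : null));
    }
}
```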