Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.

Not able to use user assigned managed identity while using spring-azure-cloud-appconfiguration-web dependency #36760

Closed Tri16 closed 1 year ago

Tri16 commented 1 year ago

Hi, I am trying to connect my local Spring Boot application (inside an Azure VM) to Azure App Configuration with a user-assigned managed identity, using the following dependencies:

<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-feature-management-web</artifactId>
    <version>4.10.0</version>
</dependency>
<dependency>
    <groupId>com.azure.spring</groupId>
    <artifactId>spring-cloud-azure-appconfiguration-config-web</artifactId>
    <version>4.10.0</version>
</dependency>

and have provided the following bootstrap.properties:

spring.cloud.azure.appconfiguration.stores[0].endpoint=<endpoint of app config>
spring.cloud.azure.appconfiguration.stores[0].managed-identity.client-id=< user-assigned-managed-identity client-id>

and on application startup I am getting the following error:

2023-09-14 05:49:36.833 DEBUG 12032 --- [           main] c.azure.identity.EnvironmentCredential   : Azure Identity => Found the following environment variables: 
2023-09-14 05:49:36.874 DEBUG 12032 --- [           main] c.azure.identity.EnvironmentCredential   : Azure Identity => ERROR in EnvironmentCredential: Missing required environment variable AZURE_CLIENT_ID
2023-09-14 05:49:37.075 DEBUG 12032 --- [           main] c.a.identity.ManagedIdentityCredential   : Azure Identity => Found the following environment variables: 
2023-09-14 05:49:37.077 DEBUG 12032 --- [           main] c.a.identity.SharedTokenCacheCredential  : Azure Identity => Found the following environment variables: 

  .   ____          _            __ _ _
 /\\ / ___'_ __ _ _(_)_ __  __ _ \ \ \ \
( ( )\___ | '_ | '_| | '_ \/ _` | \ \ \ \
 \\/  ___)| |_)| | | | | || (_| |  ) ) ) )
  '  |____| .__|_| |_|_| |_\__, | / / / /
 =========|_|==============|___/=/_/_/_/
 :: Spring Boot ::                (v2.6.9)

2023-09-14 05:49:37.313 DEBUG 12032 --- [           main] .f.AbstractAzureHttpClientBuilderFactory : No HTTP retry properties available.
2023-09-14 05:49:37.314 DEBUG 12032 --- [           main] s.c.c.i.c.AzureHttpProxyOptionsConverter : Proxy hostname or port is not set.
2023-09-14 05:49:37.314 DEBUG 12032 --- [           main] .f.AbstractAzureHttpClientBuilderFactory : No HTTP proxy properties available.
2023-09-14 05:49:37.316 DEBUG 12032 --- [           main] AbstractAzureServiceClientBuilderFactory : No authentication credential configured for class ConfigurationClientBuilder.
2023-09-14 05:49:37.316  INFO 12032 --- [           main] AbstractAzureServiceClientBuilderFactory : Will configure the default credential of type DefaultAzureCredential for class com.azure.data.appconfiguration.ConfigurationClientBuilder.
2023-09-14 05:49:37.326 DEBUG 12032 --- [           main] c.a.core.implementation.util.Providers   : Using com.azure.core.http.netty.NettyAsyncHttpClientProvider as the default com.azure.core.http.HttpClientProvider.
2023-09-14 05:49:37.579 DEBUG 12032 --- [           main] .i.AppConfigurationReplicaClientsBuilder : Connecting to https://armtestac.azconfig.io using Azure System Assigned Identity or Azure User Assigned Identity.
2023-09-14 05:49:37.582 DEBUG 12032 --- [           main] c.a.identity.ManagedIdentityCredential   : Azure Identity => Found the following environment variables: 
2023-09-14 05:49:39.649 DEBUG 12032 --- [       Thread-2] c.a.c.i.ReflectionSerializable           : XmlSerializable serialization and deserialization isn't supported. If it is required add a dependency of 'com.azure:azure-xml', or another dependencies which include 'com.azure:azure-xml' as a transitive dependency. If your application runs as expected this informational message can be ignored.
2023-09-14 05:49:39.683  INFO 12032 --- [       Thread-2] c.a.identity.ManagedIdentityCredential   : Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT
2023-09-14 05:49:39.683  INFO 12032 --- [       Thread-2] c.a.identity.ManagedIdentityCredential   : Azure Identity => getToken() result for scopes [https://armtestac.azconfig.io/.default]: SUCCESS
2023-09-14 05:49:39.684  INFO 12032 --- [           main] c.a.c.implementation.AccessTokenCache    : {"az.sdk.message":"Acquired a new access token."}
2023-09-14 05:49:39.764 ERROR 12032 --- [           main] c.a.c.i.http.rest.RestProxyBase          : Status code 403, (empty body)

com.azure.core.exception.HttpResponseException: Status code 403, (empty body)
    at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException(RestProxyBase.java:337) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.SyncRestProxy.ensureExpectedStatus(SyncRestProxy.java:125) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.SyncRestProxy.handleRestReturnType(SyncRestProxy.java:213) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.SyncRestProxy.invoke(SyncRestProxy.java:81) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.RestProxyBase.invoke(RestProxyBase.java:109) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.http.rest.RestProxy.invoke(RestProxy.java:91) ~[azure-core-1.41.0.jar:1.41.0]
    at jdk.proxy2/jdk.proxy2.$Proxy38.listKeyValues(Unknown Source) ~[na:na]
    at com.azure.data.appconfiguration.implementation.ConfigurationClientImpl.listConfigurationSettingsSinglePage(ConfigurationClientImpl.java:747) ~[azure-data-appconfiguration-1.4.7.jar:1.4.7]
    at com.azure.data.appconfiguration.implementation.ConfigurationClientImpl.lambda$listConfigurationSettings$24(ConfigurationClientImpl.java:616) ~[azure-data-appconfiguration-1.4.7.jar:1.4.7]
    at com.azure.core.http.rest.PagedIterable.lambda$new$1(PagedIterable.java:158) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedByIteratorBase.requestPage(ContinuablePagedByIteratorBase.java:104) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedByItemIterable$ContinuablePagedByItemIterator.<init>(ContinuablePagedByItemIterable.java:83) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedByItemIterable.iterator(ContinuablePagedByItemIterable.java:58) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedIterable.iterator(ContinuablePagedIterable.java:141) ~[azure-core-1.41.0.jar:1.41.0]
    at java.base/java.lang.Iterable.forEach(Iterable.java:74) ~[na:na]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationReplicaClient.listSettings(AppConfigurationReplicaClient.java:125) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationFeatureManagementPropertySource.initProperties(AppConfigurationFeatureManagementPropertySource.java:99) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationPropertySourceLocator.create(AppConfigurationPropertySourceLocator.java:266) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationPropertySourceLocator.locate(AppConfigurationPropertySourceLocator.java:126) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:51) ~[spring-cloud-context-3.1.6.jar:3.1.6]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:47) ~[spring-cloud-context-3.1.6.jar:3.1.6]
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:95) ~[spring-cloud-context-3.1.6.jar:3.1.6]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:618) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:385) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:306) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1317) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1306) ~[spring-boot-2.6.9.jar:2.6.9]
    at com.tcs.isn.Application.main(Application.java:25) ~[classes/:na]

2023-09-14 05:49:39.771 ERROR 12032 --- [           main] c.a.c.i.http.rest.RestProxyBase          : Status code 403, (empty body)

com.azure.core.exception.HttpResponseException: Status code 403, (empty body)
    at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException(RestProxyBase.java:337) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.SyncRestProxy.ensureExpectedStatus(SyncRestProxy.java:125) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.SyncRestProxy.handleRestReturnType(SyncRestProxy.java:213) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.SyncRestProxy.invoke(SyncRestProxy.java:81) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.RestProxyBase.invoke(RestProxyBase.java:109) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.http.rest.RestProxy.invoke(RestProxy.java:91) ~[azure-core-1.41.0.jar:1.41.0]
    at jdk.proxy2/jdk.proxy2.$Proxy38.listKeyValues(Unknown Source) ~[na:na]
    at com.azure.data.appconfiguration.implementation.ConfigurationClientImpl.listConfigurationSettingsSinglePage(ConfigurationClientImpl.java:747) ~[azure-data-appconfiguration-1.4.7.jar:1.4.7]
    at com.azure.data.appconfiguration.implementation.ConfigurationClientImpl.lambda$listConfigurationSettings$24(ConfigurationClientImpl.java:616) ~[azure-data-appconfiguration-1.4.7.jar:1.4.7]
    at com.azure.core.http.rest.PagedIterable.lambda$new$1(PagedIterable.java:158) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedByIteratorBase.requestPage(ContinuablePagedByIteratorBase.java:104) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedByItemIterable$ContinuablePagedByItemIterator.<init>(ContinuablePagedByItemIterable.java:83) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedByItemIterable.iterator(ContinuablePagedByItemIterable.java:58) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedIterable.iterator(ContinuablePagedIterable.java:141) ~[azure-core-1.41.0.jar:1.41.0]
    at java.base/java.lang.Iterable.forEach(Iterable.java:74) ~[na:na]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationReplicaClient.listSettings(AppConfigurationReplicaClient.java:125) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationFeatureManagementPropertySource.initProperties(AppConfigurationFeatureManagementPropertySource.java:99) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationPropertySourceLocator.create(AppConfigurationPropertySourceLocator.java:266) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationPropertySourceLocator.locate(AppConfigurationPropertySourceLocator.java:126) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:51) ~[spring-cloud-context-3.1.6.jar:3.1.6]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:47) ~[spring-cloud-context-3.1.6.jar:3.1.6]
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:95) ~[spring-cloud-context-3.1.6.jar:3.1.6]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:618) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:385) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:306) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1317) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1306) ~[spring-boot-2.6.9.jar:2.6.9]
    at com.tcs.isn.Application.main(Application.java:25) ~[classes/:na]

2023-09-14 05:49:39.772 ERROR 12032 --- [           main] .i.AppConfigurationPropertySourceLocator : Fail fast is set and there was an error reading configuration from Azure App Configuration store https://armktestacs.azconfig.io
2023-09-14 05:49:41.689 ERROR 12032 --- [           main] o.s.boot.SpringApplication               : Application run failed

java.lang.RuntimeException: Failed to generate property sources for https://armktestacs.azconfig.io
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationPropertySourceLocator.failedToGeneratePropertySource(AppConfigurationPropertySourceLocator.java:236) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationPropertySourceLocator.locate(AppConfigurationPropertySourceLocator.java:137) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:51) ~[spring-cloud-context-3.1.6.jar:3.1.6]
    at org.springframework.cloud.bootstrap.config.PropertySourceLocator.locateCollection(PropertySourceLocator.java:47) ~[spring-cloud-context-3.1.6.jar:3.1.6]
    at org.springframework.cloud.bootstrap.config.PropertySourceBootstrapConfiguration.initialize(PropertySourceBootstrapConfiguration.java:95) ~[spring-cloud-context-3.1.6.jar:3.1.6]
    at org.springframework.boot.SpringApplication.applyInitializers(SpringApplication.java:618) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.prepareContext(SpringApplication.java:385) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:306) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1317) ~[spring-boot-2.6.9.jar:2.6.9]
    at org.springframework.boot.SpringApplication.run(SpringApplication.java:1306) ~[spring-boot-2.6.9.jar:2.6.9]
    at com.tcs.isn.Application.main(Application.java:25) ~[classes/:na]
Caused by: com.azure.core.exception.HttpResponseException: Status code 403, (empty body)
    at com.azure.core.implementation.http.rest.RestProxyBase.instantiateUnexpectedException(RestProxyBase.java:337) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.SyncRestProxy.ensureExpectedStatus(SyncRestProxy.java:125) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.SyncRestProxy.handleRestReturnType(SyncRestProxy.java:213) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.SyncRestProxy.invoke(SyncRestProxy.java:81) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.implementation.http.rest.RestProxyBase.invoke(RestProxyBase.java:109) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.http.rest.RestProxy.invoke(RestProxy.java:91) ~[azure-core-1.41.0.jar:1.41.0]
    at jdk.proxy2/jdk.proxy2.$Proxy38.listKeyValues(Unknown Source) ~[na:na]
    at com.azure.data.appconfiguration.implementation.ConfigurationClientImpl.listConfigurationSettingsSinglePage(ConfigurationClientImpl.java:747) ~[azure-data-appconfiguration-1.4.7.jar:1.4.7]
    at com.azure.data.appconfiguration.implementation.ConfigurationClientImpl.lambda$listConfigurationSettings$24(ConfigurationClientImpl.java:616) ~[azure-data-appconfiguration-1.4.7.jar:1.4.7]
    at com.azure.core.http.rest.PagedIterable.lambda$new$1(PagedIterable.java:158) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedByIteratorBase.requestPage(ContinuablePagedByIteratorBase.java:104) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedByItemIterable$ContinuablePagedByItemIterator.<init>(ContinuablePagedByItemIterable.java:83) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedByItemIterable.iterator(ContinuablePagedByItemIterable.java:58) ~[azure-core-1.41.0.jar:1.41.0]
    at com.azure.core.util.paging.ContinuablePagedIterable.iterator(ContinuablePagedIterable.java:141) ~[azure-core-1.41.0.jar:1.41.0]
    at java.base/java.lang.Iterable.forEach(Iterable.java:74) ~[na:na]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationReplicaClient.listSettings(AppConfigurationReplicaClient.java:125) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationFeatureManagementPropertySource.initProperties(AppConfigurationFeatureManagementPropertySource.java:99) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationPropertySourceLocator.create(AppConfigurationPropertySourceLocator.java:266) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    at com.azure.spring.cloud.appconfiguration.config.implementation.AppConfigurationPropertySourceLocator.locate(AppConfigurationPropertySourceLocator.java:126) ~[spring-cloud-azure-appconfiguration-config-4.10.0.jar:4.10.0]
    ... 9 common frames omitted

Please let me know what I am missing. I have verified that the configuration is done correctly in the Azure portal, regarding permissions to App Config.

joshfree commented 1 year ago

@saragluna could you please follow up with @Tri16

Netyyyy commented 1 year ago

Hi @mrm9084, please take a look.

saragluna commented 1 year ago

See https://github.com/microsoft/spring-cloud-azure/issues/1060#issuecomment-1719760468.

Tri16 commented 1 year ago

Hi, I also tried with the property below, but it doesn't work and gives the same error:

spring.cloud.azure.appconfiguration.managed-identity.client-id=[client-id]

https://github.com/Azure/azure-sdk-for-java/tree/main/sdk/spring/spring-cloud-azure-starter-appconfiguration-config#use-managed-identity-to-access-app-configuration

Tri16 commented 1 year ago

Hi @mrm9084, please let me know if there is some mistake that I am making, as this is urgent and I'm stuck because of it.

mrm9084 commented 1 year ago

@Tri16, looking at this doc here https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/authentication#authenticate-with-azure-active-directory, it looks like you need both of these properties set.

spring.cloud.azure:
  credential:
    managed-identity-enabled: true
    client-id: ${AZURE_CLIENT_ID}

Tri16 commented 1 year ago

@Tri16, looking at this doc here https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/authentication#authenticate-with-azure-active-directory, it looks like you need both of these properties set.

spring.cloud.azure:
  credential:
    managed-identity-enabled: true
    client-id: ${AZURE_CLIENT_ID}

Thanks, it worked!
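
The startup log in this issue shows a pattern worth recognising when triaging managed-identity failures: the token request succeeds and the service still answers 403, so the problem is authorization of the identity that was used, not authentication. The script below is an added example, not part of the thread or of the Azure SDK; the function name, verdict labels and hint wording are assumptions, and the sample lines are abridged from the log posted above.

```python
import re

# Constructed sample: five lines abridged from the startup log posted in the issue.
SAMPLE_LOG = """\
2023-09-14 05:49:37.316 DEBUG 12032 --- [           main] AbstractAzureServiceClientBuilderFactory : No authentication credential configured for class ConfigurationClientBuilder.
2023-09-14 05:49:37.316  INFO 12032 --- [           main] AbstractAzureServiceClientBuilderFactory : Will configure the default credential of type DefaultAzureCredential for class com.azure.data.appconfiguration.ConfigurationClientBuilder.
2023-09-14 05:49:39.683  INFO 12032 --- [       Thread-2] c.a.identity.ManagedIdentityCredential   : Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT
2023-09-14 05:49:39.683  INFO 12032 --- [       Thread-2] c.a.identity.ManagedIdentityCredential   : Azure Identity => getToken() result for scopes [https://armtestac.azconfig.io/.default]: SUCCESS
2023-09-14 05:49:39.764 ERROR 12032 --- [           main] c.a.c.i.http.rest.RestProxyBase          : Status code 403, (empty body)
"""

# Spring Boot console layout: timestamp, level, pid, ---, [thread], logger : message
LINE = re.compile(r"^\S+ \S+\s+\w+\s+\d+ --- \[.*?\]\s+(\S+)\s+: (.*)$")
FALLBACK = re.compile(r"Will configure the default credential of type (\w+)")
TOKEN = re.compile(r"getToken\(\) result for scopes \[(.*?)\]: (\w+)")
STATUS = re.compile(r"Status code (\d{3})")


def triage(log_text):
    """Separate 'request refused without a token' from 'token issued, then refused'."""
    facts = {"fallback": None, "tokens": [], "statuses": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # banner lines, stack frames, blank lines
        logger, msg = m.groups()
        if (f := FALLBACK.search(msg)):
            facts["fallback"] = f.group(1)
        if (t := TOKEN.search(msg)):
            # The logger name is abbreviated (c.a.identity.X); its last segment is the class.
            facts["tokens"].append((logger.rsplit(".", 1)[-1], t.group(1), t.group(2)))
        if (s := STATUS.search(msg)):
            facts["statuses"].append(int(s.group(1)))

    got_token = any(result == "SUCCESS" for _, _, result in facts["tokens"])
    refused = any(code in (401, 403) for code in facts["statuses"])
    hints = []
    if got_token and refused:
        verdict = "authenticated_but_forbidden"
        hints.append("a token was issued, so compare the identity that obtained it "
                     "with the identity that was granted access to the store")
        if facts["fallback"]:
            hints.append(f"no explicit credential was configured; {facts['fallback']} "
                         "chose the identity, so a configured client-id may not be in use")
    elif refused:
        verdict = "refused_without_token_success"
    else:
        verdict = "no_auth_problem_seen"
    return {"verdict": verdict, "hints": hints, **facts}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print(report["verdict"])
    for hint in report["hints"]:
        print(" -", hint)
```
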