Open krishnamraju-pernedi opened 5 months ago
@billwert @g2vinay
Thank you for your feedback. Tagging and routing to the team member best able to assist.
@saragluna could you help route this KV JCA github issue from @krishnamraju-pernedi? Thank you 😄
Thanks @krishnamraju-pernedi for detailed investigation, we'll look into this.
Hi @krishnamraju-pernedi, sorry for the late reply, but if you use UAMI instead of a service principal, please change to use the following argument: -Dazure.keyvault.managed-identity=<object-id-of-your-user-managed-identity>, you can see more info here, thanks
Hi @krishnamraju-pernedi. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.
@Netyyyy I was using the object-id of the managed identity as you suggested and the problem remained, so I raised a Microsoft support request and they suggested upgrading to workload identities as they no longer support pod identities. So I assume the issue is only when using pod identities.
I also assume this library supports only pod identities and not workload identities
Describe the bug: I am using Azure KeyVault JCA SDK code to read certificates and keys (keystore). I could retrieve certificates and private keys using a service principal, i.e. client_id and client_secret. But the same functionality is not working intermittently when using managed identity. After debugging the SDK code, I figured out that the following code uses object_id to fetch the access token. https://github.com/Azure/azure-sdk-for-java/blob/90fa9e4f866d2338fdebc49627f397066697486f/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/utils/AccessTokenUtil.java#L166
My observations: An access token request using client_id and one using object_id are not the same. If client_id is passed in the identity request, it returns an access token for the respective UAMI. But if object_id is passed in the request, it ignores object_id and generates an access token for one of the assigned managed identities. When more than one managed identity (UAMI) is assigned to the resource, it generates an access token using a random UAMI and does not use the object_id in the query param at all. It works fine if client_id is used.
Exception or Stack Trace: No errors printed. The access token being generated is not what was requested.
To Reproduce: Steps to reproduce the behavior: 1. Resource should have more than one UAMI assigned.
Code Snippet: Add the code snippet that causes the issue.
Expected Behavior: client_id should be used for managed identity instead of object_id
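As an added diagnostic example (not code from this issue or from the azure-security-keyvault-jca library), the following Python builds the IMDS token request with client_id rather than object_id and then inspects the appid/oid claims of the returned token to confirm it was issued for the intended UAMI; the identifiers are placeholders and the sample token is constructed locally with a fake signature.

```python
import base64
import json
from urllib.parse import urlencode

IMDS_TOKEN_ENDPOINT = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_HEADERS = {"Metadata": "true"}  # IMDS rejects requests without this header

# Placeholder identifiers for one user-assigned managed identity (not real values).
EXPECTED_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
EXPECTED_OBJECT_ID = "22222222-2222-2222-2222-222222222222"


def imds_token_url(resource, client_id=None, object_id=None, api_version="2018-02-01"):
    """Build the IMDS token request URL. client_id is the selector that reliably
    picks one UAMI when several are assigned; object_id is the parameter the
    issue reports as being ignored in that situation."""
    params = {"api-version": api_version, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    elif object_id:
        params["object_id"] = object_id
    return f"{IMDS_TOKEN_ENDPOINT}?{urlencode(params)}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt):
    """Return the payload claims of a JWT without signature verification
    (local inspection only; Key Vault validates the signature server-side)."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def check_token_identity(jwt, expected_client_id, expected_object_id):
    """Report whether the token's appid/oid claims match the intended UAMI.
    Run this on the token actually returned before blaming Key Vault access."""
    claims = token_claims(jwt)
    return {
        "appid_ok": claims.get("appid") == expected_client_id,
        "oid_ok": claims.get("oid") == expected_object_id,
    }


def make_unsigned_sample_token(claims):
    """Constructed sample JWT with a fake signature, for offline testing only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "RS256", "typ": "JWT"})
    return f"{header}.{enc(claims)}.fake-signature"
```

On a real VM or pod, send the URL from imds_token_url with IMDS_HEADERS, then pass the access_token field of the JSON response to check_token_identity to see which identity IMDS actually served.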