Azure / azure-sdk-for-java

This repository is for active development of the Azure SDK for Java. For consumers of the SDK we recommend visiting our public developer docs at https://docs.microsoft.com/java/azure/ or our versioned developer docs at https://azure.github.io/azure-sdk-for-java.
MIT License

[BUG] Azure KeyVault JCA library should use managed identity's client_id instead of object_id #39502

Open krishnamraju-pernedi opened 5 months ago

krishnamraju-pernedi commented 5 months ago

Describe the bug I am using the Azure KeyVault JCA SDK code to read certificates and keys (keystore). I could retrieve certificates and private keys using a service principal, i.e. client_id and client_secret. But the same functionality is not working intermittently when using managed identity. After debugging the SDK code, I figured out that the following code uses object_id to fetch the access token. https://github.com/Azure/azure-sdk-for-java/blob/90fa9e4f866d2338fdebc49627f397066697486f/sdk/keyvault/azure-security-keyvault-jca/src/main/java/com/azure/security/keyvault/jca/implementation/utils/AccessTokenUtil.java#L166

My observations: An access token request using client_id and one using object_id are not the same. If client_id is passed in the identity request, it returns an access token for the respective UAMI. But if object_id is passed in the request, it ignores object_id and generates an access token for one of the assigned managed identities. When more than one managed identity (UAMI) is assigned to the resource, it generates the access token using a random UAMI and does not use the object_id query param at all. It works fine if client_id is used.

Exception or Stack Trace No errors printed. Access token being generated is not what has been requested.

To Reproduce Steps to reproduce the behavior:

  1. The resource should have more than one UAMI assigned.
  2. Make an identity request to http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01 with object_id as a query param to get a token.
  3. Read the JWT token using jwt.io and you will find a different UAMI name each time in the token details.

Code Snippet Add the code snippet that causes the issue.

Expected Behavior client_id should be used for managed identity instead of object_id
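The report above describes checking by hand, on jwt.io, which identity actually issued an IMDS token. The following is an added example, not code from the issue or from the Azure SDK: it builds the IMDS token request from the reproduction steps (selecting a user-assigned identity by either client_id or object_id) and decodes the returned JWT's payload so the identity it was issued for can be compared with the one requested. The comparison assumes the v1-style claims IMDS tokens carry, `appid` (the identity's client_id) and `oid` (its object id); the signature is not verified, since the token comes straight from the local IMDS endpoint and is only being inspected. The GUIDs and tokens below are constructed for the demo, and the check is deliberately written so that the mismatch the reporter observed (request by object_id of UAMI A, token issued for UAMI B) comes back as a failure rather than being silently accepted.

```python
"""Check which managed identity an IMDS token was actually issued for.

Added example, not part of the original issue or the Azure SDK. It assumes
the IMDS v1-style token claims: `appid` == client_id, `oid` == object id.
"""
import base64
import json
from urllib.parse import urlencode

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
KEY_VAULT_RESOURCE = "https://vault.azure.net"


def imds_token_url(resource=KEY_VAULT_RESOURCE, client_id=None, object_id=None):
    """Build the IMDS token request URL; client_id or object_id selects a UAMI.

    The actual HTTP GET must also carry the header `Metadata: true`.
    """
    if client_id and object_id:
        raise ValueError("pass either client_id or object_id, not both")
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    elif object_id:
        params["object_id"] = object_id
    return f"{IMDS_TOKEN_URL}?{urlencode(params)}"


def jwt_claims(token):
    """Decode the payload segment of a JWT (no signature verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def issued_for_requested_identity(token, client_id=None, object_id=None):
    """True only if the token's identity claims match the identity requested.

    A request by client_id is checked against `appid`; a request by object_id
    against `oid`. Anything else (missing claim, other identity) fails closed.
    """
    claims = jwt_claims(token)
    if client_id:
        return claims.get("appid") == client_id
    if object_id:
        return claims.get("oid") == object_id
    raise ValueError("no identity was requested")


# --- constructed test data (not real identities or tokens) -------------------
UAMI_A_CLIENT_ID = "11111111-1111-1111-1111-111111111111"
UAMI_A_OBJECT_ID = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
UAMI_B_CLIENT_ID = "22222222-2222-2222-2222-222222222222"
UAMI_B_OBJECT_ID = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"


def constructed_token(client_id, object_id):
    """Unsigned, constructed JWT shaped like an IMDS response (demo only)."""
    def seg(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = {"alg": "none", "typ": "JWT"}
    claims = {"aud": KEY_VAULT_RESOURCE, "appid": client_id, "oid": object_id}
    return f"{seg(header)}.{seg(claims)}.constructed-signature"


TOKEN_FROM_A = constructed_token(UAMI_A_CLIENT_ID, UAMI_A_OBJECT_ID)
TOKEN_FROM_B = constructed_token(UAMI_B_CLIENT_ID, UAMI_B_OBJECT_ID)


def demo():
    """Reproduce the reporter's two scenarios and return the check results."""
    # Requested UAMI A by object_id, but IMDS handed back a token for UAMI B.
    by_object_id = issued_for_requested_identity(TOKEN_FROM_B, object_id=UAMI_A_OBJECT_ID)
    # Requested UAMI A by client_id and got a token for UAMI A.
    by_client_id = issued_for_requested_identity(TOKEN_FROM_A, client_id=UAMI_A_CLIENT_ID)
    return {"object_id_request_matched": by_object_id,
            "client_id_request_matched": by_client_id}


if __name__ == "__main__":
    print(imds_token_url(object_id=UAMI_A_OBJECT_ID))
    print(demo())
```

In a real run, `imds_token_url(...)` is fetched with `Metadata: true`, the `access_token` field of the JSON response is passed to `issued_for_requested_identity`, and a `False` result is the signal to fail the Key Vault call rather than continue with a token belonging to a different identity.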

github-actions[bot] commented 5 months ago

@billwert @g2vinay

github-actions[bot] commented 5 months ago

Thank you for your feedback. Tagging and routing to the team member best able to assist.

joshfree commented 5 months ago

@saragluna could you help route this KV JCA github issue from @krishnamraju-pernedi? Thank you 😄

saragluna commented 5 months ago

Thanks @krishnamraju-pernedi for detailed investigation, we'll look into this.

Netyyyy commented 3 months ago

Hi @krishnamraju-pernedi, sorry for the late reply, but if you use a UAMI instead of a service principal, please change to use the following argument: -Dazure.keyvault.managed-identity=<object-id-of-your-user-managed-identity>. You can see more info here, thanks.

github-actions[bot] commented 3 months ago

Hi @krishnamraju-pernedi. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

krishnamraju-pernedi commented 3 months ago

@Netyyyy I was using the object-id of the managed identity as you suggested and the problem remained. So I raised a Microsoft support request and they suggested upgrading to workload identities, as they no longer support pod identities. So I assume the issue only occurs when using pod identities.

I also assume this library supports only pod identities and not workload identities.