microsoft / azure-load-testing

MIT License

Azure Load Test is not recognized as a trusted resource to bypass Key Vault firewall #117

Closed cathalmchale closed 3 months ago

cathalmchale commented 1 year ago

Describe the bug

Azure Load Test can access Key Vault only if it is set up to allow access from All public networks. If Key Vault chooses to limit public access to specific vnets, then Load Test can no longer fetch secrets. This is true even when the "allow trusted Microsoft services" option is selected:

image

To Reproduce

Steps to reproduce the behavior:

  1. Set up two Key Vault instances - one that allows access to all public networks and one that limits access to specific vnets.
  2. Add an access policy to both Key Vault instances to allow Secret Get - use the same managed identity in both cases.
  3. Create a Load Testing instance. Configure the Identity as User managed and set the identity to the same added to the Key Vault access policy.
  4. Create a test that injects a secret. I set the value to the URL of the more private Key Vault secret.
  5. Run the test - observe that when you leave the value pointing to the more private Key Vault, it fails to start the test, but when you change the value to the more public Key Vault it runs successfully.

Expected behavior

Should be able to access the more private Key Vault - either by being able to specify a vnet when creating the Load Testing instance, or by having Azure Load Testing be a "trusted Microsoft resource" that can still gain access to the Key Vault.

Screenshots

Private vs Public Key Vault. As in steps to repro, the access policies in both Key Vaults are the same, using the same identity. Then the same Load Test is used to trigger a success and a failure, varying only the URL of the Key Vault secret.

image

The more private Key Vault looks like this:

image

image

Additional context

Have tried with both User managed and System managed identities.

AB#1665865

Sachid26 commented 1 year ago

Hi @cathalmchale, currently this is not supported by the service, and we have added this to our backlog. We will report back once we implement this.

karkavi980 commented 1 year ago

Hi @Sachid26 - any update on this feature? Is there any workaround?

karkavi980 commented 1 year ago

Hi - Any update on this feature? Is there any workaround?

markditianquin commented 12 months ago

Bump... Any update?

denhsu commented 11 months ago

Bump... Any update?

ffurrer2 commented 10 months ago

Bump... Any update?

BlauerPulli commented 10 months ago

Bump... Any update?

sulabh-msft commented 3 months ago

The Azure Load Testing service now supports Azure key vaults behind a firewall or a private virtual network.

https://learn.microsoft.com/en-nz/azure/load-testing/how-to-parameterize-load-tests#create-a-secret-in-azure-key-vault

If you restricted access to your Azure key vault by a firewall or virtual networking, follow these steps to grant access to trusted Azure services.

sulabh-msft commented 3 months ago

@Nagarjuna-Vipparthi Can we close the issue now?

karkavi980 commented 3 months ago

Sure

On Mon, Apr 8, 2024, 10:47 Sulabh Upadhyay @.***> wrote:

> @Nagarjuna-Vipparthi Can we close the issue now?


Nagarjuna-Vipparthi commented 3 months ago

Requested feature is now supported. Closing the issue.
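
The firewall settings discussed in this thread can be audited from the `networkAcls` block that `az keyvault show` returns. The following is an added example, not code from the thread or from the azure-load-testing project: it classifies vaults as open, firewalled with the trusted-services bypass, or firewalled without it. The vault names and rule values are constructed, and treating a missing field as `Allow` / `AzureServices` is an assumption about the resource defaults; the check covers network reachability only, not access policies.

```python
import json

# Constructed sample: the network portion of `az keyvault show` output for
# three hypothetical vaults (public, private with bypass, private without).
SAMPLE_VAULTS = json.loads("""
[
  {"name": "kv-public-example",
   "properties": {"networkAcls": {"defaultAction": "Allow", "bypass": "None"}}},
  {"name": "kv-private-example",
   "properties": {"networkAcls": {
       "defaultAction": "Deny", "bypass": "AzureServices",
       "ipRules": [{"value": "203.0.113.0/24"}],
       "virtualNetworkRules": [{"id": "<subnet-resource-id>"}]}}},
  {"name": "kv-locked-example",
   "properties": {"networkAcls": {"defaultAction": "Deny", "bypass": "None"}}}
]
""")

def firewall_posture(vault):
    """Summarise a vault's firewall settings from its networkAcls block."""
    acls = (vault.get("properties") or {}).get("networkAcls") or {}
    # Assumption: a missing field means the default (Allow / AzureServices).
    default_action = (acls.get("defaultAction") or "Allow").lower()
    bypass = (acls.get("bypass") or "AzureServices").lower()
    return {
        "name": vault.get("name"),
        "restricted": default_action == "deny",
        "trusted_bypass": bypass == "azureservices",
        "allowed_subnets": [r["id"] for r in acls.get("virtualNetworkRules") or []],
        "allowed_ips": [r["value"] for r in acls.get("ipRules") or []],
    }

def trusted_service_path_open(vault):
    """True if the firewall is off, or on with the trusted-services bypass."""
    p = firewall_posture(vault)
    return (not p["restricted"]) or p["trusted_bypass"]

def audit(vaults):
    """Return (name, finding) pairs for a list of vault descriptions."""
    findings = []
    for v in vaults:
        p = firewall_posture(v)
        if not p["restricted"]:
            finding = "open to all public networks"
        elif p["trusted_bypass"]:
            finding = "firewalled, trusted services allowed"
        else:
            finding = "firewalled, trusted services blocked"
        findings.append((p["name"], finding))
    return findings
```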