sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Issue creating a Key in AKV using Cosign tool #3023

Open thangarajav opened 1 year ago

thangarajav commented 1 year ago

I am testing in Azure DevOps (ADO), where our agents are running in AWS (self-hosted EC2 instance). We have to keep the keys in Azure Key Vault, so we use a Service Principal ID to access the Azure Key Vault. Tasks:

  1. Docker Hub login (as our images are in Docker Hub for testing)
  2. Cosign installation in the agent (AWS self-hosted EC2 instance)
  3. AzureCli - to log in and to access Azure Key Vault (we use a Service Principal ID to connect)
  4. Generate key pairs - `./cosign generate-key-pair --kms azurekms://.vault.azure.net/testkey`
  5. Sign the image using the generated key which is stored in AKV
  6. Verify the image using the generated key which is stored in AKV

But I am getting the below error:

```
Error: creating key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<keyvault>.vault.azure.net/keys/testkey23/create?api-version=7.1: StatusCode=404 -- Original Error: adal: Refresh request failed. Status Code = '404'. Response body: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>404 - Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
</body>
</html>
Endpoint http://<IP>/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
main.go:74: error during command execution: creating key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<keyvault>.vault.azure.net/keys/testkey23/create?api-version=7.1: StatusCode=404 -- Original Error: adal: Refresh request failed. Status Code = '404'. Response body: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>404 - Not Found</title>
</head>
<body>
<h1>404 - Not Found</h1>
</body>
</html>
Endpoint http://<IP>/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
```
thangarajav commented 1 year ago

I am able to create keys using the Azure CLI command from the pipeline using the same Service Principal ID, whereas I was not able to create them using `./cosign generate-key-pair --kms azurekms://.vault.azure.net/testkey`.
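A preflight check for the failure quoted above, added here as an example and not part of cosign or the reporter's pipeline. It assumes cosign's Azure KMS client authenticates through go-autorest's environment authorizer (the `adal`/`BearerAuthorizer` path named in the error), which reads `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` and otherwise falls back to the instance-metadata endpoint shown in the error; `azure_sp_env_check`, `classify_cosign_error`, `preflight_azure_kms` and the sample string are constructed for this example.

```shell
#!/bin/sh
# Added preflight helper (not cosign's own code). The adal/BearerAuthorizer
# names in the error belong to go-autorest, whose environment authorizer reads
# the AZURE_* variables below and, when none are set, falls back to the VM
# managed-identity endpoint http://169.254.169.254/metadata/identity/... On an
# AWS EC2 agent that address is AWS's metadata service, which answers 404.

# Report which service-principal variables the environment authorizer needs
# but does not have. Returns 0 when all three are present, 1 otherwise.
azure_sp_env_check() {
  missing=""
  [ -n "${AZURE_TENANT_ID:-}" ]     || missing="$missing AZURE_TENANT_ID"
  [ -n "${AZURE_CLIENT_ID:-}" ]     || missing="$missing AZURE_CLIENT_ID"
  [ -n "${AZURE_CLIENT_SECRET:-}" ] || missing="$missing AZURE_CLIENT_SECRET"
  if [ -n "$missing" ]; then
    echo "missing:$missing" >&2
    return 1
  fi
  return 0
}

# Classify a cosign error string: "imds-404" is the signature in this issue
# (token refresh went to the instance-metadata endpoint and got a 404).
classify_cosign_error() {
  case "$1" in
    *"/metadata/identity/oauth2/token"*)
      case "$1" in
        *"Status Code = '404'"*) echo imds-404 ;;
        *) echo imds-other ;;
      esac ;;
    *) echo other ;;
  esac
}

# Run before `cosign generate-key-pair --kms azurekms://...` on a non-Azure
# host; returns non-zero with an explanation instead of letting cosign probe IMDS.
preflight_azure_kms() {
  if azure_sp_env_check; then
    echo "service-principal credential present in environment"
    return 0
  fi
  echo "cosign would fall back to the Azure instance-metadata endpoint," >&2
  echo "which only exists on Azure VMs; export the AZURE_* variables first" >&2
  return 1
}

# Constructed sample, condensed from the error text quoted in this issue.
SAMPLE_ERR="Error: creating key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<keyvault>.vault.azure.net/keys/testkey23/create?api-version=7.1: StatusCode=404 -- Original Error: adal: Refresh request failed. Status Code = '404'. Response body: <h1>404 - Not Found</h1> Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net"
echo "sample error classified as: $(classify_cosign_error "$SAMPLE_ERR")"
```

Source the file in the pipeline step that runs cosign and call `preflight_azure_kms` first; a `missing:` line names exactly which credential variables the agent lacks.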