sigstore / cosign

Code signing and transparency for containers and binaries
Apache License 2.0

Issue creating a Key in AKV using Cosign tool #3025

Closed thangarajav closed 1 year ago

thangarajav commented 1 year ago

I am testing in Azure DevOps (ADO), where our agents are running in AWS (self-hosted EC2 instance). We have to keep the keys in Azure Key Vault, so we use a Service Principal ID to access the Azure Key Vault. Tasks:

  1. Docker Hub login (as our images are in Docker Hub for testing)
  2. Cosign installation on the agent (AWS self-hosted EC2 instance)
  3. AzureCli - to log in and to access Azure Key Vault (we use a Service Principal ID to connect)
  4. Generate key pair - `./cosign generate-key-pair --kms azurekms://.vault.azure.net/testkey`
  5. Sign the image using the generated key, which is stored in AKV
  6. Verify the image using the generated key, which is stored in AKV

But I am getting the error below:

    Error: creating key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<keyvault>.vault.azure.net/keys/testkey23/create?api-version=7.1: StatusCode=404 -- Original Error: adal: Refresh request failed. Status Code = '404'. Response body: <?xml version="1.0" encoding="iso-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <title>404 - Not Found</title>
    </head>
    <body>
    <h1>404 - Not Found</h1>
    </body>
    </html>
    Endpoint http://<IP>/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
    main.go:74: error during command execution: creating key: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<keyvault>.vault.azure.net/keys/testkey23/create?api-version=7.1: StatusCode=404 -- Original Error: adal: Refresh request failed. Status Code = '404'. Response body: <?xml version="1.0" encoding="iso-8859-1"?>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
         "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
    <head>
    <title>404 - Not Found</title>
    </head>
    <body>
    <h1>404 - Not Found</h1>
    </body>
    </html>
    Endpoint http://<IP>/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net

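
Added example, not code from the cosign project or from the reporter: a preflight for the pipeline steps above that checks the service-principal variables and the `azurekms://` key URI before cosign is invoked, so a misconfigured agent fails with a clear message instead of the token-refresh error. It assumes (not confirmed on this page) that cosign's Azure KMS client authenticates from the environment via AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET and otherwise falls back to managed identity on the link-local instance metadata endpoint shown in the error, which on an AWS EC2 host is not Azure IMDS; `parse_azurekms_uri`, `check_sp_env` and `sign_and_verify` are names chosen here.

```shell
# Added example (not cosign project code). Assumption: cosign's Azure KMS
# client reads AZURE_TENANT_ID/AZURE_CLIENT_ID/AZURE_CLIENT_SECRET and, if
# they are absent, falls back to managed identity on the instance metadata
# endpoint, which an AWS EC2 agent answers with the 404 seen in the report.
set -eu

# Split azurekms://<vault>.vault.azure.net/<key> into "host key"; fail on an
# empty vault name (as in the redacted step 4), a missing key, or another scheme.
parse_azurekms_uri() {
  uri="$1"
  case "$uri" in
    azurekms://*) ;;
    *) echo "not an azurekms:// URI: $uri" >&2; return 1 ;;
  esac
  rest="${uri#azurekms://}"
  host="${rest%%/*}"
  key="${rest#*/}"
  if [ "$host" = "$rest" ] || [ -z "$key" ]; then
    echo "expected azurekms://<vault>.vault.azure.net/<key>: $uri" >&2
    return 1
  fi
  case "$host" in
    ""|.*) echo "empty vault name in: $uri" >&2; return 1 ;;
  esac
  printf '%s %s\n' "$host" "$key"
}

# Fail fast if a service-principal variable is missing, so the SDK never
# reaches the managed-identity fallback on a non-Azure host.
check_sp_env() {
  missing=0
  for v in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "missing $v (needed for service-principal auth)" >&2
      missing=1
    fi
  done
  return "$missing"
}
# Pipeline steps 4-6 with the preflight in front; set -e aborts on the first
# failure instead of surfacing the token-refresh error later.
sign_and_verify() {
  key_uri="$1"; image="$2"
  check_sp_env
  parse_azurekms_uri "$key_uri" >/dev/null
  cosign generate-key-pair --kms "$key_uri"
  cosign sign --key "$key_uri" "$image"
  cosign verify --key "$key_uri" "$image"
}
```

Run `sign_and_verify azurekms://<vault>.vault.azure.net/<key> <image>` from the pipeline step after exporting the three AZURE_* variables from the pipeline's secret store.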
znewman01 commented 1 year ago

See https://github.com/sigstore/cosign/issues/3023