
I am new to Azure. I want to use Azure Key Vault to store secrets like passwords. I have successfully followed all the steps mentioned on the Microsoft website, and I am also able to get secrets (passwords from Key Vault) in our local environment by using the Spring Boot application.properties.

But I get a 403 Access Denied error when I try the same in Azure Cloud. It does not occur on the local Tomcat server. Please suggest how to resolve this issue.

Expected the password, but getting 403.

  • application.properties -> azure.keyvault.client-id=XXX azure.keyvault.client-key=XXX azure.keyvault.uri=https://XXX/ – surendra tomar Aug 01 '19 at 03:54
  • Does your VM/resource have access to Key Vault? If not, you have to look into "managed service identity" – Imran Arshad Aug 01 '19 at 05:01
  • I do not have "managed service identity", but without this my Spring Boot application is working fine locally, and getting secrets as well in the local environment. – surendra tomar Aug 01 '19 at 06:20
  • The reason it may be working is that you may have signed into your Azure account locally, and your IDE lets you fetch the data since you are already authenticated. – Imran Arshad Aug 01 '19 at 06:58
  • I tried the same with a local standalone Tomcat server without using the IDE and it is working there, but not on Azure Cloud. So is managed identity a must for Key Vault? – surendra tomar Aug 01 '19 at 07:16
  • @surendratomar Which document did you refer to? – Tony Ju Aug 01 '19 at 08:00
  • @Caiyi Document link - https://learn.microsoft.com/en-us/java/azure/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault?view=azure-java-stable – surendra tomar Aug 01 '19 at 08:30
  • @surendratomar Does Azure Cloud refer to Azure Web App? – Tony Ju Aug 02 '19 at 00:53
  • @surendratomar I deployed my app to azure web app and can get the secret successfully. – Tony Ju Aug 02 '19 at 08:31

2 Answers


In PowerShell, run these commands to verify that the key vault has the right access permissions.

  • Get-AzureRmKeyVault -VaultName <vault-name> and check which object IDs you see in the vault's access policies
  • Get-AzureRmADServicePrincipal -ObjectId <object-id> and check whether your service's service principal (from AAD) is the one listed there.

You can also check out this link, which I think may help you.
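As an added example (not part of the original answer), here is a PowerShell script that carries out this check end to end for the service-principal credentials used in the question's application.properties: it resolves azure.keyvault.client-id to the service principal's object ID, lists the vault's access policies, and reports whether that object ID has the secret permissions the starter needs. $VaultName and $ClientId are placeholders; it assumes the AzureRm module and an existing Login-AzureRmAccount session.

```powershell
# Added example, not from the original answer. Assumes the AzureRm module is installed
# and Login-AzureRmAccount has already been run. $VaultName is the vault named in
# azure.keyvault.uri and $ClientId is the azure.keyvault.client-id value (placeholders).
param(
    [Parameter(Mandatory = $true)] [string] $VaultName,
    [Parameter(Mandatory = $true)] [string] $ClientId
)

# client-id is the application (client) ID, but Key Vault access policies are keyed by
# the service principal's object ID, so resolve one to the other first.
$sp = Get-AzureRmADServicePrincipal -ApplicationId $ClientId
if (-not $sp) {
    throw "No service principal found for application ID $ClientId in this tenant."
}
Write-Host "Service principal '$($sp.DisplayName)' has object ID $($sp.Id)"

# List every access policy on the vault so the object IDs can be compared.
$vault = Get-AzureRmKeyVault -VaultName $VaultName
$vault.AccessPolicies | Format-Table ObjectId, DisplayName, PermissionsToSecrets -AutoSize

# Find the policy for this service principal and check that it can read secrets.
# A missing policy is the usual cause of a 403 from a deployed app whose credentials
# work locally under a different signed-in identity.
$policy = $vault.AccessPolicies | Where-Object { $_.ObjectId -eq $sp.Id }
if (-not $policy) {
    Write-Warning "No access policy for object ID $($sp.Id); the app will get 403 on every secret."
    Write-Host "Grant read access with:"
    Write-Host "  Set-AzureRmKeyVaultAccessPolicy -VaultName $VaultName -ObjectId $($sp.Id) -PermissionsToSecrets get,list"
}
elseif ($policy.PermissionsToSecrets -notcontains 'get' -or $policy.PermissionsToSecrets -notcontains 'list') {
    Write-Warning "Policy exists but lacks 'get' and/or 'list' on secrets; the Spring Boot starter needs both."
}
else {
    Write-Host "Access policy OK: secret permissions = $($policy.PermissionsToSecrets -join ',')"
}
```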