azure-managed-identity

Read Azure key vault secret through MSI in Java

橙三吉。 submitted on 2019-12-23 05:15:56
Question: I am trying to read secret in Azure Key Vault through Managed Service Identity (MSI) in Java. I want token to access the key vault through MSI. There are references available for .net to do this but did not find anything in Java. I don't want to do this through Client id/secret key or certificates. I want something in Java that is close to following .net code using Microsoft.Azure.KeyVault; using Microsoft.Azure.Services.AppAuthentication; AzureServiceTokenProvider azureServiceTokenProvider =

Azure Keyvault add Function MSI via ARM

旧时模样 submitted on 2019-12-18 16:47:43
Question: I think Managed Service Identity is a great concept and I love keyvault. However: When I use the script using an incremental resource group deployment: Sample is modified for brevity { "type": "Microsoft.KeyVault/vaults", "name": "[parameters('keyvaultName')]", "apiVersion": "2015-06-01", "properties": { "accessPolicies": [ { "objectId": "[reference(parameters('functionAppName'), '2016-08-01', 'Full').identity.principalId]", "permissions": { "keys": [], "secrets": [ "Get" ] } } ] },

MSI Permissions for Graph API

会有一股神秘感。 submitted on 2019-12-17 07:40:34
Question: My question is, do we have any documented method of granting a Managed Service Identity permissions to the Graph API as we would with an Azure App Registration in the portal? I was unable to find any PowerShell options or ability to manage permissions for the MSI service principal in the Azure Portal or documentation. I found a similar question on MSDN forums, but wanted to make sure there were not any further updates or workarounds that anybody knew of? MSDN Forum Post: https://social.msdn

Surface the application associated to a Managed Service Identity service principal in AAD app registrations

谁都会走 submitted on 2019-12-14 02:33:08
Question: I've got a service principal in Azure which was created when I turned on Managed Service Identity for one of my Azure assets. I'd like to grant permissions to this SP using the App Registrations area in the portal (I know I can do it with New-AzureADServiceAppRoleAssignment, but I'd like to create an application in this case). The Service Principal has an associated application whose guid is visible in the Enterprise Applications section of the AAD blade, but that application id isn't visible

Unable to get access to Key Vault using Azure MSI on App Service

我与影子孤独终老i submitted on 2019-12-12 10:43:07
Question: I have enabled Managed Service Identities on an App Service. However, my WebJobs seem unable to access the keys. They report: Tried the following 3 methods to get an access token, but none of them worked. Parameters: Connectionstring: [No connection string specified], Resource: https://vault.azure.net, Authority: . Exception Message: Tried to get token using Managed Service Identity. Unable to connect to the Managed Service Identity (MSI) endpoint. Please check that you are running on an

java.lang.IllegalArgumentException: Cannot create Shared Access Signature unless the Account Key credentials are used by the ServiceClient

﹥>﹥吖頭↗ submitted on 2019-12-11 04:49:05
Question: I am trying to use MSI to access Azure Blob Storage containers to generate shared access signature. But every time I am trying to access, I am getting following error: `java.lang.IllegalArgumentException: Cannot create Shared Access Signature unless the Account Key credentials are used by the ServiceClient.` I don't want to access blob storage container using credentials or AAD. Just want to use MSI, as this is the unique mode that we want to adapt in our application to access Azure resources

Azure Services Authentication Extension default tenant / subscription

﹥>﹥吖頭↗ submitted on 2019-12-10 09:54:19
Question: I'm doing local azure function development for an MSI-enabled application using Visual Studio 2017 v15.6.2 with the Azure Services Authentication Extension installed. The identity I have to work with in the target subscription has access to multiple tenants and subscriptions within those tenants. Before I installed the add-in I was able to use the Azure CLI to set the default subscription/tenant using `az account set --subscription TARGET-SUB-NAME`. `az account show` confirmed that I had selected

Referencing a Managed Service Identity in ARM-template deploy

半城伤御伤魂 submitted on 2019-12-03 11:07:12
Question: When deploying a Microsoft.Web resource with the new MSI feature the principalId GUID for the created user is visible after deployment. Screenshot below shows the structure in the ARM-template. What would be the best way to fetch this GUID later in the pipeline to be able to assign access rights in (for instance) Data Lake Store? Is it possible to use any of the existing ARM template functions to do so? Answer 1: I just struggled with this myself. The solution that worked for me was found deep in

Referencing a Managed Service Identity in ARM-template deploy

我们两清 submitted on 2019-12-03 02:36:54
When deploying a Microsoft.Web resource with the new MSI feature the principalId GUID for the created user is visible after deployment. Screenshot below shows the structure in the ARM-template. What would be the best way to fetch this GUID later in the pipeline to be able to assign access rights in (for instance) Data Lake Store? Is it possible to use any of the existing ARM template functions to do so? I just struggled with this myself. The solution that worked for me was found deep in the comments here. Essentially, you create a variable targeting the resource you are creating with the MSI

Access Key Vault from local Service Fabric cluster with MSI

≯℡__Kan透↙ submitted on 2019-11-30 15:49:11
Question: I want to access the Key Vault from my Service Fabric application via Managed Service Identity (MSI). I have enabled MSI on the virtual machine scale set in the Azure Portal and given it access to my Key Vault resource. This works like a charm up in the cloud. However, I am having problems with my local develop environment. As far as I understand, I can grant myself access to the Key Vault and run az login in Azure CLI. Alas, this doesn't work when running the application in a local Service