Azure Key Vault- How to use AzureCliCredential first when using spring.cloud.azure.keyvault.secret.property-sources[0].endpoint about azure-sdk-for-java HOT 33 OPEN

I've got it working using a custom/changed version KeyVaultEnvironmentPostProcessor, setting it to use CLI, using a custom prefix for the properties and adding it to spring.factories in META-INF. It's a nasty hack but best available right now. Loading takes ~10s.

from azure-sdk-for-java.

Can we confirm then that this is a bug. The fact that spring.cloud.azure.keyvault.secret.property-sources does not adhere to DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME

from azure-sdk-for-java.

@lavercr, this is because the environment processor at an earlier stage, before the default azure credential bean's initialization. To change this behavior, we need to do some refactor, but users need to register the DAC bean in another way.

from azure-sdk-for-java.

Not yet, but your contributions are welcome if you are interested

from azure-sdk-for-java.

using :
springboot 3.2.2
sring-cloud-azure-dependencies 5.9.1
JavaSE-17 (OpenJDK 21.0.1)
az cli 2.57.0
running on MacOS 14.3

from azure-sdk-for-java.

logs

 [2m2024-02-28T11:46:45.153-05:00 [0;39m  [32m INFO [0;39m  [35m34603 [0;39m  [2m--- [0;39m  [2m[           main] [0;39m  [2m [0;39m [36mm.p.s.SpringbootAzureKeyvaultApplication [0;39m  [2m: [0;39m Starting SpringbootAzureKeyvaultApplication using Java 21.0.1 with PID 34603 (/Users/lavercr/src/springboot-azure-keyvault/target/classes started by lavercr in /Users/lavercr/src/springboot-azure-keyvault)
 [2m2024-02-28T11:46:45.154-05:00 [0;39m  [32m INFO [0;39m  [35m34603 [0;39m  [2m--- [0;39m  [2m[           main] [0;39m  [2m [0;39m [36mm.p.s.SpringbootAzureKeyvaultApplication [0;39m  [2m: [0;39m No active profile set, falling back to 1 default profile: "default"
 [2m2024-02-28T11:46:45.642-05:00 [0;39m  [32m INFO [0;39m  [35m34603 [0;39m  [2m--- [0;39m  [2m[           main] [0;39m  [2m [0;39m [36mAbstractAzureServiceClientBuilderFactory [0;39m  [2m: [0;39m Will configure the default credential of type DefaultAzureCredential for class com.azure.identity.DefaultAzureCredentialBuilder.
 [2m2024-02-28T11:46:45.710-05:00 [0;39m  [32m INFO [0;39m  [35m34603 [0;39m  [2m--- [0;39m  [2m[           main] [0;39m  [2m [0;39m [36mm.p.s.SpringbootAzureKeyvaultApplication [0;39m  [2m: [0;39m Started **SpringbootAzureKeyvaultApplication in 141.667 seconds (process running for 142.235)**

from azure-sdk-for-java.

Hi @lavercr thanks for reaching out to us via this github issue. @saragluna @backwind1233 could you please follow up?

/cc @vcolin7

from azure-sdk-for-java.

Hi @lavercr , thanks for reaching out, Could help provide more info about how to use AzureCliCredential directly?

from azure-sdk-for-java.

If I create my own secretClient using AzureCliCredentialBuilder I can connect and pull passwords, but this way I have to write all the code. I would like to keep to the one liner that spring.cloud.azure.keyvault.secret.property-sources[0].endpoint gives us. This loads all the secrets and makes them available to the spring beans right away. If I do it myself it is more code, and the beans with secrets have to depend on this bean loading first. That gets messy quick.

@Configuration

public class AzureKeyVaultConfig {

    @Value("${spring.cloud.azure.keyvault.secret.uri}")
    private String keyVaultUri;

    @Bean
    SecretClient secretClient() {
        
        AzureCliCredential cliCredential = new AzureCliCredentialBuilder().build();

        // Azure SDK client builders accept the credential as a parameter.
        return new SecretClientBuilder()
           .vaultUrl(keyVaultUri)
           .credential(cliCredential)
           .buildClient();
         
    }
    
  
}

from azure-sdk-for-java.

Hi @lavercr , we don't support use AzureCliCredential directly, but you can add this code to only use AzureCliCredential for authentication.

    @Bean(name = DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME)
    TokenCredential tokenCredential( ) {
        return new AzureCliCredentialBuilder().build();
    }

from azure-sdk-for-java.

Hi, I don't understand your solution. Does this need a specific bean name ?
I put a dummy name in and it still took a long time to respond.

from azure-sdk-for-java.

can you provide a more complete example that uses

spring.cloud.azure.keyvault.secret.property-sources[0].endpoint

and

  @Bean(name = DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME)
    TokenCredential tokenCredential( ) {
        return new AzureCliCredentialBuilder().build();
    }

from azure-sdk-for-java.

Hi @lavercr , could you help provide your minimal project?

from azure-sdk-for-java.

can you provide a more complete example that uses

spring.cloud.azure.keyvault.secret.property-sources[0].endpoint

and

  @Bean(name = DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME)
    TokenCredential tokenCredential( ) {
        return new AzureCliCredentialBuilder().build();
    }

can you provide me an example with this working. where spring.cloud.azure.keyvault.secret.property-sources uses TokenCredential tokenCredential( ) {

from azure-sdk-for-java.

create a springboot application with required azure dependencies

	<dependencies>
		<dependency>
			<groupId>com.azure.spring</groupId>
			<artifactId>spring-cloud-azure-starter-keyvault</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
	</dependencies>
	<dependencyManagement>
		<dependencies>
			<dependency>
				<groupId>com.azure.spring</groupId>
				<artifactId>spring-cloud-azure-dependencies</artifactId>
				<version>5.9.1</version>
				<type>pom</type>
				<scope>import</scope>
			</dependency>
		</dependencies>
	</dependencyManagement>

add this entry into your application.properties file that points to your working key vault
spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=[Your key vault url]

Add a secret to your vault called TestSecret

Setup your main class like this

package com.mbc.poc.springbootazurekeyvault;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SpringbootAzureKeyvaultApplication implements CommandLineRunner {

    @Value("${TestSecret}")
    private String testSecret;

    public static void main(String[] args) {
        SpringApplication.run(SpringbootAzureKeyvaultApplication.class, args);
    }

    @Override
    public void run(String... args) {

        System.out.println("TestSecret: " + testSecret);
    }
    
}

Determine how to use AzureCliCredentialBuilder in the authentication options first

from azure-sdk-for-java.

create a springboot application with required azure dependencies

	<dependencies>
		<dependency>
			<groupId>com.azure.spring</groupId>
			<artifactId>spring-cloud-azure-starter-keyvault</artifactId>
		</dependency>
		<dependency>
			<groupId>org.springframework.boot</groupId>
			<artifactId>spring-boot-starter-test</artifactId>
			<scope>test</scope>
		</dependency>
	</dependencies>
	<dependencyManagement>
		<dependencies>
			<dependency>
				<groupId>com.azure.spring</groupId>
				<artifactId>spring-cloud-azure-dependencies</artifactId>
				<version>5.9.1</version>
				<type>pom</type>
				<scope>import</scope>
			</dependency>
		</dependencies>
	</dependencyManagement>

add this entry into your application.properties file that points to your working key vault spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=[Your key vault url]

Add a secret to your vault called TestSecret

Setup your main class like this

package com.mbc.poc.springbootazurekeyvault;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class SpringbootAzureKeyvaultApplication implements CommandLineRunner {

    @Value("${TestSecret}")
    private String testSecret;

    public static void main(String[] args) {
        SpringApplication.run(SpringbootAzureKeyvaultApplication.class, args);
    }

    @Override
    public void run(String... args) {

        System.out.println("TestSecret: " + testSecret);
    }
    
}

Determine how to use AzureCliCredentialBuilder in the authentication options first

OK, I update your codes, hope this can help

package com.mbc.poc.springbootazurekeyvault;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import static com.azure.spring.cloud.autoconfigure.implementation.context.AzureContextUtils.DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME;

@SpringBootApplication
public class SpringbootAzureKeyvaultApplication implements CommandLineRunner {

    @Value("${TestSecret}")
    private String testSecret;

    public static void main(String[] args) {
        SpringApplication.run(SpringbootAzureKeyvaultApplication.class, args);
    }

    @Override
    public void run(String... args) {

        System.out.println("TestSecret: " + testSecret);
    }
    
    @Bean(name = DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME)
    TokenCredential tokenCredential( ) {
        return new AzureCliCredentialBuilder().build();
    }
}

from azure-sdk-for-java.

This doesn't work for myself. We have a similar issue where development is done on Azure VMs and would like to override the Default to CLI so that property placeholders also work.

Setting the SecretClientBuilder bean to CLI works inside Application but then the KV EnvironmentPostProcessor just uses the Default.

from azure-sdk-for-java.

I agree, this still seems to be using the default. I will see if I can find any logging category I can turn on.

Started SpringbootAzureKeyvaultApplication in 148.961 seconds (process running for 149.767)

from azure-sdk-for-java.

Unable to find any logging I can turn on to give clarity to what is delaying startup. I am still assuming it is because it trys AzureCliCredential last to connect to azure key vault.

from azure-sdk-for-java.

I believe there is a bug that needs fixing
spring.cloud.azure.keyvault.secret.property-sources does not adhere to

    @Bean(name = DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME)
    TokenCredential tokenCredential( ) {
        return new AzureCliCredentialBuilder().build();
    }

from azure-sdk-for-java.

any update?

from azure-sdk-for-java.

sorry for the late response and we will take a look about that

from azure-sdk-for-java.

we need to do some refactor..
So there may be a fix coming our way ?

from azure-sdk-for-java.

we need to be able to control the order.

from azure-sdk-for-java.

@saragluna Can I have an update for this fix?

from azure-sdk-for-java.

Sorry, this update requires code refactoring, which we need more time to discuss.

from azure-sdk-for-java.

Do you have an update? This is going to be critical for our business unit in the next few months.

from azure-sdk-for-java.

any possible way to get more frequent updates? or are you able to give me a patch to work around this issue ?

from azure-sdk-for-java.

Okay. I get it. I will have to live with it or create a bandage.

from azure-sdk-for-java.

@Netyyyy I have been asked for a date of fix. Please provide. This issue is holding up a security compliancy issue at our company. If there is another place or contact we can reach out to so we can get this fixed please let me know.
Thank you

from azure-sdk-for-java.

For anyone not understanding what this is about. I am trying to get this solution to work for us.

https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault#use-spring-key-vault-propertysource

from azure-sdk-for-java.

Hi @lavercr, sorry but we can't guarantee a date for the fix, but you could create a support tickect and it will help us prioritize this issue.

from azure-sdk-for-java.

okay, do you have a link to create the support ticket, or do you mean go through some contract we have in our organization ?

from azure-sdk-for-java.