Azure Key Vault- How to use AzureCliCredential first when using spring.cloud.azure.keyvault.secret.property-sources[0].endpoint #38995
Comments
using : |
logs
|
Hi @lavercr thanks for reaching out to us via this github issue. @saragluna @backwind1233 could you please follow up? /cc @vcolin7 |
Hi @lavercr , thanks for reaching out, Could help provide more info about how to use |
If I create my own secretClient using AzureCliCredentialBuilder I can connect and pull passwords, but this way I have to write all the code. I would like to keep to the one liner that spring.cloud.azure.keyvault.secret.property-sources[0].endpoint gives us. This loads all the secrets and makes them available to the spring beans right away. If I do it myself it is more code, and the beans with secrets have to depend on this bean loading first. That gets messy quick.
|
Hi @lavercr , we don't support use

```java
@Bean(name = DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME)
TokenCredential tokenCredential() {
    return new AzureCliCredentialBuilder().build();
}
```
|
Hi, I don't understand your solution. Does this need a specific bean name ? |
can you provide a more complete example that uses
and
|
Hi @lavercr , could you help provide your minimal project? |
can you provide me an example with this working. where |
create a springboot application with required azure dependencies
add this entry into your application.properties file that points to your working key vault Add a secret to your vault called TestSecret Setup your main class like this
Determine how to use AzureCliCredentialBuilder in the authentication options first |
OK, I updated your code, hope this can help

```java
package com.mbc.poc.springbootazurekeyvault;

import com.azure.core.credential.TokenCredential;
import com.azure.identity.AzureCliCredentialBuilder;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.CommandLineRunner;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.context.annotation.Bean;

import static com.azure.spring.cloud.autoconfigure.implementation.context.AzureContextUtils.DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME;

@SpringBootApplication
public class SpringbootAzureKeyvaultApplication implements CommandLineRunner {

    // Resolved from the Key Vault property source
    @Value("${TestSecret}")
    private String testSecret;

    public static void main(String[] args) {
        SpringApplication.run(SpringbootAzureKeyvaultApplication.class, args);
    }

    @Override
    public void run(String... args) {
        System.out.println("TestSecret: " + testSecret);
    }

    // Registers an Azure CLI credential under the default token credential bean name
    @Bean(name = DEFAULT_TOKEN_CREDENTIAL_BEAN_NAME)
    TokenCredential tokenCredential() {
        return new AzureCliCredentialBuilder().build();
    }
}
```
|
This doesn't work for myself. We have a similar issue where development is done on Azure VMs and would like to override the Default to CLI so that property placeholders also work. Setting the SecretClientBuilder bean to CLI works inside Application but then the KV EnvironmentPostProcessor just uses the Default. |
I agree, this still seems to be using the default. I will see if I can find any logging category I can turn on.
|
Unable to find any logging I can turn on to give clarity to what is delaying startup. I am still assuming it is because it tries AzureCliCredential last to connect to azure key vault. |
I believe there is a bug that needs fixing
|
I've got it working using a custom/changed version KeyVaultEnvironmentPostProcessor, setting it to use CLI, using a custom prefix for the properties and adding it to spring.factories in META-INF. It's a nasty hack but best available right now. Loading takes ~10s. |
Can we confirm then that this is a bug. The fact that |
any update? |
sorry for the late response and we will take a look about that |
@lavercr, this is because the environment processor at an earlier stage, before the default azure credential bean's initialization. To change this behavior, we need to do some refactor, but users need to register the DAC bean in another way. |
we need to do some refactor.. |
we need to be able to control the order. |
@saragluna Can I have an update for this fix? |
Sorry, this update requires code refactoring, which we need more time to discuss. |
Do you have an update? This is going to be critical for our business unit in the next few months. |
any possible way to get more frequent updates? or are you able to give me a patch to work around this issue ? |
Not yet, but your contributions are welcome if you are interested |
Okay. I get it. I will have to live with it or create a bandage. |
@Netyyyy I have been asked for a date of fix. Please provide. This issue is holding up a security compliancy issue at our company. If there is another place or contact we can reach out to so we can get this fixed please let me know. |
For anyone not understanding what this is about. I am trying to get this solution to work for us. |
Hi @lavercr, sorry but we can't guarantee a date for the fix, but you could create a support ticket and it will help us prioritize this issue. |
okay, do you have a link to create the support ticket, or do you mean go through some contract we have in our organization ? |
any progress ?? |
Sorry for the late response, I just created #41580 to fix this issue. With this change, you might need to modify your application as the following to register a

```java
public static void main(String[] args) {
    SpringApplication application = new SpringApplication(PropertySourceApplication.class);
    application.addBootstrapRegistryInitializer(registry ->
        registry.register(TokenCredential.class, context -> new AzureCliCredentialBuilder().build()));
    application.run(args);
}
```

This is a straightforward fix for this issue, but we may plan to provide finer grained configuration properties to configure the credential type for a component. |
Discussed in #38982
regarding this
https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault#use-spring-key-vault-propertysource
Issue with spring-cloud-azure-starter-keyvault 5.9.1
Originally posted by lavercr February 28, 2024
There is a really large delay when using spring.cloud.azure.keyvault.secret.property-sources[0].endpoint
The delay is more than 2 mins.
When I do this using AzureCliCredential directly my spring boot app loads and finds the key in seconds. How can I configure spring.cloud.azure.keyvault.secret.property-sources[0].endpoint to only use AzureCliCredential for authentication.