With a managed service identity and MsRest::TokenCredentials, the Ruby SDK failed to pass the proper token to the Azure Key Vault service to get secrets out of it.
In the same environment, the Ruby SDK failed to get access to secrets on Azure Key Vault through the managed service identity attached to the VM, while the similar code in the Python SDK does.
To reproduce this issue:
- Create a VM and attach a managed service identity.
- Set the AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID and KEY_VAULT_URI environment variables.
- Run the following code snippet or the attached code. I have attached my test programs in Ruby and Python. The Python version works, while the Ruby version generates a 401 HTTP error.
```ruby
require 'ms_rest_azure'
require 'azure_key_vault'

subscription_id = ENV['AZURE_SUBSCRIPTION_ID'] || '11111111-1111-1111-1111-111111111111' # your Azure Subscription Id
tenant_id = ENV['AZURE_TENANT_ID']
settings = MsRestAzure::ActiveDirectoryServiceSettings.get_azure_settings

# Create System Assigned MSI token provider
provider = MsRestAzure::MSITokenProvider.new

puts 'before getting credentials'
credentials = MsRest::TokenCredentials.new(provider)
puts credentials.inspect
puts provider.get_authentication_header
puts 'after getting credentials'

# Create a keyvault client
#client = Azure::Resources::Mgmt::V2017_05_10::ResourceManagementClient.new(credentials)
#client.subscription_id = subscription_id

options = {
  tenant_id: tenant_id,
  subscription_id: subscription_id,
  credentials: credentials
}
#keyvault_client = Azure::KeyVault::V2015_06_01::KeyVaultClient.new(credentials, options)
#keyvault_client = Azure::KeyVault::V2016_10_01::KeyVaultClient.new(credentials, options)
keyvault_client = Azure::KeyVault::V7_0::KeyVaultClient.new(credentials, options)
#keyvault_client = Azure::KeyVault::Mgmt::V2015_06_01::KeyVaultManagementClient.new(credentials)
#keyvault_client = Azure::KeyVault::Mgmt::V2018_02_14::KeyVaultManagementClient.new(credentials)
#-->keyvault_client = Azure::KeyVault::Profiles::Latest::Mgmt::Client.new(options)
#keyvault_client.subscription_id = subscription_id

puts keyvault_client.get_secret(ENV['KEY_VAULT_URI'], 'secret', '')
```