
With a managed service identity and MsRest::TokenCredentials, the Ruby SDK failed to pass the proper token to the Azure Key Vault service to get secrets out of it.

Open sjyang18 opened this issue 7 years ago • 0 comments

In the same environment, the Ruby SDK failed to get access to secrets in Azure Key Vault through the managed service identity attached to the VM, while similar code in the Python SDK does.

To reproduce this issue,

  1. Create a VM and attach a managed service identity.
  2. Set the AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID and KEY_VAULT_URI environment variables.
  3. Run the following code snippet or the attached code. I have attached my test program in Ruby and Python. The Python version works, while the Ruby version generates a 401 HTTP error.

```ruby
require 'ms_rest_azure'   # MsRest / MsRestAzure credential classes
require 'azure_key_vault' # Azure::KeyVault data-plane client

subscription_id = ENV['AZURE_SUBSCRIPTION_ID'] || '11111111-1111-1111-1111-111111111111' # your Azure Subscription Id
tenant_id = ENV['AZURE_TENANT_ID']
settings = MsRestAzure::ActiveDirectoryServiceSettings.get_azure_settings # not passed to the provider below

# Create System Assigned MSI token provider
provider = MsRestAzure::MSITokenProvider.new

puts 'before getting credentials'
credentials = MsRest::TokenCredentials.new(provider)
puts credentials.inspect
puts provider.get_authentication_header
puts 'after getting credentials'

# Create a keyvault client
#client = Azure::Resources::Mgmt::V2017_05_10::ResourceManagementClient.new(credentials)
#client.subscription_id = subscription_id

options = {
  tenant_id: tenant_id,
  subscription_id: subscription_id,
  credentials: credentials
}
#keyvault_client = Azure::KeyVault::V2015_06_01::KeyVaultClient.new(credentials, options)
#keyvault_client = Azure::KeyVault::V2016_10_01::KeyVaultClient.new(credentials, options)
keyvault_client = Azure::KeyVault::V7_0::KeyVaultClient.new(credentials, options)
#keyvault_client = Azure::KeyVault::Mgmt::V2015_06_01::KeyVaultManagementClient.new(credentials)
#keyvault_client = Azure::KeyVault::Mgmt::V2018_02_14::KeyVaultManagementClient.new(credentials)
#-->keyvault_client = Azure::KeyVault::Profiles::Latest::Mgmt::Client.new(options)
#keyvault_client.subscription_id = subscription_id

puts keyvault_client.get_secret(ENV['KEY_VAULT_URI'], 'secret', '')
```

example2.rb.txt example.py.txt

sjyang18 avatar Oct 08 '18 17:10 sjyang18
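Added diagnostic, not part of the issue or of the SDK: a stdlib-only Ruby snippet that decodes the `aud` claim of the token inside the `Bearer <jwt>` string that `provider.get_authentication_header` prints in the repro above, and checks it against the Key Vault audience. The Key Vault audience value (`https://vault.azure.net`), the ARM audience used as the SDK's default (`https://management.core.windows.net/`) and the sample tokens are assumptions constructed here; the tokens are unsigned dummies.

```ruby
require 'base64'
require 'json'

# Audience Key Vault's data plane expects in the access token (assumed value,
# not taken from the issue).
KEY_VAULT_AUDIENCE = 'https://vault.azure.net'.freeze

# Decode one base64url segment, restoring the padding that JWTs omit.
def b64url_decode(segment)
  Base64.urlsafe_decode64(segment + '=' * ((4 - segment.length % 4) % 4))
end

# Return the claims of a JWT WITHOUT verifying its signature. Client-side
# diagnostic only; the service still validates the token on every call.
def jwt_claims(token)
  parts = token.split('.')
  raise ArgumentError, 'not a JWT (expected header.payload.signature)' unless parts.length == 3
  JSON.parse(b64url_decode(parts[1]))
end

# Inspect the "Bearer <jwt>" string that provider.get_authentication_header
# returns and report whether its audience matches the Key Vault resource.
def check_key_vault_audience(auth_header, expected = KEY_VAULT_AUDIENCE)
  scheme, token = auth_header.to_s.split(' ', 2)
  return { ok: false, aud: nil, reason: 'missing Bearer scheme' } unless scheme == 'Bearer' && token
  aud = jwt_claims(token)['aud']
  norm = ->(s) { s.to_s.chomp('/') } # Azure audiences may carry a trailing slash
  if norm.call(aud) == norm.call(expected)
    { ok: true, aud: aud, reason: 'audience matches Key Vault' }
  else
    { ok: false, aud: aud, reason: "token audience is #{aud.inspect}, not #{expected}; Key Vault will answer 401" }
  end
end

# Constructed, unsigned sample token for offline use (the signature is a dummy).
def sample_token(aud)
  enc = ->(h) { Base64.urlsafe_encode64(h.to_json, padding: false) }
  header  = enc.call({ alg: 'none', typ: 'JWT' })
  payload = enc.call({ aud: aud, iss: 'https://sts.windows.net/TENANT_ID_PLACEHOLDER/' })
  "#{header}.#{payload}.dummysig"
end

if __FILE__ == $PROGRAM_NAME
  # A token minted for the ARM resource (assumed SDK default) versus one for Key Vault.
  ['https://management.core.windows.net/', KEY_VAULT_AUDIENCE].each do |aud|
    puts check_key_vault_audience("Bearer #{sample_token(aud)}")[:reason]
  end
end
```

If the check reports the ARM audience, the token provider was built with settings whose token audience is the management endpoint; handing it settings whose `token_audience` is the Key Vault resource before constructing `MSITokenProvider` is the assumed remedy (assumption about ms_rest_azure's `ActiveDirectoryServiceSettings`, not confirmed by the issue).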