This sample shows how to access Key Vault with a managed identity in Azure Spring Apps.
You need to include ManagedIdentityCredentialBuilder and SecretClientBuilder in your code. In this sample project, refer to MainController.java.
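The controller wiring the text refers to, written here as an added example and not the sample's own MainController.java. It assumes the Key Vault URI is read from an application.properties key named azure.keyvault.uri (the property name is assumed), the package name is arbitrary, and the Maven dependencies azure-identity and azure-security-keyvault-secrets plus spring-boot-starter-web are on the classpath. The two endpoints match the curl calls in the verification step and the two permissions (get, set) granted in the set-policy step.

```java
package com.example.keyvault;

import com.azure.core.credential.TokenCredential;
import com.azure.core.exception.ResourceNotFoundException;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.PutMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;
import org.springframework.web.server.ResponseStatusException;

@RestController
public class MainController {

    private final SecretClient secretClient;

    // "azure.keyvault.uri" is an assumed property key; the sample's
    // application.properties may name it differently.
    public MainController(@Value("${azure.keyvault.uri}") String keyVaultUri) {
        // No client secret or certificate is configured anywhere: the token is
        // obtained from the system-assigned managed identity of the app, so the
        // jar and the configuration contain nothing that can be leaked or rotated.
        TokenCredential credential = new ManagedIdentityCredentialBuilder().build();
        this.secretClient = new SecretClientBuilder()
                .vaultUrl(keyVaultUri)
                .credential(credential)
                .buildClient();
    }

    // PUT /secrets/{name}?value=... requires the "set" secret permission.
    @PutMapping("/secrets/{name}")
    public String setSecret(@PathVariable String name, @RequestParam String value) {
        KeyVaultSecret stored = secretClient.setSecret(name, value);
        return "Stored secret '" + stored.getName()
                + "' (version " + stored.getProperties().getVersion() + ")";
    }

    // GET /secrets/{name} requires the "get" secret permission.
    @GetMapping("/secrets/{name}")
    public String getSecret(@PathVariable String name) {
        try {
            return secretClient.getSecret(name).getValue();
        } catch (ResourceNotFoundException e) {
            // Key Vault answers 404 for an unknown secret; return 404 to the
            // caller instead of letting it surface as a 500.
            throw new ResponseStatusException(HttpStatus.NOT_FOUND, "No secret named " + name);
        }
    }
}
```

Because the policy in the set-policy step grants only get and set, any other operation the identity attempts (list, delete, purge) is refused by Key Vault, which is the access boundary to check in the vault's diagnostic logs if the app misbehaves. Note also that these endpoints return secret values to whoever can reach the app's public URL; that is the sample's verification flow, not a pattern for a production service.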
- JDK 8
- Maven 3.0 and above
- Azure CLI or Azure Cloud Shell
- An existing Key Vault. If you need to create a Key Vault, you can use the Azure Portal or Azure CLI
- Run the following after specifying the URI of your Key Vault in application.properties.

```sh
mvn clean package
```

- Install the Azure CLI extension for Azure Spring Apps by running the command below.

```sh
az extension add -y --source https://azureclitemp.blob.core.windows.net/spring-cloud/spring_cloud-0.1.0-py2.py3-none-any.whl
```
- Create an instance of Azure Spring Apps.
```sh
az spring-cloud create -n <resource name> -g <resource group name>
```
- Create an app with a public domain assigned.

```sh
az spring-cloud app create -n <app name> -s <resource name> -g <resource group name> --is-public true
```
- Enable the system-assigned managed identity for your app and take note of the principal id from the command output.

```sh
az spring-cloud app identity assign -n <app name> -s <resource name> -g <resource group name>
```
- Grant the system-assigned managed identity permission on the Key Vault (only the get and set secret permissions the sample needs).

```sh
az keyvault set-policy -n <keyvault name> -g <resource group of keyvault> --secret-permissions get set --object-id <principal-id-you-got-in-step5>
```
- Deploy the app with the jar.

```sh
az spring-cloud app deploy -n <app name> -s <resource name> -g <resource group name> --jar-path ./target/asc-managed-identity-keyvault-sample-0.1.0.jar
```
- Verify the app is running. Instances should have status RUNNING and discoveryStatus UP.

```sh
az spring-cloud app show -n <app name> -s <resource name> -g <resource group name>
```
- Verify the sample is working. The url is taken from the output of the previous step.

```sh
# Create a secret in Key Vault
curl -X PUT {url}/secrets/{secret-name}?value={value}

# Get the value of the secret-name you just created
curl {url}/secrets/{secret-name}
```