
I am new to Azure. I created a small application where I have referenced one secret, JWT-SET-URI, in the application.properties file. I created the secret in Azure Key Vault.

Spring boot version: 3.1.5

Azure account: Personal Account with free (12 months)

application.properties

spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${JWT-SET-URI}
spring.cloud.azure.keyvault.secret.property-sources[0].enabled=true
spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://demo-vault.vault.azure.net/

I have also installed the Azure CLI. Once I run the az login command and then start the application, it works fine. But when the Azure CLI is not present, or I have run the az logout command, the application does not start.

My question is: is there any way I can run the application without the Azure CLI?

For reference, I have followed this document: https://learn.microsoft.com/en-us/azure/developer/java/spring-framework/configure-spring-boot-starter-java-app-with-azure-key-vault

2 Answers


  1. I tried the code below without the Azure CLI login method and retrieved the secret from the key vault with the service principal (client credentials) method.

    Code :

    SecretController.java :

    import org.springframework.beans.factory.annotation.Autowired;
    import org.springframework.web.bind.annotation.GetMapping;
    import org.springframework.web.bind.annotation.RequestMapping;
    import org.springframework.web.bind.annotation.RestController;
    
    @RestController
    @RequestMapping("/api")
    public class SecretController {
        @Autowired
        private KeyVaultService keyVaultService;
    
        @GetMapping("/secret")
        public String getSecret() {
            return keyVaultService.getSecretValue();
        }
    }
    

    KeyVaultService.java :

    import com.azure.identity.ClientSecretCredential;
    import com.azure.identity.ClientSecretCredentialBuilder;
    import com.azure.security.keyvault.secrets.SecretClient;
    import com.azure.security.keyvault.secrets.SecretClientBuilder;
    import org.springframework.beans.factory.annotation.Value;
    import org.springframework.stereotype.Service;
    
    @Service
    public class KeyVaultService {
        @Value("${azure.keyvault.vault-url}")
        private String vaultUrl;
    
        @Value("${azure.keyvault.client-id}")
        private String clientId;
    
        @Value("${azure.keyvault.client-secret}")
        private String clientSecret;
    
        @Value("${azure.keyvault.tenant-id}")
        private String tenantId;
    
        @Value("${azure.keyvault.secret-name}")
        private String secretName;
    
        public String getSecretValue() {
            ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
                    .clientId(clientId)
                    .clientSecret(clientSecret)
                    .tenantId(tenantId)
                    .build();
    
            SecretClient secretClient = new SecretClientBuilder()
                    .vaultUrl(vaultUrl)
                    .credential(clientSecretCredential)
                    .buildClient();
    
            return secretClient.getSecret(secretName).getValue();
        }
    }
    

    application.properties :

    azure.keyvault.vault-url=https://<keyvault_name>.vault.azure.net
    azure.keyvault.client-id=<app_client_id>
    azure.keyvault.client-secret=<app_client-secret>
    azure.keyvault.tenant-id=<tenant-id>
    azure.keyvault.secret-name=kamsecret
    

    Below is the secret value I have in my key vault.


    I gave access to the app to retrieve the secrets from the key vault as below:


    The code runs successfully as below:


    I retrieved the secret from the key vault in the browser as below.


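The first answer keeps the service principal's client secret inside application.properties, which works but means the credential lives in a file that is easy to commit. As an added example (not code from the question or from either answer), the POSIX shell script below shows the same "no Azure CLI" setup done the other way round: the properties file only references the service principal through `${...}` placeholders, the real values come from the `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` environment variables that Azure Identity's `EnvironmentCredential` reads (and which the Spring Cloud Azure starter picks up through its `spring.cloud.azure.credential.*` and `spring.cloud.azure.profile.tenant-id` properties), and a pre-flight check refuses to launch if a literal client secret is found in the file or any of the three variables is missing. The sample properties content is constructed; the properties path and the jar name are assumptions.

```shell
#!/bin/sh
# Added example, not part of the question or either answer.
# Pre-flight for running the Spring Boot app without the Azure CLI:
#  1. write a constructed application.properties that references the
#     service principal only through ${...} placeholders,
#  2. refuse to launch if a properties file carries a literal client secret,
#  3. check that the AZURE_* variables read by Azure Identity's
#     EnvironmentCredential are set.
# File paths and the jar name are assumptions.

# Constructed sample config: Spring Cloud Azure global credential properties,
# resolved from the environment at startup instead of stored in the file.
write_sample_properties() {
  cat > "$1" <<'EOF'
spring.security.oauth2.resourceserver.jwt.jwk-set-uri=${JWT-SET-URI}
spring.cloud.azure.keyvault.secret.property-sources[0].enabled=true
spring.cloud.azure.keyvault.secret.property-sources[0].endpoint=https://demo-vault.vault.azure.net/
spring.cloud.azure.profile.tenant-id=${AZURE_TENANT_ID}
spring.cloud.azure.credential.client-id=${AZURE_CLIENT_ID}
spring.cloud.azure.credential.client-secret=${AZURE_CLIENT_SECRET}
EOF
}

# Exit 0 if the file has an uncommented client-secret key whose value is a
# literal, i.e. anything other than empty, a ${...} placeholder or a <...> stand-in.
properties_has_literal_secret() {
  grep -E '^[[:space:]]*[^#[:space:]][^=]*client-secret[[:space:]]*=' "$1" 2>/dev/null \
    | sed 's/^[^=]*=[[:space:]]*//' \
    | grep -Ev '^(\$\{[^}]*\}|<[^>]*>)?[[:space:]]*$' >/dev/null
}

# Exit 0 when every variable EnvironmentCredential needs is set and non-empty.
check_env_credentials() {
  rc=0
  for v in AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET; do
    eval "val=\${$v:-}"
    if [ -z "$val" ]; then
      echo "preflight: $v is not set" >&2
      rc=1
    fi
  done
  return $rc
}

# Run both checks against a properties file; exit 0 only if it is safe to launch.
preflight() {
  if properties_has_literal_secret "$1"; then
    echo "preflight: $1 contains a literal client secret; move it to the environment" >&2
    return 1
  fi
  check_env_credentials
}

# Usage: sh preflight.sh --launch target/app.jar   (paths are assumptions)
if [ "${1:-}" = "--launch" ]; then
  preflight src/main/resources/application.properties || exit 1
  exec java -jar "${2:?jar path required}"
fi
```

With the three variables exported in the shell (or injected by the host, container runtime or CI runner), the starter authenticates as the service principal and the Azure CLI is never consulted; without them the script stops before the JVM starts, instead of the app failing part-way through property-source initialisation.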
  2. If you don’t need the exact secret values when running the app locally (because, for example, you have a local database with a different URL and credentials), then you can simply use a local test double to replace Azure Key Vault as well.

    This example project can tell you how the Spring integration should be done as well as how you can replace the real Azure Key Vault with the test double: https://github.com/nagyesta/lowkey-vault-example/tree/main#spring-cloud-azure-starter
