I’m trying to reproduce the same result as described in the Microsoft Document https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad
I have a VM with system assigned managed identity and a key vault where I have granted the permission of "Key Vault Secrets User" to the VM system assigned managed identity.
When trying to retrieve a secret from the key vault I get the error:
* Connection #0 to host redacted.vault.azure.net left intact
{"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error validating token: 'S2S12005'."}}
The commands I’m using:
ACCESS_TOKEN=$(curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true | jq .access_token)
curl -v 'https://redacted.vault.azure.net/secrets/secret?api-version=2016-10-01' -H "Authorization: Bearer ${ACCESS_TOKEN}"
Output:
* Trying 192.168.1.100:443...
* TCP_NODELAY set
* Connected to redacted.vault.azure.net (192.168.1.100) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server accepted to use h2
* Server certificate:
* subject: C=US; ST=WA; L=Redmond; O=Microsoft Corporation; CN=vault.azure.net
* start date: Aug 1 00:09:59 2023 GMT
* expire date: Jun 27 23:59:59 2024 GMT
* subjectAltName: host "redacted.vault.azure.net" matched cert's "*.vault.azure.net"
* issuer: C=US; O=Microsoft Corporation; CN=Microsoft Azure TLS Issuing CA 05
* SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x55b99339d300)
> GET /secrets/secret?api-version=2016-10-01 HTTP/2
> Host: redacted.vault.azure.net
> user-agent: curl/7.68.0
> accept: */*
> authorization: Bearer "redacted"
>
* Connection state changed (MAX_CONCURRENT_STREAMS == 100)!
< HTTP/2 401
< cache-control: no-cache
< pragma: no-cache
< content-length: 111
< content-type: application/json; charset=utf-8
< expires: -1
< www-authenticate: Bearer authorization="https://login.microsoftonline.com/38ae3bcd-9579-4fd4-adda-b42e1495d55a", resource="https://vault.azure.net"
< x-ms-keyvault-region: germanywestcentral
< x-ms-request-id: e8e664e8-7266-476d-8412-844887a779a5
< x-ms-keyvault-service-version: 1.9.950.1
< x-ms-keyvault-network-info: conn_type=PrivateLink;subnet=/subscriptions/redacted/resourcegroups/resourcegroup/providers/microsoft.network/virtualnetworks/vnet-dev/subnets/build;private_endpoint=/subscriptions/redacted/resourceGroups/resourcegroup/providers/Microsoft.Network/privateEndpoints/pep-keyvault-dev;addr=192.168.1.100;act_addr_fam=InterNetworkV6;
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000;includeSubDomains
< date: Tue, 05 Sep 2023 08:55:54 GMT
<
* Connection #0 to host redacted.vault.azure.net left intact
{"error":{"code":"Unauthorized","message":"[BearerReadAccessTokenFailed] Error validating token: 'S2S12005'."}}
2 Answers
Created a Linux virtual machine and a Key Vault. In the Key Vault, check the resource access and add access policies to the user like below:
Created a secret:
In the Linux virtual machine, under Identity, set the system assigned status to ON and save like below:
Now in the Key Vault, make sure to add this VM in the access policy like below:
In Key Vault -> Access policies -> Create -> in Permissions, select all.
In Principal, search the VM name as the service principal, select it, then Next and Create.
Connected to the VM with the SSH client and used the below CURL request.
Now use this access token to authenticate to Azure Key Vault; I got the result successfully, like below:
Make sure to replace <your-key-vault-name> and <your-secret-name> with the actual names of your Key Vault and secret.

From your Curl requests, I noticed that you used jq .access_token within your ACCESS_TOKEN variable, which could be causing the BearerReadAccessTokenFailed error. To resolve this you should be able to use the following commands.
The CURL request for the access token:
# -s suppresses curl's progress meter so only the JSON body is captured
kv_access_token=$(curl -s 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net' -H Metadata:true)
Creating a variable and storing the access token from the previous request:
# -j prints the raw string with no quotes and no trailing newline, so the
# header becomes "Bearer eyJ..." rather than Bearer "eyJ..." (the quoted form
# is what plain `jq .access_token` produces). `jq -r .access_token` works too.
ACCESS_TOKEN=$(jq -jn "$kv_access_token|.access_token")
Optional echo to see if the access token was stored/retrieved correctly – https://jwt.ms/
# The token grants access to the vault; do not leave this echo in scripts or logs.
echo 'The access token is '$ACCESS_TOKEN
CURL request for how to read a secret from Key Vault:
curl -v 'https://vaultName.vault.azure.net/secrets/testSecret?api-version=2016-10-01' -H "Authorization: Bearer ${ACCESS_TOKEN}"
I hope this helps!
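The telltale sign in the question's verbose output is the line `authorization: Bearer "redacted"`: the double quotes around the token are exactly what `jq .access_token` (without `-r`) prints, and Key Vault rejects the result as malformed. The script below is an added example, not code from the question or either answer, written in Python rather than curl/jq so it runs offline. It emulates both jq invocations, builds the Authorization header from each, and runs the checks a practitioner would want before blaming the access policy: bare JWT shape, `aud` matching the resource requested from IMDS, and `exp` in the future. It also parses the `www-authenticate` challenge shape shown in the question's 401 response. The IMDS response and the JWT inside it are constructed here (unsigned, `alg=none`) and would never be accepted by a real vault; `make_fake_jwt` exists only to produce that test input.

```python
"""Sanity-check a managed-identity token before sending it to Key Vault.

Added example, not code from the question or answers above. The IMDS
response and the JWT inside it are constructed here (unsigned, alg=none)
so the script runs offline; a real vault would reject such a token.
"""
import base64
import json
import time

KEY_VAULT_RESOURCE = "https://vault.azure.net"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_fake_jwt(claims: dict) -> str:
    """Build an unsigned JWT purely as test input (hypothetical helper)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def extract_token(imds_body: str, raw_output: bool) -> str:
    """Emulate `jq -r .access_token` (raw_output=True) vs `jq .access_token`.

    Without -r, jq prints the value as a JSON string literal, double quotes
    included, and those quotes end up inside the Authorization header.
    """
    token = json.loads(imds_body)["access_token"]
    return token if raw_output else json.dumps(token)


def build_auth_header(token: str) -> dict:
    return {"Authorization": f"Bearer {token}"}


def check_bearer_token(token: str, resource: str = KEY_VAULT_RESOURCE, now=None) -> list:
    """Return a list of problems; an empty list means the token looks usable."""
    problems = []
    if token.startswith('"') or token.endswith('"'):
        problems.append("token is wrapped in double quotes (jq without -r?)")
        token = token.strip('"')
    parts = token.split(".")
    if len(parts) != 3:
        problems.append(f"expected 3 JWT segments, got {len(parts)}")
        return problems
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:
        problems.append("payload segment is not base64url-encoded JSON")
        return problems
    aud = claims.get("aud")
    if aud != resource:
        problems.append(f"aud is {aud!r}, expected {resource!r} (check resource= in the IMDS request)")
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if not isinstance(exp, (int, float)) or exp < now:
        problems.append("token is missing exp or has expired")
    return problems


def parse_www_authenticate(header_value: str) -> dict:
    """Parse the Bearer challenge Key Vault sends with a 401, e.g.
    Bearer authorization="https://login.microsoftonline.com/<tenant>", resource="https://vault.azure.net"
    """
    scheme, _, params = header_value.partition(" ")
    if scheme != "Bearer":
        raise ValueError(f"unexpected auth scheme {scheme!r}")
    challenge = {}
    for item in params.split(","):
        key, _, value = item.strip().partition("=")
        challenge[key] = value.strip('"')
    return challenge


# Constructed sample IMDS response; same shape as the real one, fake token.
SAMPLE_IMDS_RESPONSE = json.dumps({
    "access_token": make_fake_jwt({
        "aud": KEY_VAULT_RESOURCE,
        "iss": "https://sts.windows.net/00000000-0000-0000-0000-000000000000/",
        "exp": 4102444800,   # 2100-01-01, so the sample never expires
    }),
    "expires_in": "86399",
    "resource": KEY_VAULT_RESOURCE,
    "token_type": "Bearer",
})


if __name__ == "__main__":
    for raw in (False, True):
        token = extract_token(SAMPLE_IMDS_RESPONSE, raw_output=raw)
        header = build_auth_header(token)["Authorization"]
        print(f"jq {'-r ' if raw else ''}.access_token -> {header[:24]}...")
        print("  problems:", check_bearer_token(token) or "none")
```

Run it once and the quoted variant reports the double-quote problem while the raw variant reports none. In practice, the `aud` check is the one to keep handy: an identity with the right role still gets a 401 if the token was minted for a different `resource=`, and `check_bearer_token` reports that case as well.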