[Azure Developer] AAD authentication errors encountered while using Key Vault

While accessing Key Vault from an application to retrieve key information, I ran into several authentication errors one after another. The code in use was:

    import com.azure.identity.DefaultAzureCredentialBuilder;
    import com.azure.security.keyvault.keys.KeyClient;
    import com.azure.security.keyvault.keys.KeyClientBuilder;
    import com.azure.security.keyvault.keys.models.KeyVaultKey;

    String keyVaultUrl = "https://test-xxx.vault.azure.cn/";   // vault lives in Azure China (.azure.cn)
    String keyName = "keyvault-xxx";
    KeyClient keyClient = new KeyClientBuilder()
        .vaultUrl(keyVaultUrl)
        .credential(new DefaultAzureCredentialBuilder()
            .tenantId("3c858e6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
            .managedIdentityClientId("3df5246c-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
            .build())                    // no authorityHost set: tokens are requested from global Azure AD
        .buildClient();

    KeyVaultKey key = keyClient.getKey(keyName);

Error 1:

    Error Details: AADSTS90002: Tenant '3c858e6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator

Analysis:

The Key Vault URL shows that the service is in Azure China. Azure China and global Azure are two independent cloud environments, so when the SDK signs in to Azure China it must be told which Authority Host to use; otherwise the token request goes to the global Azure AD endpoint, which does not know the tenant. The fix is to add `.authorityHost(AzureAuthorityHosts.AZURE_CHINA)` to the credential builder.

The corrected code:

    import com.azure.identity.AzureAuthorityHosts;
    import com.azure.identity.DefaultAzureCredentialBuilder;
    import com.azure.security.keyvault.keys.KeyClient;
    import com.azure.security.keyvault.keys.KeyClientBuilder;
    import com.azure.security.keyvault.keys.models.KeyVaultKey;

    String keyVaultUrl = "https://test-xxx.vault.azure.cn/";
    String keyName = "keyvault-xxx";
    KeyClient keyClient = new KeyClientBuilder()
        .vaultUrl(keyVaultUrl)
        .credential(new DefaultAzureCredentialBuilder()
            .tenantId("3c858e6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
            .authorityHost(AzureAuthorityHosts.AZURE_CHINA)   // request tokens from the Azure China authority
            .managedIdentityClientId("3df5246c-xxxx-xxxx-xxxx-xxxxxxxxxxxx")
            .build())
        .buildClient();

    KeyVaultKey key = keyClient.getKey(keyName);

Error 2:

    IntelliJ Authentication not available. Please log in with Azure Tools for IntelliJ plugin in the IDE

    Status code 403, "{"error":{"code":"Forbidden","message":"The policy requires the caller 'appid=60015a25-xxxx-xxxx-xxxx-xxxxxxxxxxxx;oid=dc107e73-xxxx-xxxx-xxxx-xxxxxxxxxxxx;iss=https://sts.chinacloudapi.cn/3c858e6a-xxxx-xxxx-xxxx-xxxxxxxxxxxx/' to use on-behalf-of (OBO) flow. For more information on OBO, please see https://go.microsoft.com/fwlink/?linkid=2152310","innererror":{"code":"ForbiddenByPolicy"}}}"

Analysis:

Access to Azure Key Vault is governed by access policies, so an Access Policy must be configured on the vault for the Client ID currently in use (3df5246c-xxxx-xxxx-xxxx-xxxxxxxxxxxx). Without it the token is accepted but the request is rejected with 403 ForbiddenByPolicy.

Error 3:

The authenticating subject is not a custom AAD registered application but a service principal (Service Principal), so authentication must use a ClientSecretCredential object rather than the default DefaultAzureCredentialBuilder.

Reference code for authenticating with ClientSecretCredential:

    import com.azure.identity.AzureAuthorityHosts;
    import com.azure.identity.ClientSecretCredential;
    import com.azure.identity.ClientSecretCredentialBuilder;
    import com.azure.security.keyvault.secrets.SecretClient;
    import com.azure.security.keyvault.secrets.SecretClientBuilder;

    /**
     * Authenticate with a client secret (service principal).
     */
    ClientSecretCredential clientSecretCredential = new ClientSecretCredentialBuilder()
        .clientId("<your client ID>")
        .clientSecret("<your client secret>")
        .tenantId("<your tenant ID>")
        .authorityHost(AzureAuthorityHosts.AZURE_CHINA)   // must match the cloud the vault is in
        .build();

    // Azure SDK client builders accept the credential as a parameter.
    // The vault suffix is .vault.azure.cn for Azure China (the docs sample uses .vault.azure.net, the global suffix).
    SecretClient client = new SecretClientBuilder()
        .vaultUrl("https://<your Key Vault name>.vault.azure.cn")
        .credential(clientSecretCredential)
        .buildClient();
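Putting the three fixes together, here is an added example (not code from the original post or from the Azure documentation) that derives the authority host from the vault URL suffix, so the token request and the vault always belong to the same cloud, and reports the 403 ForbiddenByPolicy case separately from other failures. The class and method names, the environment variable names and the Azure Government vault suffix are my assumptions.

```java
import com.azure.core.exception.HttpResponseException;
import com.azure.identity.AzureAuthorityHosts;
import com.azure.identity.ClientSecretCredential;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.models.KeyVaultKey;
import java.net.URI;

public class SovereignKeyVaultAccess {
    // Map the vault's DNS suffix to the AAD authority of the same cloud. Asking the global
    // authority for a token to a .azure.cn vault is what produced AADSTS90002 above.
    // Unknown suffixes are rejected instead of silently falling back to the public cloud.
    static String authorityHostFor(String vaultUrl) {
        String host = URI.create(vaultUrl).getHost();
        if (host == null) throw new IllegalArgumentException("bad vault URL: " + vaultUrl);
        if (host.endsWith(".vault.azure.cn")) return AzureAuthorityHosts.AZURE_CHINA;
        if (host.endsWith(".vault.azure.net")) return AzureAuthorityHosts.AZURE_PUBLIC_CLOUD;
        if (host.endsWith(".vault.usgovcloudapi.net")) return AzureAuthorityHosts.AZURE_GOVERNMENT;
        throw new IllegalArgumentException("unrecognised Key Vault suffix: " + host);
    }

    static KeyClient buildClient(String vaultUrl, String tenantId, String clientId, String secret) {
        ClientSecretCredential credential = new ClientSecretCredentialBuilder()
            .tenantId(tenantId)
            .clientId(clientId)
            .clientSecret(secret)
            .authorityHost(authorityHostFor(vaultUrl))   // authority and vault in one cloud
            .build();
        return new KeyClientBuilder().vaultUrl(vaultUrl).credential(credential).buildClient();
    }

    public static void main(String[] args) {
        // Placeholder vault URL (assumed); tenant, client id and secret come from the environment.
        String vaultUrl = System.getenv().getOrDefault("KEY_VAULT_URL", "https://test-xxx.vault.azure.cn/");
        KeyClient client = buildClient(vaultUrl, System.getenv("AZURE_TENANT_ID"),
                System.getenv("AZURE_CLIENT_ID"), System.getenv("AZURE_CLIENT_SECRET"));
        try {
            KeyVaultKey key = client.getKey("keyvault-xxx");
            System.out.println("key id: " + key.getId());
        } catch (HttpResponseException e) {
            // 403 ForbiddenByPolicy: the token was accepted but the caller has no access policy
            // or role on the vault, so the fix is on the vault, not in the credential.
            if (e.getResponse() != null && e.getResponse().getStatusCode() == 403) {
                System.err.println("Forbidden by vault policy: " + e.getMessage());
            } else throw e;
        }
    }
}
```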

References:

Client secret credential: https://docs.microsoft.com/en-us/azure/developer/java/sdk/identity-service-principal-auth#client-secret-credential

Authenticate Azure-hosted Java applications: https://docs.microsoft.com/zh-cn/azure/developer/java/sdk/identity-azure-hosted-auth

When facing a problem in a complex environment, the way to get to the bottom of things is: let what is turbid be still and it slowly clears; let what is settled be stirred and it slowly comes to life. In the cloud, it is just so!

Original article: https://www.cnblogs.com/lulight/p/15386333.html