
Issue in accessing AKV using spring cloud recent version


Query/Question: I am using Spring Cloud to access secrets from AKV using a pfx certificate. However, when trying to do that I am getting an error “PEM certificate provided does not contain -----BEGIN CERTIFICATE-----END CERTIFICATE----- block”

My YAML section for AKV looks like this,

spring:
    lifecycle:
        timeout-per-shutdown-phase: 60s
    cloud:
        azure:
            keyvault:
                secret:
                    property-sources:
                      - endpoint: https://someAKV.site/

In environment variables I have the following:

  • AZURE_CLIENT_ID
  • AZURE_TENANT_ID = dfsdfgdsg
  • AZURE_CLIENT_CERTIFICATE_PATH = test.pfx
  • AZURE_CLIENT_CERTIFICATE_PASSWORD=somepassword

When I try to start my application I get this error: “PEM certificate provided does not contain -----BEGIN CERTIFICATE-----END CERTIFICATE----- block”

This is weird because I am using the same pfx with password on another project with an older Spring Boot version where everything works. How do we implement using PFX and a password on recent versions?

Why is this not a Bug or a Feature Request? This is not a bug or a feature request, as I think it's some misunderstanding of a setting.

Setup (please complete the following information if applicable):

  • OS: IOS
  • IDE: IntelliJ
  • Library/Libraries: Spring Boot 2.7.2, Spring Cloud 2021.0.3

Information Checklist: Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Query Added
  • Setup information Added

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 6 (3 by maintainers)

Top GitHub Comments

moarychan commented, Aug 31, 2022

Hi @bhattacharyyasom, the latest code in the main branch has fixed this issue: https://github.com/Azure/azure-sdk-for-java/blob/4a53adf6274ced5af8243983042b5e32bac85bd7/sdk/identity/azure-identity/src/main/java/com/azure/identity/EnvironmentCredential.java#L76-L77. The available version should be greater than azure-identity 1.5.4.

I am closing this issue; please reopen it if you have any concerns.

moarychan commented, Aug 30, 2022

Hi @bhattacharyyasom, thanks for using AKV.

After checking the code, your old version (3.14) can work because the token credential is built from the env variables you configured. When using version 4.3.0, if you do not configure any credential properties, Spring Cloud Azure will take the default credential, which does not read the env variable AZURE_CLIENT_CERTIFICATE_PASSWORD. I guess the root cause is the code below; it's only suitable for ‘pem’ certificates via env variables.

EnvironmentCredential(IdentityClientOptions identityClientOptions) {
        Configuration configuration = identityClientOptions.getConfiguration() == null
            ? Configuration.getGlobalConfiguration().clone() : identityClientOptions.getConfiguration();
        TokenCredential targetCredential = null;
        this.identityClientOptions = identityClientOptions;

        String clientId = configuration.get(Configuration.PROPERTY_AZURE_CLIENT_ID);
        String tenantId = configuration.get(Configuration.PROPERTY_AZURE_TENANT_ID);
        String clientSecret = configuration.get(Configuration.PROPERTY_AZURE_CLIENT_SECRET);
        String certPath = configuration.get(Configuration.PROPERTY_AZURE_CLIENT_CERTIFICATE_PATH);
        String username = configuration.get(Configuration.PROPERTY_AZURE_USERNAME);
        String password = configuration.get(Configuration.PROPERTY_AZURE_PASSWORD);
        ValidationUtil.validateTenantIdCharacterRange(tenantId, LOGGER);
        LoggingUtil.logAvailableEnvironmentVariables(LOGGER, configuration);
        if (verifyNotNull(clientId)) {
            // 1 - Attempt ClientSecretCredential or ClientCertificateCredential
            if (verifyNotNull(tenantId)) {
                if (verifyNotNull(clientSecret)) {
                    // 1.1 Attempt ClientSecretCredential
                    LOGGER.info("Azure Identity => EnvironmentCredential invoking ClientSecretCredential");
                    targetCredential = new ClientSecretCredential(tenantId, clientId, clientSecret,
                        identityClientOptions);
                } else if (verifyNotNull(certPath)) {
                    // 1.2 Attempt ClientCertificateCredential
                    LOGGER.info("Azure Identity => EnvironmentCredential invoking ClientCertificateCredential");
                    targetCredential = new ClientCertificateCredential(tenantId, clientId, certPath, null, null,
                            identityClientOptions);
                } else {
                    // 1.3 Log error if neither is found
                    LoggingUtil.logError(LOGGER, identityClientOptions,
                        () -> String.format("Azure Identity => ERROR in EnvironmentCredential: Failed to create a "
                        + "ClientSecretCredential or ClientCertificateCredential. Missing required environment "
                        + "variable either %s or %s", Configuration.PROPERTY_AZURE_CLIENT_SECRET,
                        Configuration.PROPERTY_AZURE_CLIENT_CERTIFICATE_PATH));
                }
            }

        // ......

        tokenCredential = targetCredential;
    }

You should configure the below properties:

spring.cloud.azure:
  credential:
    client-id: ${AZURE_CLIENT_ID}
    client-certificate-path: ${AZURE_CLIENT_CERTIFICATE_PATH}
    client-certificate-password: ${AZURE_CLIENT_CERTIFICATE_PASSWORD}
  profile:
    tenant-id: ${AZURE_TENANT_ID}

More detail here: https://microsoft.github.io/spring-cloud-azure/4.3.0/reference/html/index.html#authenticate-with-azure-active-directory.
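As an added example (not the commenter's or the project's own code), the same credential built explicitly through the azure-identity builder API, so the PFX password is passed instead of being dropped as in the EnvironmentCredential excerpt above. It assumes the azure-identity and azure-security-keyvault-secrets libraries on the classpath, the endpoint from the issue's YAML, and a placeholder secret name.

```java
import com.azure.identity.ClientCertificateCredential;
import com.azure.identity.ClientCertificateCredentialBuilder;
import com.azure.security.keyvault.secrets.SecretClient;
import com.azure.security.keyvault.secrets.SecretClientBuilder;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class PfxKeyVaultAccess {
    // Builds the credential from the same environment variables the issue author set; here the PFX password is used.
    static ClientCertificateCredential credentialFromEnv() throws IOException {
        String certPath = require("AZURE_CLIENT_CERTIFICATE_PATH");
        String certPassword = System.getenv("AZURE_CLIENT_CERTIFICATE_PASSWORD");
        ClientCertificateCredentialBuilder builder = new ClientCertificateCredentialBuilder()
                .tenantId(require("AZURE_TENANT_ID"))
                .clientId(require("AZURE_CLIENT_ID"));
        if (looksLikePem(Path.of(certPath))) {
            builder.pemCertificate(certPath);               // PEM path of the builder takes no password
        } else if (certPassword == null || certPassword.isEmpty()) {
            throw new IllegalStateException("PFX certificate needs AZURE_CLIENT_CERTIFICATE_PASSWORD");
        } else {
            builder.pfxCertificate(certPath, certPassword); // PKCS#12: password-protected
        }
        return builder.build();
    }

    // Format sniff: a PEM file is text carrying the BEGIN CERTIFICATE marker (the check behind the issue's error); a PFX is binary and never has it.
    static boolean looksLikePem(Path file) throws IOException {
        String text = new String(Files.readAllBytes(file), StandardCharsets.US_ASCII);
        return text.contains("-----BEGIN CERTIFICATE-----");
    }

    static String require(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("Missing environment variable " + name);
        }
        return value;
    }

    public static void main(String[] args) throws IOException {
        SecretClient client = new SecretClientBuilder()
                .vaultUrl("https://someAKV.site/")          // endpoint from the issue's YAML
                .credential(credentialFromEnv())
                .buildClient();
        // Placeholder secret name; only the name is printed, never the secret value.
        System.out.println("Read secret: " + client.getSecret("example-secret-name").getName());
    }
}
```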
