[BUG] Azure KeyVault JCA library should use managed identity's client_id instead of object_id #39502

Open
@krishnamraju-pernedi

Description

Describe the bug
I am using the Azure KeyVault JCA SDK code to read certificates and keys (keystore). I could retrieve certificates and private keys using a service principal, i.e. client_id and client_secret. But the same functionality is not working intermittently when using managed identity.
After debugging the SDK code, I figured out that the following code uses object_id to fetch the access token.

My observations:
Access token requests using client_id and object_id are not the same. If client_id is passed in the identity request, it returns an access token for the respective UAMI. But if object_id is passed in the request, it ignores object_id and generates an access token for one of the assigned managed identities. When more than one managed identity (UAMI) is assigned to the resource, it generates the access token using a random UAMI and does not use the object_id in the query param at all. It works fine if client_id is used.

Exception or Stack Trace
No errors printed. The access token being generated is not the one that was requested.

To Reproduce
Steps to reproduce the behavior:
1. The resource should have more than one UAMI assigned.
2. Make an identity request to http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01 with object_id as a query param to get a token.
3. Read the JWT token using jwt.io and you will find a different UAMI name each time in the token details.

Code Snippet
Add the code snippet that causes the issue.

Expected Behavior
client_id should be used for managed identity instead of object_id
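As an added illustration (not code from this issue or from the azure-spring-jca library), the Python helper below requests the IMDS token selecting the UAMI by client_id, as the expected behavior asks, and then inspects the decoded JWT to confirm the token really belongs to the requested identity before it is used. The claim name `appid`, the sample client ids and the unsigned sample token are assumptions constructed for the example.

```python
import base64
import json
import urllib.parse
import urllib.request

# IMDS endpoint and api-version as quoted in the issue's reproduction steps.
IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
IMDS_API_VERSION = "2018-02-01"


def build_imds_token_url(resource: str, client_id: str) -> str:
    """Select the UAMI by client_id, never object_id, when asking IMDS for a token."""
    params = {"api-version": IMDS_API_VERSION, "resource": resource, "client_id": client_id}
    return f"{IMDS_TOKEN_URL}?{urllib.parse.urlencode(params)}"

def fetch_imds_token(resource: str, client_id: str) -> str:
    """Call IMDS (only reachable from an Azure host); the Metadata header is mandatory."""
    req = urllib.request.Request(build_imds_token_url(resource, client_id),
                                 headers={"Metadata": "true"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)["access_token"]

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only (no signature check), like jwt.io does."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_matches_identity(token: str, expected_client_id: str) -> bool:
    """Assumption: IMDS v1 access tokens carry the UAMI's client id in the 'appid' claim.
    Returns False when the token was minted for a different (randomly chosen) UAMI."""
    return decode_jwt_payload(token).get("appid") == expected_client_id

def make_sample_token(claims: dict) -> str:
    """Constructed, unsigned sample JWT for offline testing; not a real Azure token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

if __name__ == "__main__":
    # Constructed client ids; on a real host you would pass fetch_imds_token(...)'s result.
    wanted, other = "11111111-1111-1111-1111-111111111111", "22222222-2222-2222-2222-222222222222"
    print(token_matches_identity(make_sample_token({"appid": wanted}), wanted))  # True
    print(token_matches_identity(make_sample_token({"appid": other}), wanted))   # False
```

Refusing a token whose `appid` differs from the requested client_id turns the silent wrong-identity failure described above into a detectable error.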

Labels: Client (this issue points to a problem in the data-plane of the library), azure-spring (all azure-spring related issues), azure-spring-jca, customer-reported (issues that are reported by GitHub users external to the Azure organization), needs-team-attention (workflow: this issue needs attention from the Azure service team or SDK team), question (the issue doesn't require a change to the product in order to be resolved; most issues start as that)