managed-identity-keyvault

Access Key Vault with managed identity

This sample shows how to access Key Vault with managed identity in Azure Spring Apps.

You need include ManagedIdentityCredentialBuilder and SecretClientBuilder in your code. In this sample project, you could refer to MainController.java.

Prerequisite

• JDK 21
• Maven 3.0 and above
• Azure CLI or Azure Cloud Shell
• An existing Key Vault. If you need to create a Key Vault, you can use the Azure Portal or Azure CLI

How to run

1. Run mvn clean package after specifying the URI of your Key Vault in application.properties.
2. Create an instance of Azure Spring Apps.

   az spring create -n <resource name> -g <resource group name>
   

3. Create an app with public domain assigned.

   az spring app create -n <app name> --service <resource name> -g <resource group name> --assign-endpoint true --runtime-version Java_21
   

4. Enable system-assigned managed identity for your app and take note of the principal id from the command output.

   az spring app identity assign -n <app name> --service <resource name> -g <resource group name>
   

5. Assign Key Vault Secrets User role to the system-assigned managed identity.
6. Deploy app with jar.

   az spring app deploy -n <app name> --service <resource name> -g <resource group name> --jar-path ./target/asc-managed-identity-keyvault-sample-0.1.0.jar
   

7. Verify app is running. Instances should have status RUNNING and discoveryStatus UP.

   az spring app show -n <app name> --service <resource name> -g <resource group name>
   

8. Verify sample is working. The url is fetched from previous step.

   # Create a secret in Key Vault
   curl -X PUT {url}/secrets/{secret-name}?value={value}
   
   # Get the value of secret-name you just created before
   curl {url}/secrets/{secret-name}