update access token url on app service (#20292)
* update access token url on app service
yiliuTo committed Apr 2, 2021
1 parent 2dfa14a commit 601ba46
Showing 4 changed files with 13 additions and 15 deletions.
Expand Up @@ -128,23 +128,21 @@ public String getAccessToken(String resource, String aadAuthenticationUrl,
* Get the access token on Azure App Service.
*
* @param resource the resource.
* @param identity the user-assigned identity (null if system-assigned).
* @param clientId the user-assigned managed identity (null if system-assigned).
* @return the authorization token.
*/
private String getAccessTokenOnAppService(String resource, String identity) {
private String getAccessTokenOnAppService(String resource, String clientId) {
LOGGER.entering("AuthClient", "getAccessTokenOnAppService", resource);
LOGGER.info("Getting access token using managed identity based on MSI_SECRET");
if (identity != null) {
LOGGER.log(INFO, "Using managed identity with object ID: {0}", identity);
}
String result = null;

StringBuilder url = new StringBuilder();
url.append(System.getenv("MSI_ENDPOINT"))
.append("?api-version=2017-09-01")
.append(RESOURCE_FRAGMENT).append(resource);
if (identity != null) {
url.append("&objectid=").append(identity);
if (clientId != null) {
url.append("&clientid=").append(clientId);
LOGGER.log(INFO, "Using managed identity with client ID: {0}", clientId);
}

HashMap<String, String> headers = new HashMap<>();
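Review bot: `clientId` is appended straight into the query string (`url.append("&clientid=").append(clientId)`) with no validation or URL-encoding. The value comes from the `managed-identity` configuration property, and the App Service managed identity endpoint expects a client ID in GUID form, so validating it (for example with `UUID.fromString`) before building the URL turns a misconfigured value into a clear error instead of a malformed token request. The Javadoc `@param clientId the user-assigned managed identity (null if system-assigned)` should also read `the client ID of the user-assigned managed identity`, matching the renamed parameter.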
Expand Up @@ -4,6 +4,7 @@ azure:
tenant-id: # The Tenant ID for your Azure Key Vault (needed if you are not using managed identity).
client-id: # The Client ID that has been setup with access to your Azure Key Vault (needed if you are not using managed identity).
client-secret: # The Client Secret that will be used for accessing your Azure Key Vault (needed if you are not using managed identity).
# managed-identity: # The user-assigned managed identity object-id to use.
# managed-identity: # client-id of the user-assigned managed identity to use.
# If the above 4 properties are empty, then system-assigned managed identity will be used.
server:
port: 8080
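Review bot: the new comment `# managed-identity: # client-id of the user-assigned managed identity to use.` sits directly under an unrelated `client-id:` property in the same block, which invites confusion between the app registration's client ID and the managed identity's. Suggest spelling it out, e.g. `# The client ID of the user-assigned managed identity (not the client-id property above).`, so that the closing line `# If the above 4 properties are empty, then system-assigned managed identity will be used.` reads unambiguously.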
Expand Up @@ -4,7 +4,8 @@ azure:
tenant-id: # The Tenant ID for your Azure Key Vault (needed if you are not using managed identity).
client-id: # The Client ID that has been setup with access to your Azure Key Vault (needed if you are not using managed identity).
client-secret: # The Client Secret that will be used for accessing your Azure Key Vault (needed if you are not using managed identity).
# managed-identity: # The user-assigned managed identity object-id to use.
# managed-identity: # The user-assigned managed identity client-id to use.
# If the above 4 properties are empty, then system-assigned managed identity will be used.
server:
port: 8443
ssl:
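Review bot: the wording here (`# The user-assigned managed identity client-id to use.`) differs from the comment added to the same property in the other sample (`# client-id of the user-assigned managed identity to use.`). Both files document the same key; use one sentence in both so the samples and the README snippets built from them stay consistent.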
Expand Up @@ -101,15 +101,13 @@ This starter allows you to securely manage and tightly control your certificates
![Copy secrets](resource/copy-secrets.png)

Add these items in your `application.yml`:
<!-- embedme ../azure-spring-boot-samples/azure-spring-boot-sample-keyvault-certificates-server-side/src/main/resources/application.yml#L1-L12 -->
```yaml
azure:
keyvault:
uri: # The URI to the Azure Key Vault used
tenant-id: # The Tenant ID for your Azure Key Vault (needed if you are not using managed identity).
client-id: # The Client ID that has been setup with access to your Azure Key Vault (needed if you are not using managed identity).
client-secret: # The Client Secret that will be used for accessing your Azure Key Vault (needed if you are not using managed identity).
# managed-identity: # The user-assigned managed identity object-id to use.
server:
port: 8443
ssl:
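Review bot: removing the `<!-- embedme ... application.yml#L1-L12 -->` marker together with the `managed-identity` line means this README block is no longer kept in sync with the sample's `application.yml`. If the intent is only to hide the property from this snippet, keep the marker with its line range adjusted so the embedded block cannot drift from the sample again.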
Expand Down Expand Up @@ -141,12 +139,13 @@ Make sure the client-id can access target Key Vault. Here are steps to configure

#### Using a managed identity

If you are using managed identity instead of client-id, add these items in your `application.yml`:
If you are using managed identity instead of App registrations, add these items in your `application.yml`:

```yaml
azure:
keyvault:
uri: <the URI of the Azure Key Vault to use>
# managed-identity: # client-id of the user-assigned managed identity to use. If empty, then system-assigned managed identity will be used.
server:
ssl:
key-alias: <the name of the certificate in Azure Key Vault to use>
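Review bot: `App registrations` (plural) here versus `App registration` in the client-side section further down; pick one form. The added line `# managed-identity: # client-id of the user-assigned managed identity to use. If empty, then system-assigned managed identity will be used.` is also the only commented-out entry in a block that otherwise uses `<placeholder>` values; `managed-identity: <the client ID of the user-assigned managed identity; omit for system-assigned>` would match the block's style and keep the line short.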
Expand All @@ -159,15 +158,13 @@ Make sure the managed identity can access target Key Vault.

#### Using a client ID and client secret
Add these items in your `application.yml`:
<!-- embedme ../azure-spring-boot-samples/azure-spring-boot-sample-keyvault-certificates-client-side/src/main/resources/application.yml#L1-L7 -->
```yaml
azure:
keyvault:
uri: # The URI to the Azure Key Vault used
tenant-id: # The Tenant ID for your Azure Key Vault (needed if you are not using managed identity).
client-id: # The Client ID that has been setup with access to your Azure Key Vault (needed if you are not using managed identity).
client-secret: # The Client Secret that will be used for accessing your Azure Key Vault (needed if you are not using managed identity).
# managed-identity: # The user-assigned managed identity object-id to use.
```
Make sure the client-id can access target Key Vault.

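Review bot: the `<!-- embedme ... application.yml#L1-L7 -->` marker is dropped along with the `managed-identity` line, so this client-side snippet will no longer be checked against the sample file either. Keep the marker with the adjusted range, or add a sentence pointing readers to the `Using a managed identity` section for that property, so the two ways of documenting it do not diverge.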
Expand Down Expand Up @@ -201,11 +198,12 @@ public RestTemplate restTemplateWithTLS() throws Exception {

#### Using a managed identity

If you are using managed identity instead of client-id, add these items in your `application.yml`:
If you are using managed identity instead of App registration, add these items in your `application.yml`:
```yaml
azure:
keyvault:
uri: <the URI of the Azure Key Vault to use>
# managed-identity: # client-id of the user-assigned managed identity to use. If empty, then system-assigned managed identity will be used.
```
Make sure the managed identity can access target Key Vault.

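Review bot: this block repeats the server-side `Using a managed identity` text almost verbatim, with `App registration` singular here and plural in the earlier section; align the wording. The `If empty, then system-assigned managed identity will be used.` clause is the behaviour readers most need, and it would be clearer as its own sentence after the block rather than buried in a comment on a commented-out key.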