Description
Is there an existing issue for this?
- I have searched the existing issues
Microhack
03-Azure/01-03-Infrastructure/02_Hybrid_Azure_Arc_Servers
Feature Description
The challenge on managed identity and Key Vault integration uses access policies, which is a legacy setting for Key Vault. RBAC is now recommended and can be used with Azure Arc.
I have created or changed the current script to call the corresponding API and get the token once RBAC is set up.
```bash
#!/bin/bash
# Step 1: ask the Arc agent's local identity endpoint for a token. It answers
# with a Www-Authenticate header whose value is the path of a challenge file
# that is readable only by root (hence the check below).
CHALLENGE_TOKEN_PATH=$(curl -s -D - -H Metadata:true "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2021-02-01&resource=https://vault.azure.net" | grep -i "Www-Authenticate" | cut -d "=" -f 2 | tr -d "[:cntrl:]")
CHALLENGE_TOKEN=$(cat "$CHALLENGE_TOKEN_PATH")
if [ -z "$CHALLENGE_TOKEN" ]; then
  echo "Could not retrieve challenge token. Are you running as root?"
  exit 1
fi

# Step 2: repeat the request, presenting the challenge token as Basic auth,
# to receive the access token for the Key Vault resource.
ACCESS_TOKEN_RESPONSE=$(curl -s -H Metadata:true -H "Authorization: Basic $CHALLENGE_TOKEN" "http://127.0.0.1:40342/metadata/identity/oauth2/token?api-version=2021-02-01&resource=https://vault.azure.net")
ACCESS_TOKEN=$(echo "$ACCESS_TOKEN_RESPONSE" | jq -r '.access_token')
if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" == "null" ]; then
  echo "Failed to retrieve access token:"
  echo "$ACCESS_TOKEN_RESPONSE"
  exit 1
else
  echo "Access token retrieved successfully."
  # Printed for the challenge only; a bearer token is a credential, do not log it in real use.
  echo "$ACCESS_TOKEN"
fi

# Step 3: read the secret over the Key Vault data plane. With RBAC enabled on
# the vault this succeeds only once the Arc machine identity holds a data-plane
# role (for example Key Vault Secrets User) scoped to the vault.
VAULT_NAME="mh-arc-servers-kv11"
SECRET_NAME="asas"
curl -s -H "Authorization: Bearer $ACCESS_TOKEN" \
  "https://${VAULT_NAME}.vault.azure.net/secrets/${SECRET_NAME}?api-version=7.3"
```
Anything else?
https://learn.microsoft.com/en-us/azure/azure-arc/servers/managed-identity-authentication
https://learn.microsoft.com/en-us/azure/key-vault/general/rbac-access-policy
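A check that belongs between step 2 and step 3 of the script above: before presenting the token to Key Vault, decode its payload locally and confirm the audience is `https://vault.azure.net`, that it has not expired, and read the `oid` claim, which is the principal that needs the RBAC role on the vault. This is an added example, not part of the microhack or the script in this issue; it does not verify the signature (that is the vault's job), it only inspects claims. The token used here is constructed for the example with a fake signature; the function names are my own.

```bash
#!/bin/bash
# Added example: local inspection of an Arc managed-identity access token
# before using it against Key Vault. No signature verification is performed.

# Base64url encode (used only to build the constructed sample token below).
b64url_encode() {
  printf '%s' "$1" | base64 | tr -d '=\n' | tr '+/' '-_'
}

# Base64url decode: map the URL-safe alphabet back and restore '=' padding.
b64url_decode() {
  local s="${1//-/+}"
  s="${s//_//}"
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d 2>/dev/null
}

# Print the decoded claims (second dot-separated segment) of a JWT.
jwt_payload() {
  local payload
  payload=$(printf '%s' "$1" | cut -d '.' -f 2)
  b64url_decode "$payload"
}

# Extract a flat string claim (aud, oid, iss, ...) without depending on jq.
jwt_claim() {
  jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# 0 when the token was issued for the Key Vault resource, 1 otherwise.
check_vault_audience() {
  local aud
  aud=$(jwt_claim "$1" aud)
  [ "$aud" = "https://vault.azure.net" ]
}

# 0 when the token is expired (or carries no exp claim), 1 when still valid.
token_expired() {
  local exp now
  exp=$(jwt_payload "$1" | sed -n 's/.*"exp":\([0-9]*\).*/\1/p')
  now=$(date +%s)
  [ -z "$exp" ] || [ "$exp" -le "$now" ]
}

# Constructed sample tokens (header.payload.fake-signature); the GUIDs are placeholders.
SAMPLE_OID="11111111-1111-1111-1111-111111111111"
SAMPLE_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode "{\"aud\":\"https://vault.azure.net\",\"iss\":\"https://sts.windows.net/00000000-0000-0000-0000-000000000000/\",\"oid\":\"$SAMPLE_OID\",\"exp\":1893456000}").fakesignature"
WRONG_AUD_TOKEN="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode '{"aud":"https://management.azure.com","oid":"22222222-2222-2222-2222-222222222222","exp":1893456000}').fakesignature"

# Usage: the same checks the script should run on $ACCESS_TOKEN before step 3.
if check_vault_audience "$SAMPLE_TOKEN" && ! token_expired "$SAMPLE_TOKEN"; then
  echo "token ok; grant Key Vault Secrets User on the vault to oid $(jwt_claim "$SAMPLE_TOKEN" oid)"
else
  echo "token is not usable for Key Vault"
fi
```

The `oid` printed here is the object ID of the Arc machine's system-assigned identity, which is the principal to put in the role assignment; if `check_vault_audience` fails, the `resource` parameter in the token request is wrong rather than the RBAC setup.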