I have Quarkus application which runs as a Java service on server. It is not deployed as a Docker container image.
I've defined custom Credential provider for decrypting the mysql datasource password in my application, and not using vault storage for storing encrypted password.
I had created a credential provider and registered my credential provider classes and in the application.properties with the key quarkus.datasource.credentials-provider = custom.
When I try to run the application it does not override quarkus credential provider class and gives the following error:
unable to find credentials provider of type default
Is there a way to run the application providing encrypted userid/password of mysql as a service on my prod server.
Related
The code below works on my local machine passing DefaultAzureCredential(). But when I host it on IIS on Azure VM, the authentication fails. I tried setting the ApplicationPool's identity to my credential since I have access to the Azure KeyVault, still the same 403 forbidden error. Deploying as AppServices on Azure is not an option currently.
What is the best way to read Azure KeyVault Secrets in this scenario?
string kvUri = "https://mykeyvault.vault.azure.net/";
string secretName = "MyConnectionString";
var client = new SecretClient(new Uri(kvUri), new DefaultAzureCredential());
var secret = await client.GetSecretAsync(secretName);
Console.WriteLine(secret?.Value?.Value);
still the same 403 forbidden error
We need to enable the system-assigned Managed Identity on the VM which we have deployed our Web App.
And provide the permissions for the Identity which you have set in previous step.Run the below command in Azure CLI
az keyvault set-policy --name 'KeyVaultName' --object-id "ObjectID of SystemAssigned Managed Identity" --secret-permissions get list set delete
Make sure you have given access permissions to retrieve the Key Vault.
In Azure Keyvault => Access policies , select the Get,List permissions and provide the Principal - name will be same as your deployed WebApp , continue with the steps and Review +create
Connection works fine following this tutorial when using:
var connection = (SqlConnection)Database.GetDbConnection();
connection.AccessToken = (new Microsoft.Azure.Services.AppAuthentication.AzureServiceTokenProvider()).GetAccessTokenAsync("https://database.windows.net/").Result;
But now the docs say "Microsoft.Azure.Services.AppAuthentication is no longer recommended"
So changing my connection as described in Using Azure Active Directory authentication with SqlClient I get the following errors:
Using Active Directory Integrated authentication
Integrated Windows Auth is not supported for managed users.
Using Active Directory Managed Identity authentication
Tried to get token using Managed Identity. Access token could not be acquired. A socket operation was attempted to an unreachable network. (169.254.169.254:80)
Nothing is blocking that address, but also where is it getting that IP from? The tutorial's code used https://database.windows.net/ to get the token (which resolves 65.55.23.107).
Can/should I override that address somewhere?
Any other config missing?
These auth ways apply to different scenarios, for example, if you want to use Active Directory Integrated authentication, you need to federate the on-premises AD with Azure AD via ADFS, if you want to use Active Directory Managed Identity authentication, you must run your code in an Azure service which supports MSI(need to enable MSI first), because the code essentially makes an API call to the azure instance metadata endpoint to get the access token, then use the token to auth, it is just available in the MSI-supported service.
So if you want to migrate the code from the old sdk to the new one, you need to choose the correct auth way that applies to your scenario. Here I recommend you to use the Active Directory Service Principal authentication, it can apply to any scenario, please follow the steps below.
1.Register an application with Azure AD and create a service principal.
2.Get values for signing in and create a new application secret.
3.Grant the permission to the service principal with CREATE USER [Azure_AD_Object] FROM EXTERNAL PROVIDER.
4.Then use the code here, fix the values with yours and got from step 2.
string ConnectionString = #"Server=demo.database.windows.net; Authentication=Active Directory Service Principal; Database=testdb; User Id=AppId; Password=secret";
using (SqlConnection conn = new SqlConnection(ConnectionString)) {
conn.Open();
}
When we store the Service principal certificate/appKey in the VM (to access the keyvault), we could limit access to that file to just the user account running the program. Other users or accounts wouldn't have access to the secrets in keyvault.
When we use Azure Managed Service Identity to access keyvault from an IaaS VM, my understanding is that any user logged into the VM or any program running on the machine can access the keyvault secrets - is this true?
And if it is, doesn't that decrease the security in case one of the user accounts is compromised?
According to the article access Azure Key Vault, it seems this is true. If MSI is enabled, just need to invoke web request in the VM without e.g. appKey.
And if it is, doesn't that decrease the security in case one of the user accounts is compromised?
It should be, but the prerequisites of the access to the secret in the keyvault is the VM service principal was added as a role in Access control (IAM) and Access policies.
If you want to increase the security, you may need to remove the VM service principal in the Access policies, then it will not be able to access the secret, if you want to the service principal does not have the access to the keyvault at all, remove its role in Access control (IAM).
For more details, you could refer to: Secure your key vault.
Update:
From the doc #Arturo mentioned, it is the fact.
Any code running on that VM, is able to call the managed identities for Azure resources endpoint and request tokens.
I have been using the new .net 4.7.1 functionality to manage secrets locally in DEV but now I want to publish my web app and of course that doesn't work in PROD.
I am using a service principal to access Azure key vault in my app and was storing the App Id and Password in the local secrets file. I can of course store all of my secrets in Key vault but I still need to supply it the service principal details to connect to that in the first place.
What's the best option here?
You can use Managed Identities so you don't have to store any secret in your app:
How to use managed identities for App Service and Azure Functions
Once configured, add a reference to these nuget packages: Microsoft.Azure.Services.AppAuthentication and Microsoft.Azure.KeyVault
In you application, you can access key vault secrets like that:
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.Services.AppAuthentication;
...
var azureServiceTokenProvider = new AzureServiceTokenProvider();
var keyVaultClient = new KeyVaultClient(
new KeyVaultClient.AuthenticationCallback(azureServiceTokenProvider.KeyVaultTokenCallback));
var secret = await keyVaultClient.GetSecretAsync(
"https://{{my-vault-name}}.vault.azure.net/", "{{my-secret}}");
You need to store the values you use to open the key vault in the App settings of your application. If your production environment is Azure, you can access the App settings of your application and set them there.
Read this article to get an idea of the full picture. But the jist is that you can use application secrets in a Azure key valut and then use app settings to store the credentials to access that key vault later on.
We have an application (service provider) which is already set up to use SSO. The user is authenticated using an identity provider and IDP sends the request to the service provider with a few attributes which are retrieved and used at the service provider app for creating a session.
Now we need to create one more service provider (app2) which should be authenticated by the same identity provider. The new app2 users should not be having access to view app1. The users can be differentiated with an attribute which will be contained in the IDP request.
My question is how to configure the new SP in the IDP site using the Oracle OpenSSO Fedlet SP initiated SSO, and how can the users be restricted on IDP or SP?
Please advise and let me know the procedure to implement the process.
Thank you