Jenkins: Using Azure Arc + Linux MSI Credentials to access Azure Keyvault


Issue:

I am running Jenkins on an Azure Arc enabled Ubuntu 22.04 LTS server. The Jenkins Azure Key Vault Plugin documentation shows that it supports using a system-assigned managed identity to authenticate with an Azure Key Vault and retrieve secrets from the key vault for use in Jenkins pipelines. But the plugin does not seem to recognize, or is unable to authenticate with, the managed identity endpoint.

Steps So Far:

  1. Confirmed the Key Vault permissions and wrote a script using the Java Azure Identity library to get a Key Vault value using the system-assigned managed identity (worked successfully).

  2. I configured the plugin to use the server's managed identity as shown in the documentation by adding environment variables to the service configuration file.

# .../jenkins.service

[Service]
Environment="AZURE_KEYVAULT_URL=https://<keyvault-name>.vault.azure.net/"
Environment="AZURE_KEYVAULT_UAMI_ENABLED=true"
  3. After some research I added further configuration: the jenkins user to the himds group, and the IMDS_ENDPOINT and IDENTITY_ENDPOINT environment variables to the jenkins.service configuration.

[Service]
...
SupplementaryGroups=himds
Environment="IMDS_ENDPOINT=http://localhost:40342"
Environment="IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token"

  4. Additionally added the same variables to /etc/environment.

IMDS_ENDPOINT=http://localhost:40342
IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token

Logs:

May 16, 2024 4:17:35 PM FINE com.azure.core.util.logging.ClientLogger verbose
Attempting to use java.lang.invoke package to handle reflection.
May 16, 2024 4:17:35 PM FINE com.azure.core.util.logging.ClientLogger verbose
Successfully used java.lang.invoke package to handle reflection.
May 16, 2024 4:17:37 PM INFO com.azure.core.util.logging.ClientLogger performDeferredLogging
Azure Identity => getToken() result for scopes [https://graph.microsoft.com/.default]: SUCCESS
May 16, 2024 4:17:53 PM INFO com.azure.core.util.logging.ClientLogger performDeferredLogging
Azure Identity => getToken() result for scopes [https://graph.microsoft.com/.default]: SUCCESS
May 16, 2024 4:17:54 PM FINE com.azure.core.util.logging.ClientLogger performLogging
Azure Identity => Found the following environment variables: 
May 16, 2024 4:17:54 PM FINE com.azure.core.util.logging.ClientLogger verbose
Listing secrets
May 16, 2024 4:17:54 PM FINE com.azure.core.util.logging.ClientLogger performLogging
Using com.azure.core.http.netty.NettyAsyncHttpClientProvider as the default com.azure.core.http.HttpClientProvider.
May 16, 2024 4:17:54 PM SEVERE com.azure.core.util.logging.ClientLogger performLogging
Did not receive a secret value in the response from Azure Arc Managed Identity Endpoint
com.azure.core.exception.ClientAuthenticationException: Did not receive a secret value in the response from Azure Arc Managed Identity Endpoint
    at com.azure.identity.implementation.IdentityClient.lambda$authenticateToArcManagedIdentityEndpoint$48(IdentityClient.java:821)
    at reactor.core.publisher.MonoCallable.subscribe(MonoCallable.java:57)
    at reactor.core.publisher.Mono.subscribe(Mono.java:4490)
    at reactor.core.publisher.Mono.subscribeWith(Mono.java:4605)
    at reactor.core.publisher.Mono.toFuture(Mono.java:5010)
    at com.azure.identity.implementation.IdentityClientBase.lambda$getManagedIdentityConfidentialClient$1(IdentityClientBase.java:341)
    at com.microsoft.aad.msal4j.AcquireTokenByAppProviderSupplier.fetchTokenUsingAppTokenProvider(AcquireTokenByAppProviderSupplier.java:75)
    at com.microsoft.aad.msal4j.AcquireTokenByAppProviderSupplier.execute(AcquireTokenByAppProviderSupplier.java:56)
    at com.microsoft.aad.msal4j.AcquireTokenByClientCredentialSupplier.acquireTokenByClientCredential(AcquireTokenByClientCredentialSupplier.java:78)
    at com.microsoft.aad.msal4j.AcquireTokenByClientCredentialSupplier.execute(AcquireTokenByClientCredentialSupplier.java:49)
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:69)
    at com.microsoft.aad.msal4j.AuthenticationResultSupplier.get(AuthenticationResultSupplier.java:18)
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.run(CompletableFuture.java:1768)
    at java.base/java.util.concurrent.CompletableFuture$AsyncSupply.exec(CompletableFuture.java:1760)
    at java.base/java.util.concurrent.ForkJoinTask.doExec(ForkJoinTask.java:373)
    at java.base/java.util.concurrent.ForkJoinPool$WorkQueue.topLevelExec(ForkJoinPool.java:1182)
    at java.base/java.util.concurrent.ForkJoinPool.scan(ForkJoinPool.java:1655)
    at java.base/java.util.concurrent.ForkJoinPool.runWorker(ForkJoinPool.java:1622)
    at java.base/java.util.concurrent.ForkJoinWorkerThread.run(ForkJoinWorkerThread.java:165)

May 16, 2024 4:17:54 PM SEVERE com.azure.core.util.logging.ClientLogger performDeferredLogging
Azure Identity => ERROR in getToken() call for scopes [https://vault.azure.net/.default]: Managed Identity authentication is not available.
May 16, 2024 4:17:54 PM SEVERE com.azure.core.util.logging.LoggingEventBuilder performLogging
{"az.sdk.message":"Failed to acquire a new access token.","exception":"Managed Identity authentication is not available."}
com.azure.core.exception.ClientAuthenticationException: Did not receive a secret value in the response from Azure Arc Managed Identity Endpoint
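The error above is raised inside the Arc-specific branch of the Azure Identity client, which does not talk to the ordinary IMDS endpoint but performs a challenge exchange with the local Arc agent: an unauthenticated GET to the identity endpoint is answered with HTTP 401 and a WWW-Authenticate header of the form Basic realm=<path to a key file>, the client reads that file (on an Arc host it is readable by the himds group, which is why the jenkins user was added to it) and repeats the request with the file contents as the Basic credential. The following added diagnostic, not part of the question, the Jenkins plugin or the Azure SDK, walks those three steps one at a time so that whichever one fails (endpoint unreachable, no challenge header, key file unreadable by the service user) is reported on its own. It runs offline against a constructed mock of the Arc agent; the api-version value is the one from the Azure Arc documentation and the realm shape is the documented one, and the token contents and key file are constructed sample data.

```python
"""Walk through the Azure Arc managed-identity challenge flow one step at a time.

Added diagnostic example (not from the question author, the Jenkins plugin or
the Azure SDK). It runs against a constructed local mock of the Arc agent;
point identity_endpoint at the real agent (http://localhost:40342/...) to run
the same steps on an Arc host as the Jenkins service user.
"""
import http.server
import json
import os
import tempfile
import threading
import urllib.error
import urllib.parse
import urllib.request

API_VERSION = "2019-11-01"          # api-version from the Arc identity endpoint docs
CHALLENGE_PREFIX = "Basic realm="   # shape of the documented WWW-Authenticate challenge


def build_token_url(identity_endpoint, resource):
    """Token URL for one resource, e.g. https://vault.azure.net for Key Vault."""
    query = urllib.parse.urlencode({"api-version": API_VERSION, "resource": resource})
    return f"{identity_endpoint}?{query}"


def parse_challenge(header):
    """Extract the key-file path from 'Basic realm=/var/opt/azcmagent/tokens/<id>.key'."""
    if not header or not header.startswith(CHALLENGE_PREFIX):
        raise RuntimeError(f"unexpected WWW-Authenticate challenge: {header!r}")
    return header[len(CHALLENGE_PREFIX):].strip()


def fetch_challenge(url):
    """Step 1: the unauthenticated request must come back as 401 plus a challenge."""
    req = urllib.request.Request(url, headers={"Metadata": "true"})
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            raise RuntimeError(f"expected 401 challenge, endpoint answered {resp.status}")
    except urllib.error.HTTPError as err:
        if err.code != 401:
            raise RuntimeError(f"expected 401 challenge, endpoint answered {err.code}") from err
        return parse_challenge(err.headers.get("WWW-Authenticate"))


def read_key_file(path):
    """Step 2: read the challenge key; on an Arc host it is readable by group 'himds'."""
    try:
        with open(path, "r", encoding="utf-8") as fh:
            return fh.read().strip()
    except OSError as exc:
        raise RuntimeError(f"cannot read challenge key {path}: {exc.strerror}; "
                           "check that the service user is in the 'himds' group") from exc


def request_token(url, key):
    """Step 3: repeat the request with the key file contents as the Basic credential."""
    req = urllib.request.Request(url, headers={"Metadata": "true",
                                               "Authorization": f"Basic {key}"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.loads(resp.read().decode("utf-8"))


def acquire_arc_token(identity_endpoint, resource):
    url = build_token_url(identity_endpoint, resource)
    return request_token(url, read_key_file(fetch_challenge(url)))


class MockArcHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the Arc agent: challenge first, token second."""
    key_path = None       # path advertised in the challenge
    expected_key = None   # contents the client must echo back

    def do_GET(self):
        if self.headers.get("Metadata") != "true":
            self.send_error(400, "Metadata header required")
            return
        if self.headers.get("Authorization") != f"Basic {self.expected_key}":
            self.send_response(401)
            self.send_header("WWW-Authenticate", f"{CHALLENGE_PREFIX}{self.key_path}")
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = json.dumps({"access_token": "constructed-token", "token_type": "Bearer"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo output quiet
        pass


def run_demo(advertise_missing_key=False):
    """Run the flow against the mock; optionally advertise a key path the client cannot open."""
    with tempfile.NamedTemporaryFile("w", suffix=".key", delete=False) as tmp:
        tmp.write("constructed-challenge-key\n")
    MockArcHandler.expected_key = "constructed-challenge-key"
    MockArcHandler.key_path = tmp.name + ".missing" if advertise_missing_key else tmp.name
    server = http.server.HTTPServer(("127.0.0.1", 0), MockArcHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        endpoint = f"http://127.0.0.1:{server.server_address[1]}/metadata/identity/oauth2/token"
        return acquire_arc_token(endpoint, "https://vault.azure.net")
    finally:
        server.shutdown()
        server.server_close()
        os.unlink(tmp.name)


def demo_unreadable_key():
    """Return the diagnostic message produced when step 2 (reading the key) fails."""
    try:
        run_demo(advertise_missing_key=True)
    except RuntimeError as exc:
        return str(exc)
    return "no error"


if __name__ == "__main__":
    print(run_demo())
    print(demo_unreadable_key())
```

When run as the jenkins user on the Arc host itself, the step that fails tells you where to look: a failure in step 1 means the IDENTITY_ENDPOINT value or the agent is wrong, a failure in step 2 means the group membership (and therefore the SupplementaryGroups=himds setting plus a service restart) is not taking effect for the process, and a failure in step 3 means the agent rejected the key.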
