
Authenticating Clients to the Key Vault

Azure Key Vault authenticates requests via Azure Active Directory OAuth access tokens. All clients in the azure-keyvault package require an instance of the TokenCredential interface. The TokenCredential interface is located in the azure-common package.

While some applications with special requirements may choose to provide a TokenCredential implementation of their own, most can utilize the implementations provided by the Azure Identity library.

Authenticating Using the Azure Identity Library

To use the Azure Identity Library for authenticating client requests, you must first reference the azure-identity package in your project. The following reference should be added to the project pom.xml dependencies section:

    <dependency>
      <groupId>com.azure</groupId>
      <artifactId>azure-identity</artifactId>
      <version>1.0.0-SNAPSHOT</version>
    </dependency>

The Default Credential Provider

The default credential provider is a TokenCredential implementation which enables your app to seamlessly authenticate both in your development environment and when deployed to the Azure cloud.

When you use the default credential provider to authenticate your app, the provider looks for credentials in the following order:

  1. A Service Principal or identity that is assigned to your deployed app
  2. Credentials used to log in to the Azure portal or the Azure CLI

This means that while you are writing code on your development machine, you can log in to the Azure portal or the Azure CLI; when you then run your app locally, the credentials from that login are used to authenticate access to the Key Vault.

Then, when you deploy your app to Azure (e.g., in a VM or an App Service), you give the app's own identity the rights to access the Key Vault.

In both cases you do not need to change the code you write to authenticate to the service, as long as you use the default credential provider. No client secret or certificate ever has to be embedded in the application or its configuration.

Authenticating Clients

To use the default credential provider, you must first import the AzureCredential class.

import com.azure.identity.credential.AzureCredential;

The default credential provider is then accessed through the static DEFAULT field and passed to the client builder when constructing clients.

SecretClient client = SecretClient.builder()
    .vaultEndpoint("https://samplevault.vault.azure.net") // URL of the vault to access
    .credentials(AzureCredential.DEFAULT)                 // default credential provider
    .build();

Configuring the Development Environment

In the development environment, your credentials are read from the login you performed with the Azure CLI. To configure your environment to authenticate with the default credential provider, log in to the Azure CLI before running your app.
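Putting the steps above together, here is an added example (not code from this gist or from the Azure SDK) of a complete class that builds a SecretClient with the default credential provider and reads a single secret. The import path com.azure.keyvault.SecretClient, the getSecret(String) method and its value() accessor are assumptions about the preview SDK and may differ in the version you use; the vault URL and secret name are constructed sample values.

```java
package com.example.keyvaultauth;

import com.azure.identity.credential.AzureCredential;
// ASSUMPTION: the preview package path for SecretClient is not shown in the gist.
import com.azure.keyvault.SecretClient;

/**
 * Added example (not part of the original gist): reads one secret from a vault
 * using the default credential provider, so the same code runs unchanged on a
 * developer machine (after logging in to the Azure CLI) and once deployed to Azure.
 */
public class ReadSecretWithDefaultCredential {

    /** Builds a client for the given vault using the default credential provider. */
    public static SecretClient buildClient(String vaultEndpoint) {
        // AzureCredential.DEFAULT resolves credentials in this order:
        //   1. a service principal or identity assigned to the deployed app
        //   2. the credentials of the current Azure portal / Azure CLI login
        // so no client secret or certificate is embedded in this code.
        return SecretClient.builder()
            .vaultEndpoint(vaultEndpoint)
            .credentials(AzureCredential.DEFAULT)
            .build();
    }

    /** Reads the current value of a secret by name. */
    public static String readSecretValue(SecretClient client, String secretName) {
        // ASSUMPTION: getSecret(String) returning an object with value() is not
        // shown on the page; adjust to the SDK version you actually use.
        return client.getSecret(secretName).value();
    }

    public static void main(String[] args) {
        // Constructed sample values; override them from the command line.
        String endpoint = args.length > 0 ? args[0] : "https://samplevault.vault.azure.net";
        String name = args.length > 1 ? args[1] : "example-secret";

        SecretClient client = buildClient(endpoint);
        String value = readSecretValue(client, name);

        // Never write the secret value itself to logs; only confirm the round-trip.
        System.out.println("Retrieved secret '" + name + "' (" + value.length() + " chars)");
    }
}
```

Locally this runs after you log in to the Azure CLI; in Azure it runs once the app's identity has been granted rights on the vault. Neither case requires touching the code, and the secret value is deliberately kept out of the program's output.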
