
Commit 61e5eb8

authored
feat: use DefaultAzureCredential in Azure Key Vault (#82)
* feat: use DefaultAzureCredential in Azure Key Vault * add documentation
1 parent 6e23ec4 commit 61e5eb8

13 files changed

+119
-293
lines changed


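--- a/DEPENDENCIES
+++ b/DEPENDENCIES
@@ -56,16 +56,13 @@ maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.14.2, Apache-2.
 maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.15.1, Apache-2.0, approved, #7934
 maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.15.2, Apache-2.0, approved, #7934
 maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.15.3, Apache-2.0, approved, #7934
-maven/mavencentral/com.fasterxml.jackson.core/jackson-databind/2.9.8, Apache-2.0 AND EPL-1.0, approved, CQ21704
 maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/2.13.5, Apache-2.0, approved, #3768
 maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/2.14.2, Apache-2.0, approved, #4300
 maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-xml/2.15.3, Apache-2.0, approved, #9237
 maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.12.1, Apache-2.0, approved, CQ23167
 maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.1, Apache-2.0, approved, #8802
 maven/mavencentral/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/2.15.3, Apache-2.0, approved, #8802
 maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jakarta-jsonp/2.15.3, Apache-2.0, approved, #9179
-maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-joda/2.10.5, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-joda/2.15.3, , restricted, clearlydefined
 maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.12.1, Apache-2.0, approved, CQ23727
 maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.13.5, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.fasterxml.jackson.datatype/jackson-datatype-jsr310/2.14.2, Apache-2.0, approved, #4699
@@ -86,37 +83,24 @@ maven/mavencentral/com.github.stephenc.jcip/jcip-annotations/1.0-1, Apache-2.0,
 maven/mavencentral/com.google.code.findbugs/jsr305/3.0.2, Apache-2.0, approved, #20
 maven/mavencentral/com.google.errorprone/error_prone_annotations/2.7.1, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.google.guava/failureaccess/1.0.1, Apache-2.0, approved, CQ22654
-maven/mavencentral/com.google.guava/guava/20.0, Apache-2.0, approved, CQ12329
 maven/mavencentral/com.google.guava/guava/31.0.1-jre, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.google.guava/listenablefuture/9999.0-empty-to-avoid-conflict-with-guava, Apache-2.0, approved, CQ22657
 maven/mavencentral/com.google.j2objc/j2objc-annotations/1.3, Apache-2.0, approved, CQ21195
-maven/mavencentral/com.microsoft.azure/azure-annotations/1.10.0, MIT, approved, clearlydefined
-maven/mavencentral/com.microsoft.azure/azure-client-runtime/1.7.14, MIT, approved, clearlydefined
-maven/mavencentral/com.microsoft.azure/azure-mgmt-resources/1.41.4, MIT, approved, clearlydefined
 maven/mavencentral/com.microsoft.azure/msal4j-persistence-extension/1.2.0, MIT, approved, clearlydefined
 maven/mavencentral/com.microsoft.azure/msal4j/1.13.9, MIT, approved, clearlydefined
 maven/mavencentral/com.microsoft.azure/msal4j/1.4.0, MIT, approved, clearlydefined
-maven/mavencentral/com.microsoft.rest/client-runtime/1.7.14, MIT, approved, clearlydefined
 maven/mavencentral/com.nimbusds/content-type/2.2, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/lang-tag/1.7, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.25, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.30.2, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.nimbusds/nimbus-jose-jwt/9.37, Apache-2.0, approved, #11086
 maven/mavencentral/com.nimbusds/oauth2-oidc-sdk/10.7.1, Apache-2.0, approved, clearlydefined
 maven/mavencentral/com.puppycrawl.tools/checkstyle/10.0, LGPL-2.1-or-later, approved, #7936
-maven/mavencentral/com.squareup.okhttp3/logging-interceptor/3.12.12, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.squareup.okhttp3/okhttp-dnsoverhttps/4.11.0, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.squareup.okhttp3/okhttp-urlconnection/3.12.12, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.squareup.okhttp3/okhttp/3.12.0, Apache-2.0, approved, CQ19549
-maven/mavencentral/com.squareup.okhttp3/okhttp/3.12.12, Apache-2.0, approved, CQ19549
-maven/mavencentral/com.squareup.okhttp3/okhttp/4.11.0, Apache-2.0, approved, #9240
+maven/mavencentral/com.squareup.okhttp3/okhttp-dnsoverhttps/4.12.0, Apache-2.0, approved, #11159
+maven/mavencentral/com.squareup.okhttp3/okhttp/4.12.0, Apache-2.0, approved, #11156
 maven/mavencentral/com.squareup.okhttp3/okhttp/4.9.3, Apache-2.0 AND MPL-2.0, approved, #3225
-maven/mavencentral/com.squareup.okio/okio-jvm/3.2.0, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.squareup.okio/okio/1.15.0, Apache-2.0, approved, CQ20187
-maven/mavencentral/com.squareup.okio/okio/3.2.0, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.squareup.retrofit2/adapter-rxjava/2.6.4, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.squareup.retrofit2/converter-jackson/2.6.4, Apache-2.0, approved, clearlydefined
-maven/mavencentral/com.squareup.retrofit2/retrofit/2.6.4, Apache-2.0, approved, clearlydefined
+maven/mavencentral/com.squareup.okio/okio-jvm/3.6.0, Apache-2.0, approved, #11158
+maven/mavencentral/com.squareup.okio/okio/3.6.0, Apache-2.0, approved, #11155
 maven/mavencentral/com.sun.activation/jakarta.activation/2.0.0, EPL-2.0 OR BSD-3-Clause OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.jaf
 maven/mavencentral/commons-beanutils/commons-beanutils/1.9.4, Apache-2.0, approved, CQ12654
 maven/mavencentral/commons-codec/commons-codec/1.11, Apache-2.0 AND BSD-3-Clause, approved, CQ15971
@@ -154,8 +138,6 @@ maven/mavencentral/io.opentelemetry/opentelemetry-context/1.31.0, Apache-2.0, ap
 maven/mavencentral/io.projectreactor.netty/reactor-netty-core/1.0.34, Apache-2.0, approved, #9687
 maven/mavencentral/io.projectreactor.netty/reactor-netty-http/1.0.34, Apache-2.0, approved, clearlydefined
 maven/mavencentral/io.projectreactor/reactor-core/3.4.31, Apache-2.0, approved, #7517
-maven/mavencentral/io.reactivex/rxjava/1.3.0, Apache-2.0, approved, clearlydefined
-maven/mavencentral/io.reactivex/rxjava/1.3.8, Apache-2.0, approved, clearlydefined
 maven/mavencentral/io.rest-assured/json-path/5.3.2, Apache-2.0, approved, #9261
 maven/mavencentral/io.rest-assured/rest-assured-common/5.3.2, Apache-2.0, approved, #9264
 maven/mavencentral/io.rest-assured/rest-assured/5.3.2, Apache-2.0, approved, #9262
@@ -181,7 +163,6 @@ maven/mavencentral/jakarta.validation/jakarta.validation-api/3.0.2, Apache-2.0,
 maven/mavencentral/jakarta.ws.rs/jakarta.ws.rs-api/3.1.0, EPL-2.0 OR GPL-2.0-only with Classpath-exception-2.0, approved, ee4j.rest
 maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/3.0.0, BSD-3-Clause, approved, ee4j.jaxb
 maven/mavencentral/jakarta.xml.bind/jakarta.xml.bind-api/4.0.0, BSD-3-Clause, approved, ee4j.jaxb
-maven/mavencentral/joda-time/joda-time/2.10.14, Apache-2.0, approved, clearlydefined
 maven/mavencentral/junit/junit/4.13.2, EPL-2.0, approved, CQ23636
 maven/mavencentral/net.bytebuddy/byte-buddy-agent/1.14.1, Apache-2.0, approved, #7164
 maven/mavencentral/net.bytebuddy/byte-buddy/1.12.10, Apache-2.0 AND BSD-3-Clause, approved, #1811
@@ -198,14 +179,12 @@ maven/mavencentral/org.antlr/antlr4-runtime/4.9.3, BSD-3-Clause, approved, #322
 maven/mavencentral/org.apache.commons/commons-compress/1.24.0, Apache-2.0 AND BSD-3-Clause AND bzip2-1.0.6 AND LicenseRef-Public-Domain, approved, #10368
 maven/mavencentral/org.apache.commons/commons-lang3/3.11, Apache-2.0, approved, CQ22642
 maven/mavencentral/org.apache.commons/commons-lang3/3.12.0, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.apache.commons/commons-lang3/3.4, Apache-2.0, approved, CQ9623
 maven/mavencentral/org.apache.groovy/groovy-bom/4.0.11, Apache-2.0, approved, #9266
 maven/mavencentral/org.apache.groovy/groovy-json/4.0.11, Apache-2.0, approved, #7411
 maven/mavencentral/org.apache.groovy/groovy-xml/4.0.11, Apache-2.0, approved, #10179
 maven/mavencentral/org.apache.groovy/groovy/4.0.11, Apache-2.0 AND BSD-3-Clause AND MIT, approved, #1742
 maven/mavencentral/org.apache.httpcomponents/httpclient/4.5.13, Apache-2.0 AND LicenseRef-Public-Domain, approved, CQ23527
 maven/mavencentral/org.apache.httpcomponents/httpcore/4.4.13, Apache-2.0, approved, CQ23528
-maven/mavencentral/org.apache.httpcomponents/httpcore/4.4.5, Apache-2.0, approved, CQ11716
 maven/mavencentral/org.apache.httpcomponents/httpmime/4.5.13, Apache-2.0, approved, CQ11718
 maven/mavencentral/org.apiguardian/apiguardian-api/1.1.2, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.assertj/assertj-core/3.23.1, Apache-2.0, approved, clearlydefined
@@ -367,11 +346,11 @@ maven/mavencentral/org.jacoco/org.jacoco.report/0.8.8, EPL-2.0 AND Apache-2.0, a
 maven/mavencentral/org.javassist/javassist/3.25.0-GA, MPL-1.1 OR LGPL-2.1-or-later OR Apache-2.0, approved, CQ19885
 maven/mavencentral/org.javassist/javassist/3.28.0-GA, Apache-2.0 OR LGPL-2.1-or-later OR MPL-1.1, approved, #327
 maven/mavencentral/org.javassist/javassist/3.29.2-GA, Apache-2.0 AND LGPL-2.1-or-later AND MPL-1.1, approved, #6023
-maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-common/1.6.20, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk7/1.6.20, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.6.10, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.6.20, Apache-2.0, approved, clearlydefined
-maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib/1.6.20, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-common/1.9.10, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk7/1.9.10, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.8.21, Apache-2.0, approved, #8919
+maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib-jdk8/1.9.10, Apache-2.0, approved, clearlydefined
+maven/mavencentral/org.jetbrains.kotlin/kotlin-stdlib/1.9.10, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.jetbrains/annotations/13.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.jetbrains/annotations/17.0.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.jetbrains/annotations/24.0.1, Apache-2.0, approved, #7417
@@ -391,7 +370,6 @@ maven/mavencentral/org.junit/junit-bom/5.10.0, EPL-2.0, approved, #9844
 maven/mavencentral/org.junit/junit-bom/5.9.2, EPL-2.0, approved, #4711
 maven/mavencentral/org.jvnet.mimepull/mimepull/1.9.15, CDDL-1.1 OR GPL-2.0-only WITH Classpath-exception-2.0, approved, CQ21484
 maven/mavencentral/org.mockito/mockito-core/5.2.0, MIT AND (Apache-2.0 AND MIT) AND Apache-2.0, approved, #7401
-maven/mavencentral/org.mockito/mockito-inline/5.2.0, MIT, approved, clearlydefined
 maven/mavencentral/org.objenesis/objenesis/3.3, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.opentest4j/opentest4j/1.2.0, Apache-2.0, approved, clearlydefined
 maven/mavencentral/org.opentest4j/opentest4j/1.3.0, Apache-2.0, approved, #9713
@@ -407,7 +385,6 @@ maven/mavencentral/org.postgresql/postgresql/42.6.0, BSD-2-Clause AND Apache-2.0
 maven/mavencentral/org.reactivestreams/reactive-streams/1.0.4, CC0-1.0, approved, CQ16332
 maven/mavencentral/org.reflections/reflections/0.10.2, Apache-2.0 AND WTFPL, approved, clearlydefined
 maven/mavencentral/org.rnorth.duct-tape/duct-tape/1.0.8, MIT, approved, clearlydefined
-maven/mavencentral/org.slf4j/slf4j-api/1.7.22, MIT, approved, CQ11943
 maven/mavencentral/org.slf4j/slf4j-api/1.7.25, MIT, approved, CQ13368
 maven/mavencentral/org.slf4j/slf4j-api/1.7.30, MIT, approved, CQ13368
 maven/mavencentral/org.slf4j/slf4j-api/1.7.35, MIT, approved, CQ13368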

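--- a/extensions/common/azure/azure-resource-manager/src/main/java/org/eclipse/edc/azure/resourcemanager/AzureResourceManagerExtension.java
+++ b/extensions/common/azure/azure-resource-manager/src/main/java/org/eclipse/edc/azure/resourcemanager/AzureResourceManagerExtension.java
@@ -23,32 +23,25 @@
 import org.eclipse.edc.runtime.metamodel.annotation.Provides;
 import org.eclipse.edc.spi.system.ServiceExtension;
 import org.eclipse.edc.spi.system.ServiceExtensionContext;
-import org.eclipse.edc.spi.system.SettingResolver;
-
-import java.util.Objects;
 
 /**
  * Provides Azure Identity SDK and Azure Resource Manager SDK objects configured based on runtime settings.
  */
-@Provides({ AzureEnvironment.class, TokenCredential.class, AzureProfile.class, AzureResourceManager.class })
+@Provides({AzureEnvironment.class, TokenCredential.class, AzureProfile.class, AzureResourceManager.class})
 @Extension(value = AzureResourceManagerExtension.NAME)
 public class AzureResourceManagerExtension implements ServiceExtension {
 
     public static final String NAME = "Azure Resource Manager";
 
-    private static String requiredSetting(SettingResolver context, String s) {
-        return Objects.requireNonNull(context.getSetting(s, null), s);
-    }
-
     @Override
     public String name() {
         return NAME;
     }
 
     @Override
     public void initialize(ServiceExtensionContext context) {
-        var tenantId = requiredSetting(context, "edc.azure.tenant.id");
-        var subscriptionId = requiredSetting(context, "edc.azure.subscription.id");
+        var tenantId = context.getConfig().getString("edc.azure.tenant.id");
+        var subscriptionId = context.getConfig().getString("edc.azure.subscription.id");
 
         // Detect credential source based on runtime environment, e.g. Azure CLI, environment variables
         var credential = new DefaultAzureCredentialBuilder().build();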
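Review bot: The two new `getString` lines in `initialize` read the setting keys as inline string literals, and the change drops the explicit `Objects.requireNonNull` that named the missing key in its failure message; whether `context.getConfig().getString(key)` still fails fast with the key name when the value is absent is not visible in this hunk and should be confirmed. Hoisting the keys into documented constants, e.g. `public static final String TENANT_ID_SETTING = "edc.azure.tenant.id";` and `public static final String SUBSCRIPTION_ID_SETTING = "edc.azure.subscription.id";`, would make the required settings visible to operators and let the class Javadoc list what the extension reads. The `initialize` method continues past the end of the hunk.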
Lines changed: 34 additions & 0 deletions
@@ -0,0 +1,34 @@
1+
# Azure Key Vault Extension
2+
3+
The extension provides a `Vault` implementation interfacing with an Azure Key Vault.
4+
5+
## Authentication
6+
7+
This extension connects to Azure Key Vault using the
8+
standard `AzureDefaultCredential`
9+
provided by the Azure Identity library. This generic credential fits most use-cases and will attempt to authenticate via
10+
a predefined chain of methods until one is successful. More details about the authentication methods used can be found
11+
in
12+
this [page]([DefaultAzureCredential](https://learn.microsoft.com/en-gb/java/api/com.azure.identity.defaultazurecredential?view=azure-java-stable)).
13+
14+
### Example 1: connect with Principal client id and a client secret (see [EnvironmentCredential](https://learn.microsoft.com/en-gb/java/api/com.azure.identity.environmentcredential?view=azure-java-stable))
15+
16+
The following environments variables must be set:
17+
18+
- `AZURE_CLIENT_ID`
19+
- `AZURE_CLIENT_SECRET`
20+
- `AZURE_TENANT_ID`
21+
-
22+
23+
### Example 2: connect with Principal client id and a client certificate (see [EnvironmentCredential](https://learn.microsoft.com/en-gb/java/api/com.azure.identity.environmentcredential?view=azure-java-stable))
24+
25+
The following environments variables must be set:
26+
27+
- `AZURE_CLIENT_ID`
28+
- `AZURE_CLIENT_CERTIFICATE_PATH`
29+
- `AZURE_CLIENT_CERTIFICATE_PASSWORD`
30+
- `AZURE_TENANT_ID`
31+
32+
33+
34+

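--- a/extensions/common/vault/vault-azure/build.gradle.kts
+++ b/extensions/common/vault/vault-azure/build.gradle.kts
@@ -20,16 +20,10 @@ plugins {
 dependencies {
     api(libs.edc.spi.core)
 
-    implementation(libs.edc.util)
     implementation(libs.azure.keyvault)
     implementation(libs.azure.identity)
-    implementation(libs.jakarta.rsApi)
 
-    testImplementation(libs.azure.mgmt.resources)
-    testImplementation(libs.azure.resourcemanager)
-    testImplementation(libs.azure.resourcemanager.keyvault)
-
-    testImplementation(libs.mockito.inline)
+    testImplementation(libs.edc.junit)
 }
 
 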
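--- a/extensions/common/vault/vault-azure/src/main/java/org/eclipse/edc/vault/azure/AzureVault.java
+++ b/extensions/common/vault/vault-azure/src/main/java/org/eclipse/edc/vault/azure/AzureVault.java
@@ -14,13 +14,9 @@
 
 package org.eclipse.edc.vault.azure;
 
-import com.azure.core.credential.TokenCredential;
 import com.azure.core.exception.ResourceNotFoundException;
 import com.azure.core.util.polling.SyncPoller;
-import com.azure.identity.ClientCertificateCredentialBuilder;
-import com.azure.identity.ClientSecretCredentialBuilder;
 import com.azure.security.keyvault.secrets.SecretClient;
-import com.azure.security.keyvault.secrets.SecretClientBuilder;
 import com.azure.security.keyvault.secrets.models.DeletedSecret;
 import org.eclipse.edc.spi.monitor.Monitor;
 import org.eclipse.edc.spi.result.Result;
@@ -50,34 +46,6 @@ public AzureVault(Monitor monitor, SecretClient secretClient) {
         this.secretClient = secretClient;
     }
 
-    public static AzureVault authenticateWithSecret(Monitor monitor, String clientId, String tenantId, String clientSecret, String keyVaultName) {
-        var credential = new ClientSecretCredentialBuilder()
-                .clientId(clientId)
-                .tenantId(tenantId)
-                .clientSecret(clientSecret)
-                .build();
-
-        return new AzureVault(monitor, createSecretClient(credential, keyVaultName));
-    }
-
-    public static AzureVault authenticateWithCertificate(Monitor monitor, String clientId, String tenantId, String certificatePath, String keyVaultName) {
-        var credential = new ClientCertificateCredentialBuilder()
-                .clientId(clientId)
-                .tenantId(tenantId)
-                .pfxCertificate(certificatePath, "")
-                .build();
-
-        return new AzureVault(monitor, createSecretClient(credential, keyVaultName));
-    }
-
-    @NotNull
-    private static SecretClient createSecretClient(TokenCredential credential, String keyVaultName) {
-        return new SecretClientBuilder()
-                .vaultUrl("https://" + keyVaultName + ".vault.azure.net")
-                .credential(credential)
-                .buildClient();
-    }
-
     @Override
     public @Nullable String resolveSecret(String key) {
         var sanitizedKey = sanitizeKey(key);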

extensions/common/vault/vault-azure/src/main/java/org/eclipse/edc/vault/azure/AzureVaultException.java

Lines changed: 0 additions & 21 deletions
This file was deleted.
