I'm deploying my java application in openshift project. I have created service account, but now I dont know how to obtain token for this account inside my java application, that relates to this account.
I'm using openshift java rest client v.6.1.1. My authorization looks like
Client client = new ClientBuilder(KEY_SERVER_URL).build();
client.getAuthorizationContext().setToken(System.getenv(TOKEN));
and it seems unsecure to pass token as environment variable.
Can you help me with obtaining AuthorizationContext using service account, related to this application?
The token for the service account is mounted inside the pod and can be read from /var/run/secrets/kubernetes.io/serviceaccount/token
Related
I am trying to connect to Azure KeyVault from my locally running Spring Boot Application. I can't keep those secrets to be saved in keyvault in different properties or yaml during dev, because my application will generate and delete so many secrets and tokens to be saved in keyvault in the run time.
I am aware of the process in which we can create an Azure service principal from your application registration. And use
azure.keyvault.client-id
azure.keyvault.client-key
in application.properties to connect.
But it may not be allowed to be created Azure service principal in our case. So is there any way to connect to key vault using MSI from locally running SpringBoot application.
using MSI_ENDPOINT
and MSI_SECRET
So is there any way to connect to key vault using MSI from locally running SpringBoot application.
using MSI_ENDPOINT and MSI_SECRET
I don't think you can use MSI_ENDPOINT and MSI_SECRET get the token in local, it just works when the web app published in the cloud.
But it may not be allowed to be created Azure service principal in our case.
As you know, you can use the service principal client id and secret(key) to access the keyvault. Actually, when enabling the MSI of the web app, it will create a service principal in your Azure AD tenant automatically. So you can just use the client id and secret of it.
Navigate to the portal -> Azure Active Directory -> Enterprise applications -> search for your web app name(select the Application Type with All Applications), then you get the client id(application id).
Note: Remember to check the object id of the service principal with that in your web app -> Identity, make sure you use the correct one.
For the service principal secret, you could create it via powershell like below(your account need the admin role Application administrator or Global administrator in your AAD tenant).
New-AzureADServicePrincipalPasswordCredential -ObjectId <service principal object id>
Then you will be able to access the keyvault with the client id and secret. For details in java, you can refer to this link.
You can't get it using those variables because locally there is no Azure AD Identity Registered on your local machine and as such Microsoft didn't build any MSI emulator so no variables will be set.
I can recommend what Microsoft did in their .NET library
Run Azure CLI and log in
In code check for variables and if they don't exist then run CLI command
az account get-access-token --resource 'https://vault.azure.net'
In CLI simply log into either principal or your account. Make sure to add this account/your account to KeyVault policy.
I know it's weird but I you can even check it HERE on their GitHub.
I might have an article that will help you in case you want more details
https://marczak.io/posts/2019/07/securing-websites-with-msi/
I am using google app engine and google datastore.
I am using the google library
com.google.cloud.datastore.Datastore
My sample code is:
Datastore datastore = DatastoreOptions.getDefaultInstance().getService();
Key taskKey = datastore.newKeyFactory().setKind(entityName).newKey(id);
//populate some fields....
datastore.put(task);
I am using spring-boot and jetty as a container.
On local, it is working properly and the data updated in the google datastore.
The issue is when im deploying the app to the google-app-engine, im getting the Below exception when i get to datastore.put method.
com.google.cloud.datastore.DatastoreException: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. See https://developers.google.com/identity/sign-in/web/devconsole-project.
com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.translate(HttpDatastoreRpc.java:129)
com.google.cloud.datastore.spi.v1.HttpDatastoreRpc.commit(HttpDatastoreRpc.java:155)
com.google.cloud.datastore.DatastoreImpl$4.call(DatastoreImpl.java:485)
Note: in both, on local environment and google-app-engine, i defined the environment variable GOOGLE_APPLICATION_CREDENTIALS that point to json file with all required credentials generated by google API.
According to the documentation for connecting to Datastore from App Engine in Java, there are several options available, so you can either go with Objectify (third party library), Datastore API or Datastore Client Library.
With the usage of Client Libraries, you must know that they make use of the Application Default Credentials, in such a way that, as documented, if the environment variable GOOGLE_APPLICATION_CREDENTIALS, ADC uses the default service account that App Engine provides for applications running over that service. So in your case, I think you should not define the environment variable, so that App Engine uses its default Service Account.
if you still struggling with com.google.cloud.datastore.DatastoreException: Request is missing required authentication credential. Expected OAuth 2 access token, login cookie or other valid authentication credential. you can set credentials explicitly, like it is shown in the example below:
Resource credentialsCyberpower = resourceLoader.getResource("classpath:yourservice-datastore-access.json");
GoogleCredentials credentials = GoogleCredentials.fromStream(credentialsCyberpower.getInputStream())
.createScoped(Lists.newArrayList("https://www.googleapis.com/auth/cloud-platform"));
DatastoreOptions options =
DatastoreOptions.newBuilder().setProjectId("XXXXXX").setCredentials(credentials).build();
Datastore datastore = options.getService();
ObjectifyService.init(new ObjectifyFactory(datastore));
generate yourservice-datastore-access.json in IAM service accounts. working with Objectify 6.0.5
If you are using <url-stream-handler>urlfetch</url-stream-handler> with Java8 and Objectify 6 you will have to switch into native and enable billing.
I was hit by this issue recently and spend a lot of time on fixing the problem, more info can be found here
Hey everyone:D I'd like to get json with lists of pods from openshift. I'm using :
Node[] nodes = template.getForObject("[url_address]/api/v1/nodes", Node[].class);
but its need authentication, so how to solve this problemm. Any idea??
The authorization requires a valid bearer token, default kubernetes client library should use service account mounted to pod to attempt to authenticate properly. It is likely that you either do not use the client lib that does that for you or have no proper serviceaccount bound to the pod (or SA has no access granted to required resources).
For that you may want to just add the access rights to the default account for this project.
https://docs.openshift.com/container-platform/3.3/admin_solutions/user_role_mgmt.html
I have a java web application(hosted in Linux) which speaks to a document management system which is a .NET based system via rest services. By default SSO Kerberos authentication is used in document system and for the same we are passing SSO Token to identify the user who accesses our application via web browser. This works fine and the document system is able to identify the user and allows user to upload document.
However we have a problem when a user who belongs to a different domain/AD tries to access the application. This is due to the external trust level between the environment document service is hosted and user environment. The document mgmt system supports NTLM authentication to handle this scenario and we were told that we need to pass credential object in the request. It appears there are easy ways for .NET client to extract user credential using CredentialCache object but I am struggling to find equivalent in Java.
I am trying to find out a way to pull the users windows credential so that I can set in the credentials object before i send the request to document system. Our application is SSO enabled, hence we dont want the user to explicitly pass his windows credential.
I want to know how to do authenticate for REST web service in java?
My supervisor want to get the format like amazon s3curl.
Everytime user request, they need to give id key and access key.
Which API should i used or for reference or sample code?
Amazon has an AWS SDK for Java that includes a sample S3 project, from which you could learn how they do authentication.