我正在开发一个用 Kotlin 和 Spring 编写的项目,在 Azure Kubernetes 服务 (AKS) 上执行,并且我使用该库
com.azure.spring:azure-spring-boot-starter-keyvault-certificates:3.14.0
并使用以下代码:
KeyStore.getInstance("AzureKeyVault").load(KeyVaultLoadStoreParameter(keyVaultUri)
检索 java.security.KeyStore
。
之前我使用的是 Azure AD Pod Identity 并且代码工作正常,但是当我切换到 Azure AD Workload Identity 时,我得到:
Caused by: java.lang.NullPointerException: Cannot invoke "com.azure.security.keyvault.jca.implementation.model.AccessToken.getAccessToken()" because "this.accessToken" is null
at com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessToken(KeyVaultClient.java:195) ~[azure-security-keyvault-jca-2.6.0.jar!/:2.6.0]
at com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAliases(KeyVaultClient.java:233) ~[azure-security-keyvault-jca-2.6.0.jar!/:2.6.0]
at com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificates(KeyVaultCertificates.java:142) ~[azure-security-keyvault-jca-2.6.0.jar!/:2.6.0]
at com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.refreshCertificatesIfNeeded(KeyVaultCertificates.java:130) ~[azure-security-keyvault-jca-2.6.0.jar!/:2.6.0]
at com.azure.security.keyvault.jca.implementation.certificates.KeyVaultCertificates.getCertificateKeys(KeyVaultCertificates.java:122) ~[azure-security-keyvault-jca-2.6.0.jar!/:2.6.0]
我还使用 Azure AD Workload Identity 依靠
WorkloadIdentityCredentialBuilder().build()
与 CosmosDB、ServiceBus 进行通信,一切正常。
我认为
com.azure.spring:azure-spring-boot-starter-keyvault-certificates:3.14.0
失败,因为使用 Azure AD Workload Identity 获取令牌的过程有些不同,但我不确定到底是什么导致了此问题。
为了从 Azure KeyVault 获取证书
java.security.KeyStore
,我最终使用了以下方法:
val secretClient = SecretClientBuilder()
.vaultUrl(keyVaultUrl)
.credential(DefaultAzureCredentialBuilder().build())
.buildClient()
val certificateWithKey = secretClient.getSecret(certificateName, null).value
val keyStore = KeyStore.getInstance("JKS")
keyStore.load(Base64.getDecoder().decode(certificateWithKey).inputStream(), "".toCharArray())