Azure Government KeyVault Provider Error with Service Principal Auth

[dauntlessXXI]

Describe the solution you'd like
To be able to use Service Principal auth for Azure Government. Managed Identity auth is deprecated and Workload Identity auth is in preview.

What is the added value?
Allows External Secrets operator to be used in Azure Gov.

Give us examples of the outcome
N/A

Observations (Constraints, Context, etc):

When creating a SecretStore with a vaultUrl of https://<vaultName>.vault.usgovcloudapi.net and a Azure Gov tenantId I get a "valid" status. However, when the ExternalSecret attempts to pull the secret I get the following error:

azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<redacted>.vault.usgovcloudapi.net/secrets/example-externalsecret-key/?api-version=2016-10-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"AADSTS900382: Confidential Client is not supported in Cross Cloud request.\r\nTrace ID: <redacted>\r\nCorrelation ID: <redacted>\r\nTimestamp: 2022-08-16 16:26:37Z","error_codes":[900382],"timestamp":"2022-08-16 16:26:37Z","trace_id":"<redacted>","correlation_id":"<redacted>"} Endpoint https://login.microsoftonline.com/<redacted>/oauth2/token?api-version=1.0

I think this is due at least in part to the endpoint being https://login.microsoftonline.com instead of https://login.microsoftonline.us. Is there anything I am missing to get this to work for Azure Gov? If not I hope this can be fixed as it is preventing us from migrating from KES to ESO.

[moolen]

Do you use workload identity? Could you please share your SecretStore?

First thought: either we have to change the Workload Identity URL (which is hard-coded for the time being) - or we have to supply the correct URL.

At a first glance that is probably here: https://github.com/external-secrets/external-secrets/blob/main/pkg/provider/azure/keyvault/keyvault.go#L559-L560 by specifying the AADEndpoint.

[dauntlessXXI]

@moolen Workload Identity is not an option for Azure Gov because it requires OIDC Issuer which is in preview https://docs.microsoft.com/en-us/azure/aks/cluster-configuration#oidc-issuer-preview.

I am experiencing this issue when using Service Principal auth, mostly following the steps from this guide https://blog.container-solutions.com/tutorial-external-secrets-with-azure-keyvault.

Here is the SecretStore and ExternalSecret

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-backend
spec:
  provider:
    azurekv:
      tenantId: <redacted>
      vaultUrl: "https://<redacted>.vault.usgovcloudapi.net/"
      authSecretRef:
        clientId:
          name: azure-secret-sp
          key: ClientID
        clientSecret:
          name: azure-secret-sp
          key: ClientSecret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: azure-example
spec:
  refreshInterval: 1m
  secretStoreRef:
    kind: SecretStore
    name: azure-backend
  target:
    name: azure-secret
  data:
  - secretKey: foobar
    remoteRef:
      key: example-externalsecret-key

[dauntlessXXI]

I have also tested with Managed Identity auth. Unfortunately there is a similar issue where it doesn't appear Azure Gov is supported.

SecretStore:

apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: azure-backend
spec:
  provider:
    azurekv:
      authType: ManagedIdentity
      tenantId: "<redacted>"
      identityId: "<redacted>"
      vaultUrl: "https://<redacted>.vault.usgovcloudapi.net/"

Error:

keyvault.BaseClient#GetSecret: Failure responding to request: StatusCode=401 -- Original Error: autorest/azure: Service returned an error. Status=401 Code="Unauthorized" Message="AKV10022: Invalid audience. Expected https://vault.usgovcloudapi.net, found: https://vault.azure.net."

[moolen]

Thanks for that info! I'm working on a fix 👆 . Tho i don't think i can't test this as i'm not eligible for an USGov subscription. @gusfcarvalho do you have access to a USGov testing environment?

or cloud you @dauntlessXXI assist with testing?

[dauntlessXXI]

@moolen how can I test this prior to it being packaged to a release? Or can we get it packaged to a release?

I clone the repository, run make helm.build, then do a helm install of the chart that was created in the bin directory. The --set installCRDs=true did not seem to work so I did a kubectl apply -f deploy/crds/bundle.yaml to get the CRDs. After doing all this and setting environmentType: USGovernmentCloud in the SecretStore I still get the original issues. Is there something I am missing to be able to test this from the main branch?

[moolen]

Hey, we have docs here on how to run the latest image: https://external-secrets.io/v0.5.9/guides-using-latest-image/

Let me know if that helps.

[dauntlessXXI]

Was able to confirm the fix using the above method. Thanks @moolen