how to retrieve secrets from azure vault using java 5? - java

I have to retrieve secrets from Azure Vault but my app uses jdk 5. This is a problem because the azure libraries used and described in Microsoft docs require at minimum jdk 8 and upgrading the jdk is not an option.
The client's architect says that I can consume some vault API and use Bouncy Castle's TLS API to achieve this, but I'm not sure what he is talking about.
This sounds too low level. I'm asking for guidance, some superfluous explanation can get me going. How can I obtain secrets using Java 5?

As the architect says, you could retrieve a secret from Key Vault by Key Vault REST API instead of azure libraries.
GET https://{yourvault}.vault.azure.net/secrets?api-version=7.1
This API is used to list secrets in a specified key vault. And you could get a specified secret from a given key vault by this link.
First, get access_token with Post via ApacheHttpClient.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client_id={your-client-id}
&scope=https%3A%2F%2Fvault.azure.net%2F.default
&client_secret={your-client-secret}
&grant_type=client_credentials
Then, call the REST API with Get via ApacheHttpClient.
GET https://{yourvault}.vault.azure.net/secrets?api-version=7.1
Authorization: Bearer {access_token}
I tried this with Postman, and it works well. You could use HttpClient to obtain secrets from Java.
Note:
Navigate to Azure Portal > Key vaults > your_key_vault > Access policies > Add Access Policy. In secret permissions field, select desired permissions and Select Principal section, select the application that you are using to access the secret.
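A Java 5-compatible version of the two requests in this answer, added here as an example (it is not code from the original post): it obtains the token with the client-credentials grant and then reads one named secret. It uses only java.net.HttpURLConnection and java.util.regex, because Java 5 ships no JSON parser; the tenant, client id, client secret, vault name and secret name are placeholders. One caveat the answer leaves out, and the thing the architect's remark about Bouncy Castle's TLS API points at: the JSSE shipped with Java 5 negotiates at most TLS 1.0, while login.microsoftonline.com and *.vault.azure.net require TLS 1.2 today, so the TLS layer beneath HttpURLConnection has to come from a provider such as Bouncy Castle's. That wiring is environment specific and is not shown here.

```java
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.net.HttpURLConnection;
import java.net.URL;
import java.net.URLEncoder;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/**
 * Added example (not from the original post): reads one Key Vault secret using only
 * classes that exist in Java 5. Tenant, client id/secret, vault and secret names are
 * placeholders supplied by the caller.
 */
public class KeyVaultJava5Client {

    private static final String VAULT_SCOPE = "https://vault.azure.net/.default";

    // Minimal extraction of a string field from a flat JSON object. Java 5 has no JSON
    // parser in the JDK, so a regex stands in for a library. Backslash escapes inside the
    // value are left as-is; access tokens and ordinary secret values contain none.
    static String jsonString(String json, String field) {
        Pattern p = Pattern.compile("\"" + Pattern.quote(field)
                + "\"\\s*:\\s*\"((?:[^\"\\\\]|\\\\.)*)\"");
        Matcher m = p.matcher(json);
        if (!m.find()) {
            throw new IllegalStateException("field '" + field + "' not found in response");
        }
        return m.group(1);
    }

    // Drain a response body; getErrorStream() may be null, so treat that as an empty body.
    static String readAll(InputStream in) throws Exception {
        if (in == null) {
            return "";
        }
        BufferedReader r = new BufferedReader(new InputStreamReader(in, "UTF-8"));
        StringBuffer sb = new StringBuffer();
        String line;
        while ((line = r.readLine()) != null) {
            sb.append(line);
        }
        r.close();
        return sb.toString();
    }

    // Client-credentials grant against the v2.0 token endpoint (the POST shown in the answer).
    static String getAccessToken(String tenant, String clientId, String clientSecret) throws Exception {
        String body = "client_id=" + URLEncoder.encode(clientId, "UTF-8")
                + "&scope=" + URLEncoder.encode(VAULT_SCOPE, "UTF-8")
                + "&client_secret=" + URLEncoder.encode(clientSecret, "UTF-8")
                + "&grant_type=client_credentials";
        URL url = new URL("https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token");
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod("POST");
        c.setDoOutput(true);
        c.setRequestProperty("Content-Type", "application/x-www-form-urlencoded");
        OutputStream out = c.getOutputStream();
        out.write(body.getBytes("UTF-8"));
        out.close();
        if (c.getResponseCode() != 200) {
            throw new IllegalStateException("token request failed: HTTP " + c.getResponseCode()
                    + " " + readAll(c.getErrorStream()));
        }
        return jsonString(readAll(c.getInputStream()), "access_token");
    }

    // GET https://{vault}.vault.azure.net/secrets/{name}?api-version=7.1 (the GET shown in
    // the answer, narrowed to one secret); the plaintext is returned in the "value" field.
    static String getSecret(String vaultName, String secretName, String accessToken) throws Exception {
        URL url = new URL("https://" + vaultName + ".vault.azure.net/secrets/"
                + URLEncoder.encode(secretName, "UTF-8") + "?api-version=7.1");
        HttpURLConnection c = (HttpURLConnection) url.openConnection();
        c.setRequestMethod("GET");
        c.setRequestProperty("Authorization", "Bearer " + accessToken);
        if (c.getResponseCode() != 200) {
            throw new IllegalStateException("secret request failed: HTTP " + c.getResponseCode()
                    + " " + readAll(c.getErrorStream()));
        }
        return jsonString(readAll(c.getInputStream()), "value");
    }

    public static void main(String[] args) throws Exception {
        // Placeholders, not real identifiers.
        String token = getAccessToken("<tenant-id>", "<client-id>", "<client-secret>");
        String value = getSecret("<vault-name>", "<secret-name>", token);
        System.out.println("secret length: " + value.length()); // never log the value itself
    }
}
```

The client secret used to obtain the token is itself a credential the application must hold, so it belongs in a file with restrictive permissions or an injected environment variable, not in source. The access policy step in the note above is what lets this service principal read the secret at all; grant it only the "Get" secret permission if listing is not needed.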

Related

How to make http(s) url connection using crt and pkcs8_key - java

I would like to connect to Azure AD using client certificate - not id and secret
The certificate is in a folder, not in the key store
We have some limitations, so cant use msal4j.
So looking to create a token like - get Access Token from Azure AD Java
but using a certificate
Please can anyone tell - how to create token using http connection api?
You could use client credentials flow with client certificate.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
scope=https://graph.microsoft.com/.default
&client_id=<client_id>
&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer
&client_assertion=<An assertion (a JSON web token)>
&grant_type=client_credentials
Client assertions can be used anywhere a client secret would be used. You can replace client_secret with client_assertion and client_assertion_type parameters. You could refer to the code sample with java.
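Building the client_assertion this answer refers to, added here as an example rather than code from the original post or from Microsoft's sample: it loads the certificate and an unencrypted PKCS#8 private key from files (as the question describes, no key store involved), signs a short-lived RS256 JWT whose audience is the token endpoint and whose x5t header carries the certificate's base64url SHA-1 thumbprint, and assembles the form body shown above. File paths, tenant and client id are placeholders; the POST itself is an ordinary HttpURLConnection call and is not repeated here.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Base64;
import java.util.UUID;

/** Added example: signed JWT client assertion for the client-credentials grant (Java 8+). */
public class ClientAssertionBuilder {

    private static final Base64.Encoder B64URL = Base64.getUrlEncoder().withoutPadding();

    // Strip PEM armour and decode the unencrypted PKCS#8 body ("-----BEGIN PRIVATE KEY-----").
    // An encrypted key (BEGIN ENCRYPTED PRIVATE KEY) would need to be decrypted first.
    static PrivateKey loadPkcs8PrivateKey(String pemPath) throws Exception {
        String pem = new String(Files.readAllBytes(Paths.get(pemPath)), StandardCharsets.US_ASCII)
                .replace("-----BEGIN PRIVATE KEY-----", "")
                .replace("-----END PRIVATE KEY-----", "")
                .replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(pem);
        return KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    static X509Certificate loadCertificate(String crtPath) throws Exception {
        try (InputStream in = new FileInputStream(crtPath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    // Azure AD matches the assertion to the registered certificate through the "x5t" header,
    // the base64url SHA-1 thumbprint of the DER certificate; "aud" is the token endpoint itself.
    static String buildClientAssertion(String tenant, String clientId, X509Certificate cert,
                                       PrivateKey key, long nowEpochSeconds) throws Exception {
        String thumbprint = B64URL.encodeToString(
                MessageDigest.getInstance("SHA-1").digest(cert.getEncoded()));
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\",\"x5t\":\"" + thumbprint + "\"}";
        String audience = "https://login.microsoftonline.com/" + tenant + "/oauth2/v2.0/token";
        String payload = "{"
                + "\"aud\":\"" + audience + "\","
                + "\"iss\":\"" + clientId + "\","
                + "\"sub\":\"" + clientId + "\","
                + "\"jti\":\"" + UUID.randomUUID() + "\","
                + "\"nbf\":" + nowEpochSeconds + ","
                + "\"exp\":" + (nowEpochSeconds + 600)   // 10 minutes: the assertion is single use
                + "}";
        String signingInput = b64url(header) + "." + b64url(payload);
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL.encodeToString(sig.sign());
    }

    private static String b64url(String s) {
        return B64URL.encodeToString(s.getBytes(StandardCharsets.UTF_8));
    }

    // The form body from the answer above, URL-encoded; POST it to the token endpoint.
    static String tokenRequestBody(String clientId, String assertion, String scope) throws Exception {
        return "scope=" + URLEncoder.encode(scope, "UTF-8")
                + "&client_id=" + URLEncoder.encode(clientId, "UTF-8")
                + "&client_assertion_type="
                + URLEncoder.encode("urn:ietf:params:oauth:client-assertion-type:jwt-bearer", "UTF-8")
                + "&client_assertion=" + URLEncoder.encode(assertion, "UTF-8")
                + "&grant_type=client_credentials";
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical paths and identifiers.
        X509Certificate cert = loadCertificate("/path/to/app.crt");
        PrivateKey key = loadPkcs8PrivateKey("/path/to/app_pkcs8.pem");
        String assertion = buildClientAssertion("<tenant-id>", "<client-id>", cert, key,
                System.currentTimeMillis() / 1000);
        String body = tokenRequestBody("<client-id>", assertion, "https://graph.microsoft.com/.default");
        System.out.println("form body ready, " + body.length() + " bytes");
    }
}
```

Because the private key never leaves the host and the assertion expires within minutes, an intercepted token request is worth far less than a leaked client_secret would be; the file holding the PKCS#8 key still needs the same file-permission discipline a secret would.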

How should I implement key rotation for my AWS credentials in prod environment?

I'm looking at the below link which explains how to use AWS API to send emails. How would the below example work in prod environment since AWS access key ID and AWS secret access key added to the credential file would expire after some time.
https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-using-sdk-java.html
I can see how AWS SES SMTP can be used to send emails since the credentials don't change can be saved in a file on a server but unsure how SES API in the above link can be used.
Store your AWS credentials in Secrets Manager and automate the key rotation using SNS + Lambda, from there you could send the newly updated keys to your application through an endpoint.
Use this guide from the AWS Documentation as a somewhat relevant source of what you're trying to accomplish:
https://docs.aws.amazon.com/prescriptive-guidance/latest/patterns/automatically-rotate-iam-user-access-keys.html

Embedding AWS IAM credentials in the code with the Java SDK

I am using the Java AWS IoT SDK, and I'm stuck with a problem whereby I have to embed my AWS IAM access key and secret key credentials into my Java application code on my devices.
The credentials are just used initially to create the client in my code, then X.509 certificates are used after for the MQTT authentication and communication.
I've heard of a way to avoid the need of embedding IAM credentials in the code by using AWSCredentialsProvider with tokens etc. However, I don't see any actual examples of how to achieve this without embedding credentials. Below is a snippet of my code showing how I create the client object using the credentials. Thanks.
String AWS_ACCESSKEY = "AKXXXXXXXXXXXXX"; // not real key
String AWS_SECRETKEY = "ABCXXXXXXXXXXXXXXXXXXXXXX"; // not real key
Regions AWS_REGION = Regions.US_EAST_2;
AWSIot client = AWSIotClientBuilder.standard().withCredentials(new AWSStaticCredentialsProvider(new
BasicAWSCredentials(AWS_ACCESSKEY, AWS_SECRETKEY))).withRegion(AWS_REGION).build();
You can pass these credentials to the normal application.properties file.
You just need to do 2 things.
Create a public class AwsCredentials with the annotations @ConfigurationProperties and @Configuration.
Pass your access key and secret to the application.properties file.
You can read more in this tutorial : click
Next, when you want to use these properties in the builder you need to call it like this:
AWSIot client = AWSIotClientBuilder.standard()
.withCredentials(
new AWSStaticCredentialsProvider(
new BasicAWSCredentials(
this.awsCredentials.getAccessKey(),
this.awsCredentials.getSecretKey()
)
)
)
.withRegion(AWS_REGION)
.build();
PS. You can export region to properties too.
You can use temporary security credentials instead of actual access keys. Do check this link.
https://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html
To get credentials to access AWS IoT (or other services) you could get temporary security credentials from a Cognito Identity Pool. You can find the simplest way and the steps needed to get credentials here.
Also consider that, to get an idToken (JWT) from a Cognito user pool and then an access key and secret token from the Cognito Identity pool, you need to use the AWS Java SDK in your mobile or desktop application. You can find more information about the AWS Java SDK here and some samples here, here.
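Both of the preceding questions come down to the same thing: the application should not hold a fixed access key pair, and whatever it does hold must be replaceable without a redeploy. The following AWSCredentialsProvider, added here as an example (not code from either answer, the AWS SDK or the linked rotation pattern), re-reads an IAM user's key pair from Secrets Manager on a fixed interval, so a rotation performed by the Lambda in the AWS pattern becomes visible to the running process; it can be passed to AWSIotClientBuilder or the SES client builder in place of AWSStaticCredentialsProvider. It assumes AWS SDK for Java v1 with its bundled Jackson, and a secret whose JSON layout is {"AccessKeyId": ..., "SecretAccessKey": ...} (a hypothetical layout; the rotation Lambda decides the real one). The secret id and interval are placeholders.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.secretsmanager.AWSSecretsManager;
import com.amazonaws.services.secretsmanager.AWSSecretsManagerClientBuilder;
import com.amazonaws.services.secretsmanager.model.GetSecretValueRequest;
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;

/**
 * Added example: an AWSCredentialsProvider that re-reads an IAM access key pair from
 * Secrets Manager every refreshInterval, so keys rotated by Lambda are picked up without
 * a restart. Secret layout {"AccessKeyId": "...", "SecretAccessKey": "..."} is assumed.
 */
public class SecretsManagerCredentialsProvider implements AWSCredentialsProvider {

    private final AWSSecretsManager secretsManager;
    private final String secretId;
    private final long refreshIntervalMillis;
    private final ObjectMapper mapper = new ObjectMapper();

    private volatile AWSCredentials cached;
    private volatile long loadedAt;

    public SecretsManagerCredentialsProvider(AWSSecretsManager secretsManager, String secretId,
                                             long refreshIntervalMillis) {
        this.secretsManager = secretsManager;
        this.secretId = secretId;
        this.refreshIntervalMillis = refreshIntervalMillis;
    }

    // The SDK calls this before every request; only hit Secrets Manager when the cache is stale.
    @Override
    public AWSCredentials getCredentials() {
        if (cached == null || System.currentTimeMillis() - loadedAt > refreshIntervalMillis) {
            refresh();
        }
        return cached;
    }

    // Reload from Secrets Manager. Synchronized so concurrent SDK threads share one fetch.
    @Override
    public synchronized void refresh() {
        String json = secretsManager.getSecretValue(
                new GetSecretValueRequest().withSecretId(secretId)).getSecretString();
        cached = parse(json);
        loadedAt = System.currentTimeMillis();
    }

    // Parsing is separated from the network call so it can be unit-tested offline.
    AWSCredentials parse(String secretJson) {
        try {
            JsonNode node = mapper.readTree(secretJson);
            JsonNode id = node.get("AccessKeyId");
            JsonNode secret = node.get("SecretAccessKey");
            if (id == null || secret == null) {
                throw new IllegalStateException("secret " + secretId
                        + " lacks AccessKeyId/SecretAccessKey");
            }
            return new BasicAWSCredentials(id.asText(), secret.asText());
        } catch (java.io.IOException e) {
            throw new IllegalStateException("secret " + secretId + " is not valid JSON", e);
        }
    }

    public static void main(String[] args) {
        // The Secrets Manager client authenticates through the default provider chain
        // (instance profile, container task role or environment), so nothing is embedded.
        AWSSecretsManager sm = AWSSecretsManagerClientBuilder.defaultClient();
        AWSCredentialsProvider provider = new SecretsManagerCredentialsProvider(
                sm, "prod/app/iam-user-keys", 5 * 60 * 1000L);   // placeholder id, 5-minute cache
        // Use it wherever AWSStaticCredentialsProvider appeared, for example:
        //   AWSIotClientBuilder.standard().withCredentials(provider).withRegion(region).build();
        System.out.println("loaded key id of length "
                + provider.getCredentials().getAWSAccessKeyId().length());
    }
}
```

Two practical points. The refresh interval must be shorter than the window in which the rotation Lambda keeps the previous key active, otherwise requests fail between deactivation and the next reload. And if the application already runs on EC2, ECS or Lambda, the default provider chain that the Secrets Manager client uses here can authenticate the IoT or SES client directly through the instance or task role, which removes the IAM user key pair, and the rotation problem, altogether.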

Is there MFA AWS s3 sdk for java?

I'm writing this post to ask for assistance with the AWS S3 SDK. I can't find any example of how to approach MFA with the Java SDK. In the web console I'm using a security token for login, then switching role. In the terminal I'm using saml2aws for credentials for one hour. Not sure how to approach this?
The Java SDK for AWS supports temporary credentials obtained from the Security Token Service. They can be stored, for example, in your .aws/credentials file or as environment variables.
You can obtain temporary credentials using a long-term aws_access_key_id/aws_secret_access_key pair and the AWS CLI. For example:
My .aws/credentials file looks like this:
[long-term]
aws_access_key_id=<VALID_AWS_ACCESS_KEY_ID>
aws_secret_access_key=<VALID_AWS_SECRET_ACCESS_KEY>
And I obtain a new set of temporary credentials by running:
$ aws sts get-session-token --profile long-term --serial-number <MFA_DEVICE_ARN> --token-code <MFA_TOKEN>
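The same exchange done from inside the application rather than the CLI, added here as an example (not code from the answer or the AWS SDK): GetSessionToken is the direct equivalent of the command above, and AssumeRole with the MFA serial and code is the equivalent of the console's "switch role" for a role whose trust or permission policy demands aws:MultiFactorAuthPresent. The long-term keys are read from the [long-term] profile the answer shows; the role ARN, MFA device ARN and region are placeholders, and the TOTP code is taken from the command line.

```java
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;

/** Added example: MFA-protected temporary credentials for S3 via STS (AWS SDK for Java v1). */
public class MfaS3Access {

    // Equivalent of `aws sts get-session-token --serial-number ... --token-code ...`.
    // The resulting session carries the MFA context, so policies keyed on
    // aws:MultiFactorAuthPresent accept it.
    static Credentials sessionWithMfa(AWSSecurityTokenService sts, String mfaDeviceArn, String totpCode) {
        return sts.getSessionToken(new GetSessionTokenRequest()
                .withSerialNumber(mfaDeviceArn)
                .withTokenCode(totpCode)
                .withDurationSeconds(3600)).getCredentials();
    }

    // Console "switch role" equivalent: AssumeRole accepts the MFA serial and code directly.
    static Credentials assumeRoleWithMfa(AWSSecurityTokenService sts, String roleArn,
                                         String mfaDeviceArn, String totpCode) {
        return sts.assumeRole(new AssumeRoleRequest()
                .withRoleArn(roleArn)
                .withRoleSessionName("mfa-s3-session")
                .withSerialNumber(mfaDeviceArn)
                .withTokenCode(totpCode)
                .withDurationSeconds(3600)).getCredentials();
    }

    // Wrap the three temporary values in BasicSessionCredentials; the session token is mandatory.
    static AmazonS3 s3From(Credentials temp, String region) {
        BasicSessionCredentials session = new BasicSessionCredentials(
                temp.getAccessKeyId(), temp.getSecretAccessKey(), temp.getSessionToken());
        return AmazonS3ClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(session))
                .withRegion(region)
                .build();
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: MfaS3Access <six-digit MFA code>");
            System.exit(2);
        }
        // Long-term keys come from the [long-term] profile in ~/.aws/credentials, as in the answer.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(new ProfileCredentialsProvider("long-term"))
                .withRegion("us-east-1")                         // assumed region
                .build();
        // Placeholder ARNs; the account id and names are not real.
        Credentials temp = assumeRoleWithMfa(sts,
                "arn:aws:iam::123456789012:role/<role-name>",
                "arn:aws:iam::123456789012:mfa/<user-name>",
                args[0]);
        AmazonS3 s3 = s3From(temp, "us-east-1");
        System.out.println(s3.listBuckets().size() + " buckets visible; session expires at "
                + temp.getExpiration());
    }
}
```

The temporary credentials expire at the time STS reports in getExpiration(), after which the S3 client starts failing with an expired-token error; a long-running process should either re-prompt for a fresh MFA code at that point or use the session credentials from sessionWithMfa() to seed an STSAssumeRoleSessionCredentialsProvider, which renews the role session by itself for as long as the MFA session lasts.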

Trying to write a java code to authenticate Graph API

I'm trying to write a java code to authenticate the graph API by the Azure Access Control Service (ACS) using OAuth 2.0.
Based on what I've read, there are four steps to this:
Generate an assertion which includes the Service Principal’s X.509 Certificate (alternatively, a symmetric key can also be used).
Present the assertion to the Azure ACS Security Token Service (STS).
ACS accepts the assertion and authenticates the Service Principal, returning a minted OAuth access token (i.e. JWT token).
Subsequent API call submissions include the access token.
Can anyone tell me where I should begin? For example, where can I find the Java API, and how do I generate a symmetric key or an assertion with an X.509 cert? I want to create a Java app which will create users in Office 365, and authenticating is the initial step. Thanks for the help.
I think you would need to start from here:
How to Authenticate Web Users with Windows Azure Access Control Service Using Eclipse - This example uses Windows Live ID for the identity provider, a similar technique could be used for other identity providers as applicable.
Once your Java-based code is authenticating users successfully, you can go ahead and implement further to connect with other providers.