Autowiring KeyClient with Spring Cloud Azure


I have set up a Spring Cloud Azure application. I use both secrets and keys in my Azure Key Vault. I started with integrating secrets and followed https://spring.io/projects/spring-cloud-azure, which allows me to autowire a SecretClient with only the following in my application configuration properties YAML:

spring:
  cloud:
    azure:
      keyvault:
        secret:
          endpoint:

I got it set up and working pretty smoothly.

Then I moved on to KeyClient, thinking that I could reuse some of this setup, but I couldn't find anything similar, even in the source code.

Does that mean I still have to include all the other config props like client ID, client secret, etc.? It seems that I will end up having to implement everything under "Without Spring Cloud Azure" AND everything under "With Spring Cloud Azure", when I could just do the former, which is necessary for KeyClient anyway. Please correct me if I'm wrong. Thanks!

1 answer

Dasari Kamali:

I tried the following Spring Boot code using KeyClient to retrieve the key from the Azure Key Vault.

Code :

KeyVaultKeyServices :

import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.models.JsonWebKey;
import com.azure.security.keyvault.keys.models.KeyVaultKey;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.stereotype.Service;

@Service
public class KeyVaultKeyServices {

    private final KeyClient keyClient;
    private final String keyName;

    // Build the client once at startup instead of on every request.
    // DefaultAzureCredential resolves the identity from the environment
    // (env vars, managed identity, Azure CLI login, ...), so no client id
    // or client secret has to be placed in application.yml.
    public KeyVaultKeyServices(@Value("${azure.keyvault.uri}") String keyVaultUri,
                               @Value("${azure.keyvault.key.name}") String keyName) {
        this.keyName = keyName;
        this.keyClient = new KeyClientBuilder()
                .vaultUrl(keyVaultUri)
                .credential(new DefaultAzureCredentialBuilder().build())
                .buildClient();
    }

    public String getKey() {
        try {
            // getKey needs the "keys/get" permission. For RSA and EC keys the
            // returned JWK carries only the public portion; the private key
            // never leaves the vault.
            KeyVaultKey keyVaultKey = keyClient.getKey(keyName);
            JsonWebKey jsonWebKey = keyVaultKey.getKey();

            return jsonWebKey.toString();
        } catch (Exception e) {
            // Returned straight to the HTTP caller by the controller below,
            // so the exception text (vault URL, tenant, auth failure detail)
            // is exposed to whoever can reach the endpoint.
            return "Error retrieving key: " + e.getMessage();
        }
    }
}

KeyController :

import com.example.demo.service.KeyVaultKeyServices;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
@RequestMapping("/api")
public class KeyController {

    private final KeyVaultKeyServices keyVaultKeyServices;

    @Autowired
    public KeyController(KeyVaultKeyServices keyVaultKeyServices) {
        this.keyVaultKeyServices = keyVaultKeyServices;
    }

    @GetMapping("/key")
    public String getKey() {
        return keyVaultKeyServices.getKey();
    }
}

application.yml :

azure:
  keyvault:
    uri: https://<keyvault_name>.vault.azure.net/
    key:
      name: <key_name>

I granted the necessary permissions to read the key from the Azure Key Vault as follows:

(screenshot of the Key Vault permission assignment omitted)

Output :

The Spring Boot project ran successfully, as shown below:

(screenshot of the application start-up log omitted)

I retrieved the key from the Azure Key Vault in the browser, as below.

http://localhost:8080/api/key

(screenshots of the browser response omitted)
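A way to get the KeyClient as a single Spring bean, so the credential setup is written once rather than inside each service, and to actually use the key for signing and verification without the key material ever being pulled out of the vault (the whole reason to hold it as a Key Vault key instead of a secret). This is an added example, not code from the question, the answer above, or the Spring Cloud Azure project. It reuses the `azure.keyvault.uri` and `azure.keyvault.key.name` property names from the answer, builds its own `DefaultAzureCredential` bean (if a Spring Cloud Azure starter already contributes a `TokenCredential` bean in your setup, inject that instead of declaring this one), and assumes the named key is an RSA key so that RS256 applies. `SigningService` and `KeyVaultKeyConfig` are names chosen here for illustration.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.DefaultAzureCredentialBuilder;
import com.azure.security.keyvault.keys.KeyClient;
import com.azure.security.keyvault.keys.KeyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.CryptographyClient;
import com.azure.security.keyvault.keys.cryptography.CryptographyClientBuilder;
import com.azure.security.keyvault.keys.cryptography.models.SignResult;
import com.azure.security.keyvault.keys.cryptography.models.SignatureAlgorithm;
import com.azure.security.keyvault.keys.cryptography.models.VerifyResult;
import com.azure.security.keyvault.keys.models.KeyVaultKey;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Service;

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical configuration class (name chosen for this example).
@Configuration
class KeyVaultKeyConfig {

    // One credential for the application. Identity comes from the environment
    // (managed identity, env vars, Azure CLI), never from application.yml.
    @Bean
    TokenCredential azureCredential() {
        return new DefaultAzureCredentialBuilder().build();
    }

    // One KeyClient for the vault; services inject it instead of building their own.
    @Bean
    KeyClient keyClient(@Value("${azure.keyvault.uri}") String vaultUrl,
                        TokenCredential credential) {
        return new KeyClientBuilder()
                .vaultUrl(vaultUrl)
                .credential(credential)
                .buildClient();
    }

    // CryptographyClient pinned to the current version of one key. Its id is the
    // full https://<vault>/keys/<name>/<version> identifier, so a later key
    // rotation does not silently change which key signs.
    @Bean
    CryptographyClient cryptographyClient(KeyClient keyClient,
                                         @Value("${azure.keyvault.key.name}") String keyName,
                                         TokenCredential credential) {
        KeyVaultKey key = keyClient.getKey(keyName);   // needs keys/get
        return new CryptographyClientBuilder()
                .keyIdentifier(key.getId())
                .credential(credential)
                .buildClient();
    }
}

// Hypothetical service (name chosen for this example). Signs and verifies with
// the vault-held key; only digests and signatures cross the wire.
@Service
class SigningService {

    private final CryptographyClient crypto;

    SigningService(CryptographyClient crypto) {
        this.crypto = crypto;
    }

    // RS256 = RSASSA-PKCS1-v1_5 over a SHA-256 digest, which the caller computes
    // locally; Key Vault signs the digest (needs keys/sign).
    public byte[] sign(byte[] payload) {
        SignResult result = crypto.sign(SignatureAlgorithm.RS256, sha256(payload));
        return result.getSignature();
    }

    // Round-trips to the vault for verification (needs keys/verify). Because the
    // public half of an RSA key is returned by getKey, verification could also be
    // done offline with java.security.Signature and no vault permission at all.
    public boolean verify(byte[] payload, byte[] signature) {
        VerifyResult result = crypto.verify(SignatureAlgorithm.RS256, sha256(payload), signature);
        return result.isValid();
    }

    private static byte[] sha256(byte[] data) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(data);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }
}
```

With the RBAC permission model, the "Key Vault Crypto User" role on the vault covers get, sign and verify for this identity; with the older access-policy model, grant the Get, Sign and Verify key permissions rather than the broader set. Either way the application identity never receives the private key, which is the property the answer's `/api/key` endpoint does not demonstrate (it returns the JWK, i.e. the public material, to any caller that can reach the port).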