Retrieval of secrets in Azure App Service from Hashicorp Vault using Managed Identity | Missing Role - Error

Hashicorp Vault is the native product of our organization and is a widely used and recommended approach for storing all the key-value pairs or any secrets. Any applications that are deployed on Azure too must store/retrieve the token from Hashicorp Vault and not from the Azure Key Vault. I provided this information just to add a bit of background to the requirement.

Now coming to the actual problem, I deployed the dotnet application on Azure App Service, enabled the system-managed identity, and was able to successfully retrieve the JWT token.

As per the flow which I understood by reading the documentation, it says, first retrieve the application token deployed on Azure having System Managed Identity enabled. Once this is done, pass this token for validation to Vault which gets it validated using OIDC from AAD. On successful validation, I will be given back the Vault token which can be used to fetch the secrets from Vault.

To perform these steps, configuration is required on the Vault side, for which I performed all the steps below on the Vault server installed on my Windows local machine:-

Command line operation

  1. Start the Vault server

  2. Open the other command prompt and set the environment variables
    set VAULT_ADDR=http://127.0.0.1:8200
    set VAULT_TOKEN=s.iDdVbLKPCzmqF2z0RiXPMxLk

  3. vault auth enable jwt

  4. vault write auth/jwt/config
    oidc_discovery_url=https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/
    bound_issuer=https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/

  5. vault read auth/jwt/config

  6. Create a role (webapp-role) by using the command

curl --header "X-Vault-Token: %VAULT_TOKEN%" --insecure --request POST --data @C:\Users\48013\source\repos\HashVaultAzure\Vault-files\payload.json %VAULT_ADDR%/v1/auth/jwt/role/webapp-role

payload.json:

{
  "bound_audiences": "https://management.azure.com/",
  "bound_claims": {
    "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
    "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/"
  },
  "bound_subject": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "claim_mappings": {
    "appid": "application_id",
    "xms_mirid": "resource_id"
  },
  "policies": ["sqlconnection"],
  "role_type": "jwt",
  "token_bound_cidrs": ["10.0.0.0/16"],
  "token_max_ttl": "24h",
  "user_claim": "sub"
}

Policy associated with the sqlconnection:-

vault read auth/jwt/role/webapp-role

  7. Run the command below with the JWT token retrieved from the application (having the managed identity enabled) deployed on Azure AAD and pass it as "your_jwt". This command should return the Vault token as shown in the link JWT/OIDC - Auth Methods | Vault by HashiCorp

curl --request POST --data '{"jwt": "your_jwt", "role": "webapp-role"}' http://127.0.0.1:8200/v1/auth/jwt/login

At this point I receive an error: "Missing Role".

I am stuck here and not able to find any solution.

The expected response should contain the client token (Vault token):-

JWT Token decoded information

{
  "aud": "https://management.azure.com",
  "iss": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
  "iat": 1631172032,
  "nbf": 1631172032,
  "exp": 1631258732,
  "aio": "E2ZgYNBN4JVfle92Tsl1b8m8pc9jAA==",
  "appid": "cf5c734c-a4fd-4d85-8049-53de46db4ec0",
  "appidacr": "2",
  "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
  "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "rh": "0.AVMAb_GVSro1Ukqcs38wDNwMYExzXM_9pIVNgElT3kbbTsBTAAA.",
  "sub": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
  "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60",
  "uti": "LDjkUZdlKUS4paEleUUFAA",
  "ver": "1.0",
  "xms_mirid": "/subscriptions/0edeaa4a-d371-4fa8-acbd-3675861b0ac8/resourcegroups/AzureAADResource/providers/Microsoft.Web/sites/hashvault-test",
  "xms_tcdt": "1600006540"
}

The issue was with the missing configuration on both the Azure Cloud and Vault side.
These were the additional steps done further to make it work.

Create an Azure SPN

az ad sp create-for-rbac --name "Hashicorp Vault Prod AzureSPN" --skip-assignment

Assign it as Reader on the subscription.

Create Vault config

vault auth enable azure

vault write auth/azure/config tenant_id=lg240e12-76g1-748b-cd9c-je6f29562476 resource=https://management.azure.com/ client_id=34906a49-9a8f-462b-9d68-33ae40hgf8ug client_secret=123456ABCDEF
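As an added diagnostic (not code from the post), the check below decodes a token's payload without verifying it and compares each bound value in the role from the question (bound_audiences, bound_subject, bound_claims, user_claim) with the decoded token's claims by exact string match, reporting every binding the token would not satisfy; the role and claim values are copied from the question, and the unsigned sample token is constructed only so the check runs offline.

```python
import base64
import json

# Constructed sample: role definition and token claims copied from the question above.
ROLE = {
    "bound_audiences": "https://management.azure.com/",
    "bound_claims": {
        "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
        "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
        "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
    },
    "bound_subject": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "user_claim": "sub",
}
TOKEN_CLAIMS = {
    "aud": "https://management.azure.com",
    "idp": "https://sts.windows.net/4a95f16f-35ba-4a52-9cb3-7f300cdc0c60/",
    "oid": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "sub": "8d2b99fb-f4f4-4afb-9ee3-276891f40a65",
    "tid": "4a95f16f-35ba-4a52-9cb3-7f300cdc0c60",
}

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def encode_unsigned(claims):
    """Build an unsigned (alg none) JWT so the check can run offline on constructed input."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_payload(jwt):
    """Return the claims of a JWT without verifying it (inspection only, not authentication)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])

def check_role_binding(role, claims):
    """List each bound value in the role that the token's claims do not satisfy (exact string match)."""
    problems = []
    if role.get("bound_audiences") and not set(_as_list(role["bound_audiences"])) & set(_as_list(claims.get("aud"))):
        problems.append(f"aud: role binds {role['bound_audiences']!r}, token has {claims.get('aud')!r}")
    if role.get("bound_subject") and claims.get("sub") != role["bound_subject"]:
        problems.append(f"sub: role binds {role['bound_subject']!r}, token has {claims.get('sub')!r}")
    for name, want in role.get("bound_claims", {}).items():
        if claims.get(name) != want:
            problems.append(f"{name}: role binds {want!r}, token has {claims.get(name)!r}")
    if role.get("user_claim") not in claims:
        problems.append(f"user_claim {role.get('user_claim')!r} is absent from the token")
    return problems
```

Run `check_role_binding(ROLE, decode_payload(token))` against a real token from the App Service before attempting the login; any line it prints is a binding that will fail on the Vault side.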