This is an example for Lowkey Vault. It demonstrates a basic scenario covering encrypt/decrypt operations with a key, database-connection-specific credentials, and retrieval of a PKCS12 store containing a certificate and its matching private key.
- Key "repository"
- Secret "repository"
- Certificate "repository"
- Empty credentials for connecting to Lowkey Vault (not needed if Assumed Identity is used)
- Tests
  - TestRepository is using NoopCredential for authentication to demonstrate integration with
    - Secrets
    - Keys
    - Certificates
  - TestRepositoryWithManagedIdentity is performing exactly the same, but it is using the DefaultAzureCredential with Assumed Identity
- Start Lowkey Vault and Assumed Identity
- Set `REQUESTS_CA_BUNDLE` environment variable to reference `lowkeyvault.pem`
- If you are not using the default `169.254.169.254:80` address for Assumed Identity (because for example you are running it in the cloud)
  - Set `AZURE_POD_IDENTITY_AUTHORITY_HOST` environment variable to point to the Assumed Identity base URL e.g., http://localhost:8080
  - Set `IMDS_ENDPOINT` environment variable to point to the Assumed Identity base URL e.g., http://localhost:8080
  - Set `IDENTITY_ENDPOINT` environment variable to point to the `/metadata/identity/oauth2/token` path of Assumed Identity e.g., http://localhost:8080/metadata/identity/oauth2/token
  - Create an empty file named `/var/opt/azcmagent/tokens/assumed-identity.key` to let the client think that you are using Azure Arc for Managed Identity
- Run the tests
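
A preflight check for the settings listed in the steps above, as an added example that is not part of the Lowkey Vault project's code. The `check_setup` function, its `key_file` parameter and the rule that all three overrides share one host and port are assumptions made here for illustration.

```python
import os
from urllib.parse import urlsplit

TOKEN_PATH = "/metadata/identity/oauth2/token"
ARC_KEY_FILE = "/var/opt/azcmagent/tokens/assumed-identity.key"
BASE_URL_VARS = ("AZURE_POD_IDENTITY_AUTHORITY_HOST", "IMDS_ENDPOINT")


def _origin(url):
    """Return (scheme, host:port) for an http(s) URL, else None."""
    parts = urlsplit(url or "")
    if parts.scheme not in ("http", "https") or not parts.netloc:
        return None
    return parts.scheme, parts.netloc.lower()


def check_setup(env, key_file=ARC_KEY_FILE):
    """Return a list of problems found in the settings from the steps above."""
    problems = []
    bundle = env.get("REQUESTS_CA_BUNDLE")
    if not bundle or not os.path.isfile(bundle):
        problems.append("REQUESTS_CA_BUNDLE must reference the lowkeyvault.pem file")
    endpoint = env.get("IDENTITY_ENDPOINT")
    bases = {name: env.get(name) for name in BASE_URL_VARS}
    if not endpoint and not any(bases.values()):
        return problems  # no overrides: default 169.254.169.254:80 address
    # The page lists the overrides as one group, so report each missing one.
    origins = set()
    for name, value in bases.items():
        if _origin(value) is None:
            problems.append(name + " is missing or not an http(s) base URL")
        else:
            origins.add(_origin(value))
    if _origin(endpoint) is None:
        problems.append("IDENTITY_ENDPOINT is missing or not an http(s) URL")
    else:
        origins.add(_origin(endpoint))
        if urlsplit(endpoint).path != TOKEN_PATH:
            problems.append("IDENTITY_ENDPOINT path must be " + TOKEN_PATH)
    # Assumption of this example: every override targets the same host and port.
    if len(origins) > 1:
        problems.append("overrides point at different hosts: %s" % sorted(origins))
    if not os.path.isfile(key_file) or os.path.getsize(key_file) > 0:
        problems.append("expected an empty key file at " + key_file)
    return problems


if __name__ == "__main__":
    print("\n".join(check_setup(os.environ)) or "setup looks consistent")
```

Running it in the shell that will run the tests also shows whether these overrides are still exported in an environment where they should not be, since they redirect both TLS trust and token requests to the emulator.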
Note
In order to better understand what is needed in general to make similar examples work, please find a generic overview here.
Tip
Since v2.4.2, Lowkey Vault is providing the same token endpoint on the 8080 port by default. Therefore, you don't need to start another container.
Note
To be able to use Azure Identity 1.18.0+ you must use Lowkey Vault 2.5.0+ as earlier versions don't provide the necessary headers in the token response.