
Workload identity does not work with KeyVault JCA  #41863

@wddwagner

Description

I tested the Keyvault JCA and noted that it uses the Azure IMDS endpoint to retrieve an access token. I tested the endpoint directly using a workload identity on the pod and noted that workload identities do not work with the IMDS endpoint. Pod identities, on the other hand, do. The open source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service has been deprecated as of 10/24/2022. Release 2024-08-27 of AKS introduces a breaking change with the removal of pod identities. Hence it is imperative for Keyvault JCA to add support for workload identities.

Steps to replicate:

  1. Create a pod with a workload identity
  2. Attempt to use the Keyvault JCA and observe the error Failed to load keystore type [DKS] with path [] due to [DKS not found]. This occurs due to the JCA not being able to retrieve an access token from the IMDS endpoint
    Caused by: java.lang.NullPointerException
    at com.azure.security.keyvault.jca.implementation.KeyVaultClient.getAccessToken(KeyVaultClient.java:196)
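The direct endpoint test the reporter describes, written out as a Python diagnostic. This is an added example, not code from the KeyVault JCA library or from the issue. It builds the two token requests a pod might be able to make: the IMDS managed-identity call at 169.254.169.254 (which pod identity intercepts and answers, and which is the only path a client that hard-codes IMDS ever tries) and the workload identity exchange, where the projected service-account token named by AZURE_FEDERATED_TOKEN_FILE is sent as a client assertion to the Entra token endpoint. Nothing answers the IMDS call for a workload identity, which is why an IMDS-only client ends up with no token. The GUIDs, the token-file path and the sample assertion in the test are constructed values; the scope and resource strings are the Key Vault audience.

```python
"""Constructed diagnostic (not part of KeyVault JCA): which token path does this pod support?"""
import os
import urllib.error
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
WI_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")


def select_identity_path(env):
    """Workload identity injects AZURE_CLIENT_ID, AZURE_TENANT_ID and
    AZURE_FEDERATED_TOKEN_FILE into the pod; if they are all present the
    federated exchange is available. Otherwise IMDS is the only thing to try."""
    if all(env.get(v) for v in WI_VARS):
        return "workload_identity"
    return "imds_only"


def build_imds_request(resource="https://vault.azure.net", client_id=None):
    """GET against the IMDS endpoint with the mandatory 'Metadata: true' header.
    client_id selects a user-assigned identity; without it the system-assigned
    identity is used. Pod identity answers this call; workload identity does not."""
    params = {"api-version": "2018-02-01", "resource": resource}
    if client_id:
        params["client_id"] = client_id
    return {"method": "GET",
            "url": IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params),
            "headers": {"Metadata": "true"},
            "body": None}


def read_federated_token(env):
    """The projected Kubernetes service-account token, a JWT the webhook mounts
    at the path in AZURE_FEDERATED_TOKEN_FILE (constructed default shown in the test)."""
    with open(env["AZURE_FEDERATED_TOKEN_FILE"], "r", encoding="utf-8") as fh:
        return fh.read().strip()


def build_federated_request(env, assertion, scope="https://vault.azure.net/.default"):
    """client_credentials grant with a JWT client assertion: the workload identity
    path. The request goes to the Entra token endpoint, not to IMDS."""
    authority = env.get("AZURE_AUTHORITY_HOST", "https://login.microsoftonline.com/").rstrip("/")
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": env["AZURE_CLIENT_ID"],
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
        "scope": scope,
    })
    return {"method": "POST",
            "url": f"{authority}/{env['AZURE_TENANT_ID']}/oauth2/v2.0/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


def send(request, timeout=3):
    """Perform a built request; returns (status, body). A connection error or a
    non-2xx status means that path does not work from this pod."""
    data = request["body"].encode() if request["body"] else None
    req = urllib.request.Request(request["url"], data=data,
                                 headers=request["headers"], method=request["method"])
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()
    except (urllib.error.URLError, OSError) as exc:
        return None, str(exc)


if __name__ == "__main__":
    env = dict(os.environ)
    path = select_identity_path(env)
    print("identity path offered by this pod:", path)
    print("IMDS status:", send(build_imds_request(client_id=env.get("AZURE_CLIENT_ID")))[0])
    if path == "workload_identity":
        token = read_federated_token(env)
        print("workload identity status:", send(build_federated_request(env, token))[0])
```

Run it inside the pod: under pod identity the IMDS call returns 200 and the workload identity path is reported as unavailable; under workload identity the IMDS call fails or returns an error and only the federated exchange returns 200. A client that only ever issues the first request cannot succeed on a workload-identity pod, whatever else is configured.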

Labels

  - Azure.Identity
  - Client (This issue points to a problem in the data-plane of the library.)
  - azure-spring (All azure-spring related issues)
  - azure-spring-jca
  - customer-reported (Issues that are reported by GitHub users external to the Azure organization.)
  - needs-team-attention (Workflow: This issue needs attention from Azure service team or SDK team)
  - question (The issue doesn't require a change to the product in order to be resolved. Most issues start as that)
