Access Config Server and Service Registry

Note

The Basic, Standard, and Enterprise plans will be deprecated starting from mid-March, 2025, with a 3 year retirement period. We recommend transitioning to Azure Container Apps. For more information, see the Azure Spring Apps retirement announcement.

The Standard consumption and dedicated plan will be deprecated starting September 30, 2024, with a complete shutdown after six months. We recommend transitioning to Azure Container Apps. For more information, see Migrate Azure Spring Apps Standard consumption and dedicated plan to Azure Container Apps.

This article applies to: ✅ Basic/Standard ❎ Enterprise

This article explains how to access the Spring Cloud Config Server and Spring Cloud Service Registry managed by Azure Spring Apps using Microsoft Entra role-based access control (RBAC).

Note

Applications deployed and running inside the Azure Spring Apps service are automatically wired up with certificate-based authentication and authorization when accessing the managed Spring Cloud Config Server and Service Registry. You don't need to follow this guidance for these applications. The related certificates are fully managed by the Azure Spring Apps platform, and are automatically injected in your application when connected to Config Server and Service Registry.

Assign role to Microsoft Entra user/group, MSI, or service principal

Assign the role to the [user | group | service-principal | managed-identity] at [management-group | subscription | resource-group | resource] scope.

Role name Description
Azure Spring Apps Config Server Reader Allow read access to Azure Spring Apps Config Server.
Azure Spring Apps Config Server Contributor Allow read, write, and delete access to Azure Spring Apps Config Server.
Azure Spring Apps Service Registry Reader Allow read access to Azure Spring Apps Service Registry.
Azure Spring Apps Service Registry Contributor Allow read, write, and delete access to Azure Spring Apps Service Registry.

For detailed steps, see Assign Azure roles using the Azure portal.

Access Config Server and Service Registry Endpoints

After the role is assigned, the assignee can access the Spring Cloud Config Server and the Spring Cloud Service Registry endpoints using the following procedures:

  1. Get an access token. After a Microsoft Entra user is assigned the role, they can use the following commands to sign in to Azure CLI with user, service principal, or managed identity to get an access token. For details, see Authenticate Azure CLI.

    az login
    az account get-access-token
    
  2. Compose the endpoint. We support the default endpoints of the Spring Cloud Config Server and Spring Cloud Service Registry managed by Azure Spring Apps.

    • 'https://SERVICE_NAME.svc.azuremicroservices.io/eureka/{path}'
    • 'https://SERVICE_NAME.svc.azuremicroservices.io/config/{path}'

    Note

    If you're using Microsoft Azure operated by 21Vianet, replace *.azuremicroservices.io with *.microservices.azure.cn. For more information, see the section Check endpoints in Azure in the Microsoft Azure operated by 21Vianet developer guide.

  3. Access the composed endpoint with the access token. Put the access token in a header to provide authorization: --header 'Authorization: Bearer {TOKEN_FROM_PREVIOUS_STEP}'.

    For example:

    a. Access an endpoint like https://SERVICE_NAME.svc.azuremicroservices.io/config/actuator/health to see the health status of Config Server.

    b. Access an endpoint like https://SERVICE_NAME.svc.azuremicroservices.io/eureka/eureka/apps to see the registered apps in Spring Cloud Service Registry (Eureka here).

    If the response is 401 Unauthorized, check to see if the role is successfully assigned. It will take several minutes for the role to take effect or to verify that the access token has not expired.

For more information about actuator endpoint, see Production ready endpoints.

For Eureka endpoints, see Eureka-REST-operations

For config server endpoints and detailed path information, see ResourceController.java and EncryptionController.java.

Register Spring Boot apps to Spring Cloud Config Server and Service Registry managed by Azure Spring Apps

After the role is assigned, you can register Spring Boot apps to Spring Cloud Config Server and Service Registry managed by Azure Spring Apps with Microsoft Entra token authentication. Both Config Server and Service Registry support custom REST template to inject the bearer token for authentication.

For more information, see the samples Access Azure Spring Apps managed Config Server and Access Azure Spring Apps managed Service Registry. The following sections explain some important details in these samples.

In AccessTokenManager.java:

AccessTokenManager is responsible for getting an access token from Microsoft Entra ID. Configure the service principal's sign-in information in the application.properties file and initialize ApplicationTokenCredentials to get the token. You can find this file in both samples.

prop.load(in);
tokenClientId = prop.getProperty("access.token.clientId");
String tenantId = prop.getProperty("access.token.tenantId");
String secret = prop.getProperty("access.token.secret");
String clientId = prop.getProperty("access.token.clientId");
credentials = new ApplicationTokenCredentials(
    clientId, tenantId, secret, AzureEnvironment.AZURE);

In CustomConfigServiceBootstrapConfiguration.java:

CustomConfigServiceBootstrapConfiguration implements the custom REST template for Config Server and injects the token from Microsoft Entra ID as Authorization headers. You can find this file in the Config Server sample.

public class RequestResponseHandlerInterceptor implements ClientHttpRequestInterceptor {

    @Override
    public ClientHttpResponse intercept(HttpRequest request, byte[] body, ClientHttpRequestExecution execution) throws IOException {
        String accessToken = AccessTokenManager.getToken();
        request.getHeaders().remove(AUTHORIZATION);
        request.getHeaders().add(AUTHORIZATION, "Bearer " + accessToken);

        ClientHttpResponse response = execution.execute(request, body);
        return response;
    }

}

In CustomRestTemplateTransportClientFactories.java:

The previous two classes are for the implementation of the custom REST template for Spring Cloud Service Registry. The intercept part is the same as in the Config Server above. Be sure to add factory.mappingJacksonHttpMessageConverter() to the message converters. You can find this file in the Spring Cloud Service Registry sample.

private RestTemplate customRestTemplate() {
    /*
     * Inject your custom rest template
     */
    RestTemplate restTemplate = new RestTemplate();
    restTemplate.getInterceptors()
        .add(new RequestResponseHandlerInterceptor());
    RestTemplateTransportClientFactory factory = new RestTemplateTransportClientFactory();

    restTemplate.getMessageConverters().add(0, factory.mappingJacksonHttpMessageConverter());

    return restTemplate;
}

If you're running applications on a Kubernetes cluster, we recommend that you use an IP address to register Spring Cloud Service Registry for access.

eureka.instance.prefer-ip-address=true

Next steps