chore: use KEYVAULT_URL instead of KEYVAULT_NAME in quick start and tests

.pipelines/nightly.yaml

@@ -70,7 +70,7 @@ jobs:
       # contains the following environment variables:
       # - APPLICATION_CLIENT_ID
       # - AZURE_TENANT_ID
-      # - KEYVAULT_NAME
+      # - KEYVAULT_URL
       # - KEYVAULT_SECRET_NAME
       - group: e2e-environment-variables
       - name: REGISTRY
@@ -99,7 +99,7 @@ jobs:
         env:
           APPLICATION_CLIENT_ID: $(APPLICATION_CLIENT_ID)
           AZURE_TENANT_ID: $(AZURE_TENANT_ID)
-          KEYVAULT_NAME: $(KEYVAULT_NAME)
+          KEYVAULT_URL: $(KEYVAULT_URL)
           KEYVAULT_SECRET_NAME: $(KEYVAULT_SECRET_NAME)
       - template: templates/publish-logs.yaml
   - template: templates/upgrade.yaml
@@ -131,7 +131,7 @@ jobs:
       # contains the following environment variables:
       # - APPLICATION_CLIENT_ID
       # - AZURE_TENANT_ID
-      # - KEYVAULT_NAME
+      # - KEYVAULT_URL
       # - KEYVAULT_SECRET_NAME
       # - SERVICE_ACCOUNT_ISSUER
       # - SERVICE_ACCOUNT_KEYVAULT_NAME
@@ -154,7 +154,7 @@ jobs:
         env:
           APPLICATION_CLIENT_ID: $(APPLICATION_CLIENT_ID)
           AZURE_TENANT_ID: $(AZURE_TENANT_ID)
-          KEYVAULT_NAME: $(KEYVAULT_NAME)
+          KEYVAULT_URL: $(KEYVAULT_URL)
           KEYVAULT_SECRET_NAME: $(KEYVAULT_SECRET_NAME)
           SERVICE_ACCOUNT_ISSUER: $(SERVICE_ACCOUNT_ISSUER)
           SERVICE_ACCOUNT_KEYVAULT_NAME: $(SERVICE_ACCOUNT_KEYVAULT_NAME)

.pipelines/pr.yaml

@@ -68,7 +68,7 @@ jobs:
       # contains the following environment variables:
       # - APPLICATION_CLIENT_ID
       # - AZURE_TENANT_ID
-      # - KEYVAULT_NAME
+      # - KEYVAULT_URL
       # - KEYVAULT_SECRET_NAME
       # - SERVICE_ACCOUNT_ISSUER
       # - SERVICE_ACCOUNT_KEYVAULT_NAME
@@ -112,7 +112,7 @@ jobs:
         env:
           APPLICATION_CLIENT_ID: $(APPLICATION_CLIENT_ID)
           AZURE_TENANT_ID: $(AZURE_TENANT_ID)
-          KEYVAULT_NAME: $(KEYVAULT_NAME)
+          KEYVAULT_URL: $(KEYVAULT_URL)
           KEYVAULT_SECRET_NAME: $(KEYVAULT_SECRET_NAME)
           SERVICE_ACCOUNT_ISSUER: $(SERVICE_ACCOUNT_ISSUER)
           SERVICE_ACCOUNT_KEYVAULT_NAME: $(SERVICE_ACCOUNT_KEYVAULT_NAME)

.pipelines/templates/upgrade.yaml

@@ -14,7 +14,7 @@ jobs:
       # contains the following environment variables:
       # - APPLICATION_CLIENT_ID
       # - AZURE_TENANT_ID
-      # - KEYVAULT_NAME
+      # - KEYVAULT_URL
       # - KEYVAULT_SECRET_NAME
       - group: e2e-environment-variables
       - name: REGISTRY
@@ -30,7 +30,7 @@ jobs:
           SKIP_CLEANUP: "true"
           APPLICATION_CLIENT_ID: $(APPLICATION_CLIENT_ID)
           AZURE_TENANT_ID: $(AZURE_TENANT_ID)
-          KEYVAULT_NAME: $(KEYVAULT_NAME)
+          KEYVAULT_URL: $(KEYVAULT_URL)
           KEYVAULT_SECRET_NAME: $(KEYVAULT_SECRET_NAME)
       - script: |
           # xref: https://github.com/Azure/secrets-store-csi-driver-provider-azure/blob/512316adc9daa2216de10a6288f6c1df8a122654/.pipelines/templates/aks-upgrade.yaml#L3-L8
@@ -58,7 +58,7 @@ jobs:
         env:
           APPLICATION_CLIENT_ID: $(APPLICATION_CLIENT_ID)
           AZURE_TENANT_ID: $(AZURE_TENANT_ID)
-          KEYVAULT_NAME: $(KEYVAULT_NAME)
+          KEYVAULT_URL: $(KEYVAULT_URL)
           KEYVAULT_SECRET_NAME: $(KEYVAULT_SECRET_NAME)
       - script: az group delete --name "${CLUSTER_NAME}" --yes --no-wait || true
         displayName: Cleanup

docs/book/src/quick-start.md

@@ -281,8 +281,6 @@ spec:
     - image: ghcr.io/azure/azure-workload-identity/msal-go
       name: oidc
       env:
-      - name: KEYVAULT_NAME
-        value: ${KEYVAULT_NAME}
       - name: KEYVAULT_URL
         value: ${KEYVAULT_URL}
       - name: SECRET_NAME
@@ -349,7 +347,7 @@ Containers:
     Ready:          True
     Restart Count:  0
     Environment:
-      KEYVAULT_NAME:              ${KEYVAULT_NAME}
+      KEYVAULT_URL:               ${KEYVAULT_URL}
       SECRET_NAME:                ${KEYVAULT_SECRET_NAME}
       AZURE_AUTHORITY_HOST:       (Injected by the webhook)
       AZURE_CLIENT_ID:            (Injected by the webhook)

examples/msal-go/main.go

@@ -2,7 +2,6 @@ package main
 
 import (
 	"context"
-	"fmt"
 	"os"
 	"time"
 
@@ -13,12 +12,13 @@ import (
 
 func main() {
 	keyvaultURL := os.Getenv("KEYVAULT_URL")
-        if keyvaultURL == "" {
-                keyvaultName := os.Getenv("KEYVAULT_NAME")
-		// fallback to use global cloud
-                keyvaultURL = fmt.Sprintf("https://%s.vault.azure.net/", keyvaultName)
-        }
-        secretName := os.Getenv("SECRET_NAME")
+	if keyvaultURL == "" {
+		klog.Fatal("KEYVAULT_URL environment variable is not set")
+	}
+	secretName := os.Getenv("SECRET_NAME")
+	if secretName == "" {
+		klog.Fatal("SECRET_NAME environment variable is not set")
+	}
 
 	// initialize keyvault client with custom authorizer
 	kvClient := keyvault.New()

examples/msal-java/src/main/java/com/example/msal/java/App.java

@@ -9,11 +9,19 @@
 public class App {
     public static void main(String[] args) {
         Map<String, String> env = System.getenv();
-        String keyvaultName = env.get("KEYVAULT_NAME");
+        String keyvaultURL = env.get("KEYVAULT_URL");
+        if (keyvaultURL == null) {
+            System.out.println("KEYVAULT_URL environment variable not set");
+            return;
+        }
         String secretName = env.get("SECRET_NAME");
+        if (secretName == null) {
+            System.out.println("SECRET_NAME environment variable not set");
+            return;
+        }
 
         SecretClient secretClient = new SecretClientBuilder()
-                .vaultUrl(String.format("https://%s.vault.azure.net", keyvaultName))
+                .vaultUrl(keyvaultURL)
                 .credential(new CustomTokenCredential())
                 .buildClient();
         KeyVaultSecret secret = secretClient.getSecret(secretName);

examples/msal-net/akvdotnet/Program.cs

@@ -13,11 +13,15 @@ static void Main(string[] args)
             Program P = new Program();
             string keyvaultURL = Environment.GetEnvironmentVariable("KEYVAULT_URL");
             if (string.IsNullOrEmpty(keyvaultURL)) {
-                string keyvaultName = Environment.GetEnvironmentVariable("KEYVAULT_NAME");
-                keyvaultURL = "https://" + keyvaultName + ".vault.azure.net/";
+                Console.WriteLine("KEYVAULT_URL environment variable not set");
+                return;
             }
 
             string secretName = Environment.GetEnvironmentVariable("SECRET_NAME");
+            if (string.IsNullOrEmpty(secretName)) {
+                Console.WriteLine("SECRET_NAME environment variable not set");
+                return;
+            }
 
             SecretClient client = new SecretClient(
                 new Uri(keyvaultURL),

examples/msal-node/index.js

@@ -40,10 +40,18 @@ const main = async () => {
     // create a token credential object, which has a getToken method that returns a token
     const tokenCredential = new MyClientAssertionCredential()
 
+    const keyvaultURL = process.env.KEYVAULT_URL
+    if (!keyvaultURL) {
+        throw new Error("KEYVAULT_URL environment variable not set")
+    }
+    const secretName = process.env.SECRET_NAME
+    if (!secretName) {
+        throw new Error("SECRET_NAME environment variable not set")
+    }
+
     // create a secret client with the token credential
-    const url = `https://${process.env.KEYVAULT_NAME}.vault.azure.net`
-    const keyvault = new SecretClient(url, tokenCredential)
-    const secret = await keyvault.getSecret(process.env.SECRET_NAME).catch(error => console.log(error))
+    const keyvault = new SecretClient(keyvaultURL, tokenCredential)
+    const secret = await keyvault.getSecret(secretName).catch(error => console.log(error))
     console.log(`successfully got secret, secret=${secret.value}`)
 }
 

examples/msal-python/main.py

@@ -16,9 +16,10 @@ def main():
 
     keyvault_url = os.getenv('KEYVAULT_URL', '')
     if not keyvault_url:
-        keyvault_name = os.getenv('KEYVAULT_NAME', '')
-        keyvault_url='https://{}.vault.azure.net'.format(keyvault_name)
+        raise Exception('KEYVAULT_URL environment variable is not set')
     secret_name = os.getenv('SECRET_NAME', '')
+    if not secret_name:
+        raise Exception('SECRET_NAME environment variable is not set')
 
     # create a secret client with the token credential
     keyvault = SecretClient(vault_url=keyvault_url, credential=token_credential)

test/e2e/token_exchange.go

@@ -29,8 +29,8 @@ var _ = ginkgo.Describe("TokenExchange [AKSSoakOnly] [Exclude:Arc]", func() {
 	ginkgo.It("should exchange the service account token for a valid AAD token", func() {
 		clientID, ok := os.LookupEnv("APPLICATION_CLIENT_ID")
 		gomega.Expect(ok).To(gomega.BeTrue(), "APPLICATION_CLIENT_ID must be set")
-		keyvaultName, ok := os.LookupEnv("KEYVAULT_NAME")
-		gomega.Expect(ok).To(gomega.BeTrue(), "KEYVAULT_NAME must be set")
+		keyvaultURL, ok := os.LookupEnv("KEYVAULT_URL")
+		gomega.Expect(ok).To(gomega.BeTrue(), "KEYVAULT_URL must be set")
 		keyvaultSecretName, ok := os.LookupEnv("KEYVAULT_SECRET_NAME")
 		gomega.Expect(ok).To(gomega.BeTrue(), "KEYVAULT_SECRET_NAME must be set")
 
@@ -47,8 +47,8 @@ var _ = ginkgo.Describe("TokenExchange [AKSSoakOnly] [Exclude:Arc]", func() {
 			nil,
 			nil,
 			[]corev1.EnvVar{{
-				Name:  "KEYVAULT_NAME",
-				Value: keyvaultName,
+				Name:  "KEYVAULT_URL",
+				Value: keyvaultURL,
 			}, {
 				Name:  "SECRET_NAME",
 				Value: keyvaultSecretName,