From a9cd5e067058dedd7cf444af006a1e7823d1a2bb Mon Sep 17 00:00:00 2001
From: Daniel Rodriguez
Date: Fri, 18 Jun 2021 23:22:41 +0000
Subject: [PATCH 1/3] [Identity] Add support for Bridge to Kubernetes to ManagedIdentityCredential
---
 sdk/identity/identity/CHANGELOG.md | 1 +
 .../src/credentials/managedIdentityCredential/imdsMsi.ts | 7 ++++++-
 2 files changed, 7 insertions(+), 1 deletion(-)
diff --git a/sdk/identity/identity/CHANGELOG.md b/sdk/identity/identity/CHANGELOG.md
index 7961335e8f85..f58e453fea7b 100644
--- a/sdk/identity/identity/CHANGELOG.md
+++ b/sdk/identity/identity/CHANGELOG.md
@@ -37,6 +37,7 @@
 - `AuthenticationRequiredError` (introduced in 2.0.0-beta.1) now has the same impact on `ChainedTokenCredential` as the `CredentialUnavailableError` which is to allow the next credential in the chain to be tried.
 - `ManagedIdentityCredential` now retries with exponential back-off when a request for a token fails with a 404 status code on environments with available IMDS endpoints.
 - Added an `AzurePowerShellCredential` which will use the authenticated user session from the `Az.Account` PowerShell module. This credential will attempt to use PowerShell Core by calling `pwsh`, and on Windows it will fall back to Windows PowerShell (`powershell`) if PowerShell Core is not available.
+- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.
 ### Breaking changes from 2.0.0-beta.1
diff --git a/sdk/identity/identity/src/credentials/managedIdentityCredential/imdsMsi.ts b/sdk/identity/identity/src/credentials/managedIdentityCredential/imdsMsi.ts
index f27c43d12f73..cc6d954afb49 100644
--- a/sdk/identity/identity/src/credentials/managedIdentityCredential/imdsMsi.ts
+++ b/sdk/identity/identity/src/credentials/managedIdentityCredential/imdsMsi.ts
@@ -44,7 +44,7 @@ function prepareRequestOptions(resource?: string, clientId?: string): RequestPre
 }
 return {
- url: imdsEndpoint,
+ url: process.env.AZURE_POD_IDENTITY_TOKEN_URL ?? imdsEndpoint,
 method: "GET",
 queryParameters,
 headers: {
@@ -73,6 +73,11 @@ export const imdsMsi: MSI = {
 getTokenOptions
 );
+ // if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
+ if (process.env.AZURE_POD_IDENTITY_TOKEN_URL) {
+ return true;
+ }
+
 const request = prepareRequestOptions(resource, clientId);
 // This will always be populated, but let's make TypeScript happy
From cd809de7d4e99157af6a2b7f9967aeec5236d2e2 Mon Sep 17 00:00:00 2001
From: Daniel Rodriguez
Date: Mon, 21 Jun 2021 21:42:05 +0000
Subject: [PATCH 2/3] one very simple test
---
 .../internal/node/managedIdentityCredential.spec.ts | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts b/sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts
index 4d9fdf5e5cb6..fe4883676bd0 100644
--- a/sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts
+++ b/sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts
@@ -15,7 +15,10 @@ import {
 import { MockAuthHttpClient, MockAuthHttpClientOptions, assertRejects } from "../../authTestUtils";
 import { OAuthErrorResponse } from "../../../src/client/errors";
 import Sinon from "sinon";
-import { imdsMsiRetryConfig } from "../../../src/credentials/managedIdentityCredential/imdsMsi";
+import {
+ imdsMsi,
+ imdsMsiRetryConfig
+} from "../../../src/credentials/managedIdentityCredential/imdsMsi";
 import { mkdtempSync, rmdirSync, unlinkSync, writeFileSync } from "fs";
 import { join } from "path";
 import { tmpdir } from "os";
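Review bot: The two reads of `AZURE_POD_IDENTITY_TOKEN_URL` disagree on what counts as "set": the `url` line in the first hunk uses `??`, so an empty value (`AZURE_POD_IDENTITY_TOKEN_URL=""`) is kept and the token request is sent to `url: ""`, while the guard in the second hunk (inside what the spec calls `imdsMsi.isAvailable`, whose body starts and ends outside the hunk) treats that same empty string as unset and falls through to probing IMDS. Read the variable through one helper with one rule, e.g. `function podIdentityTokenUrl(): string | undefined { return process.env.AZURE_POD_IDENTITY_TOKEN_URL || undefined; }`, and use it in both places (`url: podIdentityTokenUrl() ?? imdsEndpoint,` and `if (podIdentityTokenUrl()) { return true; }`). Because the override also skips the availability probe, a malformed value will only surface later as a failed token request, so a debug log naming the endpoint that was selected (if this module already has a logger) would make the misconfiguration visible. The added comment has a typo and names a variable that does not exist in the code; `// If AZURE_POD_IDENTITY_TOKEN_URL is set (Bridge to Kubernetes / pod identity), the endpoint is assumed to exist and the IMDS probe is skipped.` matches what the guard does.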
@@ -52,6 +55,7 @@ describe("ManagedIdentityCredential", function() {
 process.env.MSI_SECRET = env.MSI_SECRET;
 process.env.IDENTITY_SERVER_THUMBPRINT = env.IDENTITY_SERVER_THUMBPRINT;
 process.env.IMDS_ENDPOINT = env.IMDS_ENDPOINT;
+ process.env.AZURE_POD_IDENTITY_TOKEN_URL = env.AZURE_POD_IDENTITY_TOKEN_URL;
 sandbox.restore();
 clock.restore();
 });
@@ -248,6 +252,12 @@ describe("ManagedIdentityCredential", function() {
 );
 });
+ it("IMDS MSI skips verification if the AZURE_POD_IDENTITY_TOKEN_URL environment variable is available", async function() {
+ process.env.AZURE_POD_IDENTITY_TOKEN_URL = "token URL";
+ assert.ok(await imdsMsi.isAvailable());
+ });
+
 // Unavailable exception throws while IMDS endpoint is unavailable. This test not valid.
 // it("can extend timeout for IMDS endpoint", async function() {
 // // Mock a timeout so that the endpoint ping fails
From a39ec19e0fcc90d8d8738cec906f449d3b4d8896 Mon Sep 17 00:00:00 2001
From: Daniel Rodriguez
Date: Tue, 22 Jun 2021 15:11:44 +0000
Subject: [PATCH 3/3] forgot this line
---
 .../test/internal/node/managedIdentityCredential.spec.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts b/sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts
index fe4883676bd0..d52009887a60 100644
--- a/sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts
+++ b/sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts
@@ -41,6 +41,7 @@ describe("ManagedIdentityCredential", function() {
 delete process.env.MSI_SECRET;
 delete process.env.IDENTITY_SERVER_THUMBPRINT;
 delete process.env.IMDS_ENDPOINT;
+ delete process.env.AZURE_POD_IDENTITY_TOKEN_URL;
 sandbox = Sinon.createSandbox();
 clock = sandbox.useFakeTimers({ now: Date.now(),
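Review bot: The restore line `process.env.AZURE_POD_IDENTITY_TOKEN_URL = env.AZURE_POD_IDENTITY_TOKEN_URL;` writes the literal string `"undefined"` into the environment when the variable was not set before the suite, because Node stringifies any value assigned to `process.env`; the test added in the later hunk sets the variable, so after it runs this restore leaves a truthy `"undefined"` behind that would make the new `isAvailable()` short-circuit in any later suite in the same process that does not delete it first. The neighbouring restores follow the same pattern, so the suite may tolerate it today, but for a variable that redirects where tokens are requested from a conditional restore is safer: `if (env.AZURE_POD_IDENTITY_TOKEN_URL === undefined) { delete process.env.AZURE_POD_IDENTITY_TOKEN_URL; } else { process.env.AZURE_POD_IDENTITY_TOKEN_URL = env.AZURE_POD_IDENTITY_TOKEN_URL; }`. `env` is captured outside the hunk, so that it holds the pre-suite value is inferred.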
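Review bot: The new test only asserts that `isAvailable()` short-circuits; nothing exercises the other half of the change, the `url` override in `prepareRequestOptions`, so a regression there (the request still going to the IMDS endpoint) would pass this suite. A companion test that sets the variable, calls `getToken` through the mock HTTP client already imported above (`MockAuthHttpClient`) and asserts the recorded request URL equals the configured value would cover it, and a further case with the variable set to `""` would pin the intended behaviour for an empty value, which the credential code currently handles differently in its two reads. `"token URL"` is also not a URL; a constructed placeholder such as `"http://localhost:8080/token"` (example value) reads closer to what the tooling injects. Whether `MockAuthHttpClient` records request URLs is inferred from its name.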