Support using MSI to fetch Key Vault access tokens #5249

Merged
shahabhijeet merged 1 commit into Azure:master from nickstenning:support-msi-for-keyvault-auth
Feb 16, 2019
Conversation

@nickstenning
Contributor

Description

In situations requiring cross-tenant auth, it is currently not possible to use MSI to fetch an access token directly. In these scenarios, it would be helpful to be able to use a client certificate grant, but with the certificate stored in (and retrieved from) Key Vault.

Currently, this workflow is supported, but only for "development-like" environments (i.e. through the Visual Studio or Azure CLI token flows). This commit makes it possible for a service to use its managed identity to retrieve a Key Vault access token for client certificate grants.

I'm very happy to take any and all feedback on this PR; for example, I'm not sure if I need to update release notes/versions/etc. with this change. Please let me know!


This checklist is used to make sure that common guidelines for a pull request are followed.

  • Please add REST spec PR link to the SDK PR [Not applicable?]
  • I have read the contribution guidelines.
  • The pull request does not introduce breaking changes. [I do not believe this is a breaking change, as the KeyVaultClient will fall through to the remaining token providers in non-MSI environments.]

General Guidelines

  • Title of the pull request is clear and informative.
  • There are a small number of commits, each of which has an informative message. This means that previously merged commits do not appear in the history of the PR. For more information on cleaning up the commits in your PR, see this page.

Testing Guidelines

  • Pull request includes test coverage for the included changes. [The change is not currently tested, but neither is the existing list of token providers for KeyVaultClient. I'm happy to take advice on how this could be tested!]

SDK Generation Guidelines

[Removed as not applicable.]

In situations requiring cross-tenant auth, it is currently not possible
to use MSI to fetch an access token directly. In these scenarios, it
would be helpful to be able to use a client certificate grant, but with
the certificate stored in Key Vault.

Currently, this workflow is supported, but only for "development-like"
environments (i.e. through the Visual Studio or Azure CLI token flows).
This commit makes it possible for a service to use its managed identity
to retrieve a Key Vault access token for client certificate grants.
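The workflow described above (the service's managed identity obtains a Key Vault token, the client certificate is read from the vault, and that certificate backs a client certificate grant against another tenant), as an added end-to-end C# example that is not code from this PR or from the SDK's token-provider list. It uses the AppAuthentication, KeyVault and ADAL packages; the vault URL, client id, tenant authority and resource are placeholder assumptions.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using Microsoft.Azure.KeyVault;
using Microsoft.Azure.KeyVault.Models;
using Microsoft.Azure.Services.AppAuthentication;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class CrossTenantCertAuth
{
    // Placeholder values (assumptions, not from the PR): the vault secret that
    // backs the certificate, the app id registered in the *other* tenant, that
    // tenant's authority, and the resource the token is for.
    const string CertSecretId = "https://example-vault.vault.azure.net/secrets/cross-tenant-cert";
    const string ClientId = "00000000-0000-0000-0000-000000000000";
    const string TargetTenantAuthority = "https://login.microsoftonline.com/<other-tenant-id>";
    const string Resource = "https://management.azure.com/";

    public static async Task<string> AcquireCrossTenantTokenAsync()
    {
        // Step 1: authenticate to Key Vault with the managed identity (MSI).
        // The callback obtains a Key Vault-scoped token from the MSI endpoint,
        // so no client secret or certificate password lives in configuration.
        var msiTokenProvider = new AzureServiceTokenProvider();
        var keyVault = new KeyVaultClient(
            new KeyVaultClient.AuthenticationCallback(msiTokenProvider.KeyVaultTokenCallback));

        // Step 2: read the certificate's *secret* form. For a Key Vault certificate
        // with content type application/x-pkcs12 the backing secret is the
        // base64-encoded PFX including the private key; the /certificates/ view
        // returns only the public part, which cannot sign a client assertion.
        SecretBundle pfxSecret = await keyVault.GetSecretAsync(CertSecretId);
        var certificate = new X509Certificate2(Convert.FromBase64String(pfxSecret.Value));

        // Step 3: client certificate grant against the other tenant's authority.
        // ADAL signs a JWT client assertion with the private key; the private key
        // material stays in this process and is never sent to the token endpoint.
        var authContext = new AuthenticationContext(TargetTenantAuthority);
        var clientCertificate = new ClientAssertionCertificate(ClientId, certificate);
        AuthenticationResult result = await authContext.AcquireTokenAsync(Resource, clientCertificate);
        return result.AccessToken;
    }
}
```

The managed identity only needs the "get" secret permission on that one vault; granting it broader vault rights would let a compromised service read every secret, so scope the access policy to exactly this certificate.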
@nickstenning
Contributor Author

Looks like @nonik0 may have thoughts on this change as the last (only?) person to change this file.

@dsgouda
Contributor

dsgouda commented Feb 14, 2019

@schaabs do you know someone who could review this change?

@shahabhijeet
Contributor

@varunsh-msft will need to sign off on this PR

@nonik0
Contributor

nonik0 commented Feb 16, 2019

Thanks for bringing this to our attention, @varunsh-msft and I will sync offline soon regarding this change.

@shahabhijeet shahabhijeet merged commit 61f82ba into Azure:master Feb 16, 2019
mentat9 pushed a commit to mentat9/azure-sdk-for-net that referenced this pull request Jun 10, 2019