Add support for azure workload identity authentication #155
Conversation
|
|
|
Happy to test this if it helps. Came to this repo looking to see if it was possible to auth boundary using workload identity. |
|
@jimlambrt Any update on this? Can we help somehow to move this forward? |
|
Ty for the reminder. Now that Boundary v0.13.0, we should be able to find a resource to test this. I'll be back with an update on when that might happen. |
|
@jimlambrt Do you have an update on that resource or timeline? Is there anything we can help with? |
|
Good afternoon! Yes, we've started to make some progress allocating a resource and building some sort of automated tests. Updates in the next week or so 🤞 |
| config := auth.NewMSIConfig() | ||
| config.Resource = strings.TrimSuffix(v.resource, "/") | ||
| if v.clientID != "" { | ||
| config.ClientID = v.clientID | ||
| } | ||
| authorizer, err = config.Authorizer() | ||
| cred, err = azidentity.NewDefaultAzureCredential(nil) |
There was a problem hiding this comment.
Hi @cldmstr - can I suggest you check that this doesn't introduce a regression for this fix? #97
There were no tests added for it so it's quite possible it would.
It's possible for multiple managed service identities to exist, and in that situation when autorest/adal queried IMDS it would receive an error back if the client ID was not provided. I'm assuming that azure-sdk-for-go behaves similarly?
There was a problem hiding this comment.
Thanks for the review @jtv8 . I can confirm that the behavior in azure-sdk-for-go is the same as the fix and does not introduce a regression. Internally, the call does almost exactly what the fix does.
Use the Azure Workload Identity federated identity magic when it is available to authenticate against Azure keyvault. This allows vault to run in an AKS cluster with service accounts federated to service principals or managed identites. This also requires the azure libraries to be migrated to the newest version as the autorest libraries are being depricated.
|
We've been able to successfully validate/test this change! @cldmstr can you resolve the conflicts so we can get it merged? |
cldmstr
force-pushed
the
support-azure-workload-identity-authentication
branch
from
60a01ca to
07c6997
Compare
|
Thanks a lot. There was one relevant change to the method I was working on that cropped up during the rebase. I did my best to add the fix to |
ibauersachs
deleted the
support-azure-workload-identity-authentication
branch
Use the Azure Workload Identity federated identity when it is available to authenticate against Azure keyvault. This allows vault to run in an AKS cluster with service accounts federated to service principals or managed identities.
The PR uses the default credential reader, which covers all the Azure login credentials: MSI, Azure CLI or Federated Identity.
This change also updates the Azure client libraries to use the azure-sdk-for-go implementation as the autorest libraries are being depricated at the end of March 2023.