Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Backport of VAULT-14644 Add support for Azure WIF auth to auto-auth (for Agent and Proxy) into release/1.14.x #22274

Merged
merged 1 commit into from
Aug 10, 2023
Merged

Backport of VAULT-14644 Add support for Azure WIF auth to auto-auth (for Agent and Proxy) into release/1.14.x #22274

merged 1 commit into from
Aug 10, 2023

Conversation

hc-github-team-secure-vault-core
Copy link
Collaborator

Backport

This PR is auto-generated from #22264 to be assessed for backporting due to the inclusion of the label backport/1.14.x.

The below text is copied from the body of the original PR.

This, together with the plugin changes included in the go.mod, should enable Vault Agent and Proxy to use Azure Workload Identity Federation for authentication.

I used the following for a successful WIF login:

    auto_auth {
      method {
        type      = "azure"
        config = {
          authenticate_from_environment = true
          role = "dev-role"
          resource = "https://management.azure.com/"
        }
      }
    }

Tested in our legacy Azure tenant with Vault and Agent running in K8S, with WIF enabled, e.g.:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: vault-agent
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: vault-agent-service-account
  containers:
  - name: vault-agent
    image:  violethyneshashicorp/vault:aks14
    args:
    - agent
    - -config=/etc/config/agent-config.hcl
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: agent-config
EOF

I couldn't see a good way to test these changes, as it essentially entirely relies on Azure APIs. We don't have any right now, either, likely for similar reasons. I'm open to suggestions, but I worry it might get mock-crazy.

Overview of commits

@hc-github-team-secure-vault-core hc-github-team-secure-vault-core force-pushed the backport/violethynes/VAULT-14644/visually-expert-anteater branch 2 times, most recently from 97cbd0d to 022f91d Compare August 10, 2023 14:28
@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Aug 10, 2023
@VioletHynes VioletHynes enabled auto-merge (squash) August 10, 2023 14:29
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

@github-actions
Copy link

CI Results:
All Go tests succeeded! ✅

@VioletHynes VioletHynes merged commit 486f7d0 into release/1.14.x Aug 10, 2023
@VioletHynes VioletHynes deleted the backport/violethynes/VAULT-14644/visually-expert-anteater branch August 10, 2023 14:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@VioletHynes VioletHynes VioletHynes approved these changes

Assignees
No one assigned
Labels
hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@hc-github-team-secure-vault-core @VioletHynes