Fixes required for use with multiple Cloud Environments #854
Conversation
… is a requirement when used with alternative azure cloud environments. fix(akv_url): Fixed AKV Resource URL, this is required as different azure cloud environments.
fix(line_length): split track2 client_kwargs to 2 lines to keep below the 160 character limit
Hoping to get this in soon, as this is useful to my team as well
Agree with @rmawhinnie - our team needs this soon too. Looking forward to this merge!
Hoping to get this merged soon as well.
It will be very helpful if this gets merged sooner.
@@ -891,12 +891,13 @@ def get_mgmt_svc_client(self, client_type, base_url=None, api_version=None, supp | |||
# Some management clients do not take a subscription ID as parameters. | |||
if suppress_subscription_id: | |||
if is_track2: | |||
client_kwargs = dict(credential=self.azure_auth.azure_credential_track2, base_url=base_url) | |||
client_kwargs = dict(credential=self.azure_auth.azure_credential_track2, base_url=base_url, credential_scopes=[base_url + ".default"]) |
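Review bot: `credential_scopes=[base_url + ".default"]` only produces a valid scope when `base_url` ends with a trailing slash; a value such as `https://management.usgovcloudapi.net` would yield `https://management.usgovcloudapi.net.default`, which names no audience at all and will be rejected just like the wrong-cloud token this change is meant to fix. Suggest normalising first, e.g. `credential_scopes=[base_url.rstrip('/') + '/.default']`, and adding a one-line comment stating that the scope pins the token audience to the target cloud's resource-manager endpoint.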
I'm sorry for replying to you so late. Could you please tell me the function of this parameter (credential_scopes)? Because I didn't apply this parameter in the Track2 SDK. Thank you very much!
Hey @Fred-sun,
It essentially sets the management endpoint the generated auth token is for. If this is not set, it defaults to the AzurePublicCloud URL, and you get the below error when talking to any of the other Azure clouds.
Message: The access token has been obtained for wrong audience or resource 'https://management.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.usgovcloudapi.net/','https://management.core.usgovcloudapi.net','https://management.usgovcloudapi.net/','https://management.usgovcloudapi.net'.
this error was discussed here:
Azure/azure-sdk-for-python#24440
@Fred-sun, do you need any more information on this? We are finding we are jumping through a lot of hoops to get these fixes inside our AWX, EE and Operator-SDK environments.
@dougalII I will move forward with the merge as soon as possible. Thank you very much!
@dougalII LGTM
SUMMARY
Fixes credential_scopes for track2 authentication when connecting to non "Azure Public" cloud environments
Fixes for AKV to correct resource url for non "Azure Public" cloud environments
fixes: #331 #836 #702
ISSUE TYPE
COMPONENT NAME
ADDITIONAL INFORMATION
These changes allow you to use other cloud platforms in azure.
The track2 fixes are related to an azure-sdk issue I created: here. It uses the poorly documented keyword credential_scopes to tell the SDK which environment the token request is for.
The AKV changes are to remove the hard-coded
resource="https://vault.azure.net"
as each cloud environment has its own resource url for AKV.
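Putting the two fixes together, as an added example that is not the collection's or the PR's own code: the helper derives the Track2 credential scope from the resource-manager base URL (normalising the trailing slash), picks the per-cloud Key Vault resource instead of the hard-coded public one, and checks the resulting token audience against the allowed list ARM reports in the error quoted in the review thread. The cloud endpoint table and all function names are assumptions for this example.

```python
# Added example (not the azure collection's own code): derive the Track2
# credential scope and the Key Vault resource from the target cloud so the
# token is minted for the audience that cloud's ARM endpoint will accept.
# The endpoint table below is an assumption taken from public Azure docs;
# the PR itself only shows the public and US Government management hosts.
CLOUD_ENDPOINTS = {
    "AzureCloud": {
        "resource_manager": "https://management.azure.com/",
        "keyvault_resource": "https://vault.azure.net",
    },
    "AzureUSGovernment": {
        "resource_manager": "https://management.usgovcloudapi.net/",
        "keyvault_resource": "https://vault.usgovcloudapi.net",
    },
}


def credential_scope(base_url):
    """Return '<audience>/.default' for a resource-manager base URL.

    The trailing slash is normalised so the audience part of the scope is
    exactly the ARM host whether or not base_url ends in '/'.
    """
    if not base_url.startswith("https://"):
        raise ValueError("base_url must be an absolute https URL: %r" % base_url)
    return base_url.rstrip("/") + "/.default"


def track2_client_kwargs(credential, cloud, base_url=None):
    """Build the kwargs the patched code passes to a Track2 client."""
    base_url = base_url or CLOUD_ENDPOINTS[cloud]["resource_manager"]
    return dict(credential=credential, base_url=base_url,
                credential_scopes=[credential_scope(base_url)])


def keyvault_resource(cloud):
    """Per-cloud replacement for the hard-coded 'https://vault.azure.net'."""
    return CLOUD_ENDPOINTS[cloud]["keyvault_resource"]


def audience_accepted(scope, allowed_audiences):
    """Check a scope's audience against the list ARM reports as allowed.

    ARM lists each audience with and without a trailing slash, so compare
    the normalised forms.
    """
    audience = scope[:-len("/.default")] if scope.endswith("/.default") else scope
    allowed = {a.rstrip("/") for a in allowed_audiences}
    return audience.rstrip("/") in allowed
```

With the US Government endpoints the scope becomes `https://management.usgovcloudapi.net/.default`, which is one of the audiences the quoted error lists as allowed, while the public-cloud scope is rejected.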