Support Azure Managed Identities for download blob #1594

Closed
zhoufenqin opened this issue Apr 9, 2024 · 6 comments

zhoufenqin commented Apr 9, 2024

Similar to #1503 feature request.

When using an Azure storage account file share to store source code, we should use a blob URL with a SAS token. Currently, kpack doesn't support fetching blobs with keychains; it should be supported.

See the reference about Azure Files identity-based authentication options for SMB access

chenbh self-assigned this May 6, 2024

@chenbh
Contributor

chenbh commented May 13, 2024

Talked to @zhoufenqin on another forum; the main thing asked here is the ability to use workload identity (i.e. service account identity) to access IaaS-specific blob stores. What we came up with is an additional field in the source configuration:

source:
  blob:
    url: "blah.blob.azure.com/1234"
    auth: "" | "helper" | "secret"

• "" means no auth performed
• secret will do the stuff in Download Blob with Basic Auth Secret #1503
• helper will delegate to IaaS-specific SDKs to get an OAuth2 token, which it will use as a bearer token for the GET request.
  For now I'll implement a GCP and Azure helper (purely because those are the only 2 environments I have access to test on). But the cred interface should be simple enough for anyone to implement and contribute.
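
A sketch of the `auth` dispatch described in the comment above, added here as an example and not taken from kpack's code. `TokenHelper`, `staticHelper` and `BuildBlobRequest` are hypothetical names, the token is constructed, and the HTTPS-only rule for bearer tokens is this example's own assumption rather than something the thread states.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
)

// TokenHelper is a hypothetical stand-in for an IaaS SDK credential (not kpack's interface).
type TokenHelper interface{ Token(host string) (string, error) }

// staticHelper returns a constructed token; a real helper would ask the cloud SDK.
type staticHelper struct{ tok string }

func (s staticHelper) Token(string) (string, error) { return s.tok, nil }

// BuildBlobRequest builds the blob GET for one of the proposed auth values.
func BuildBlobRequest(rawURL, auth string, h TokenHelper) (*http.Request, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	switch auth {
	case "": // no auth performed
		return req, nil
	case "helper":
		// Assumption of this example: never attach a bearer token to a non-TLS URL.
		if u.Scheme != "https" || h == nil {
			return nil, errors.New("helper auth needs an https URL and a configured helper")
		}
		tok, err := h.Token(u.Host)
		if err != nil {
			return nil, fmt.Errorf("token helper: %w", err)
		}
		req.Header.Set("Authorization", "Bearer "+tok)
		return req, nil
	default: // "secret" (#1503) and unknown values are outside this sketch
		return nil, fmt.Errorf("auth mode %q not handled here", auth)
	}
}

func main() {
	req, err := BuildBlobRequest("https://blah.blob.azure.com/1234", "helper", staticHelper{"constructed-token"})
	fmt.Println(req != nil && req.Header.Get("Authorization") != "", err)
}
```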

@zhoufenqin
Author

Support managed identity first; workload identity priority is lower than managed identity in our case now.

@chenbh
Contributor

chenbh commented May 14, 2024

Would azidentity.DefaultAzureCredentials work instead of azidentity.ManagedIdentityCredential? It looks like it's the recommended approach by the SDK and will fall back to Managed Identity if none of the other options work.

@zhoufenqin
Author

zhoufenqin commented May 16, 2024

Yes, it works.

@zhoufenqin
Author

@chenbh Do you know which kpack version will release this feature? I didn't see the version tag in the PR.

@chenbh
Contributor

chenbh commented Jun 17, 2024

@zhoufenqin this feature was released in v0.14.0, but you probably want v0.14.1 which has the fix in #1637
