Connect to Azure Storage account using Managed identity and not Account key.

[SebastianClaesson]

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request.
If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Description

The Azure ARM VHD plugin for packer will try to use the account key instead of leveraging the Managed Identity of the VM/VMSS.
In the azure_client.go on row 279 is the definition of the Azure Storage Account connection using an account key.
There could be implemented a check to see if client id/secret is set or if another variable (use_azure_msi?) is set, to support true managed identity integration to interact with the storage account, thus excluding the need for Account keys/SAS tokens, and only allow Azure AD integration.

Use Case(s)

To allow "true" managed identity integration when trying to create a golden image and upload it as a VHD.
Microsoft recommendations are to disallow the use of Account keys.

Potential References

How to set the Managed identity using Azure SDK for go.
https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential

Example:

func Example_client_NewClient() {
	// this example uses Azure Active Directory (AAD) to authenticate with Azure Blob Storage
	accountName, ok := os.LookupEnv("AZURE_STORAGE_ACCOUNT_NAME")
	if !ok {
		panic("AZURE_STORAGE_ACCOUNT_NAME could not be found")
	}
	serviceURL := fmt.Sprintf("https://%s.blob.core.windows.net/", accountName)

	// https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	handleError(err)

	client, err := azblob.NewClient(serviceURL, cred, nil)
	handleError(err)

	fmt.Println(client.URL())
}