GCP and Azure Login methods for Go client library #13022
Conversation
…ing, add timeouts
api/auth/azure/azure.go
Outdated
| // for a list of valid environments. | ||
| func WithCloud(cloud azure.Environment) LoginOption { | ||
| return func(a *AzureAuth) error { | ||
| a.resource = cloud.ResourceManagerEndpoint |
There was a problem hiding this comment.
I think something like WithResource makes sense here instead of WithCloud. From the context of this library, the resource is used as a query parameter when requesting an access token from the Azure instance metadata service (IMDS). This value determines the API access that's given to the token (see resource parameter description).
Ultimately, this must match what was configured as the resource for the plugin config, since it'll be expected to appear as the aud claim on the access token (JWT). See the validation code on the plugin side.
There was a problem hiding this comment.
cc @elsesiy I've changed this back to WithResource(url string) because as Austin explained to me, this value is just used to populate the aud claim so it needs to match whatever URL the auth backend was configured with. (Which may not actually be an Azure URL, it just depends on what the one who configured Vault set it as.) No Azure API access is specifically given.
Users are still welcome to use the autorest constants you mentioned to populate the string though if they know theirs is an Azure one.
resource is admittedly a confusing field all around. I'm keeping the default as the Azure public cloud ARM endpoint just to help those users who probably configured their Vault servers with it since that's what "resource" usually means to them.
| @@ -0,0 +1,184 @@ | |||
| package gcp | |||
There was a problem hiding this comment.
It would be cool to eventually replace the login helper (see cli.go) in the plugin with this code. It'd make it quick to add support for obtaining GCE tokens from within GCE instances 👍
| } | ||
| } | ||
|
|
||
| func WithIAMAuth(serviceAccountEmail string) LoginOption { |
There was a problem hiding this comment.
It'd be cool to also have an option to just supply a JWT. For example, you can obtain a signed JWT using gcloud or curl (examples). Not a blocker though, can always add this later.
| @@ -0,0 +1,3 @@ | |||
| ```release-note:improvement | |||
| implements Login method in Go client libraries for GCP and Azure auth methods | |||
There was a problem hiding this comment.
Just a note for next time - we'd want this file to have a submodule as a prefix to this line - in this case, it would be something like: api: Implement Login method in...
I'll tag you as a reviewer on an ENT PR so the changelog will format properly.
There was a problem hiding this comment.
Ah, sorry about that!
* Add native Login method for GCP auth backend * Add native Login method for Azure auth backend * Add changelog entry * Use official azure library Environment struct rather than passing string, add timeouts * Use v1.3.0 which now has interface definition * Don't throw away error and close resp body * Back to WithResource so we can support non-Azure URLs for aud
Continuing with the addition of native Login methods for each auth method to the Go client library, in order to simplify the authentication process for users who may struggle to craft the login request body on their own. As before, there is one module per auth method.