From 88cad135d5a4ced1bcf38138aa2fc21278a54ca8 Mon Sep 17 00:00:00 2001 From: Austin Gebauer Date: Tue, 22 Feb 2022 16:56:49 -0800 Subject: [PATCH 1/6] agent/azure: adds ability to use specific user assigned managed identity for auto auth --- command/agent/auth/azure/azure.go | 32 +++++++++++++++++-- .../docs/agent/autoauth/methods/azure.mdx | 10 ++++++ 2 files changed, 39 insertions(+), 3 deletions(-) diff --git a/command/agent/auth/azure/azure.go b/command/agent/auth/azure/azure.go index bc01e561f38d..6d2fd9096118 100644 --- a/command/agent/auth/azure/azure.go +++ b/command/agent/auth/azure/azure.go @@ -30,6 +30,8 @@ type azureMethod struct { role string resource string + objectID string + clientID string } func NewAzureAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) { @@ -63,11 +65,29 @@ func NewAzureAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) { return nil, errors.New("could not convert 'resource' config value to string") } + objectIDRaw, ok := conf.Config["object_id"] + if ok { + a.objectID, ok = objectIDRaw.(string) + if !ok { + return nil, errors.New("could not convert 'object_id' config value to string") + } + } + + clientIDRaw, ok := conf.Config["client_id"] + if ok { + a.clientID, ok = clientIDRaw.(string) + if !ok { + return nil, errors.New("could not convert 'client_id' config value to string") + } + } + switch { case a.role == "": return nil, errors.New("'role' value is empty") case a.resource == "": return nil, errors.New("'resource' value is empty") + case a.objectID != "" && a.clientID != "": + return nil, errors.New("only one of 'object_id' or 'client_id' can be set") } return a, nil @@ -86,7 +106,7 @@ func (a *azureMethod) Authenticate(ctx context.Context, client *api.Client) (ret } } - body, err := getMetadataInfo(ctx, instanceEndpoint, "") + body, err := getMetadataInfo(ctx, instanceEndpoint, "", "", "") if err != nil { retErr = err return 
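Review bot: The two new fields `objectID` and `clientID` in the azureMethod struct hunk carry no comment, and nothing at the type says they are alternatives to each other; a reader only learns that from the switch in NewAzureAuthMethod further down. A field comment would make the contract visible where the state lives, e.g. `// objectID and clientID optionally select a user-assigned managed identity; at most one may be set (checked in NewAzureAuthMethod).` The struct's opening line is in the hunk header, so the definition begins outside the hunk.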
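Review bot: A present-but-empty `object_id` or `client_id` is accepted silently by the new parsing blocks in NewAzureAuthMethod, whereas `role` and `resource` get a dedicated "value is empty" error in the same switch; with `object_id = ""` the field stays empty and the later request simply omits the parameter, which is an easy misconfiguration to miss. For consistency, add after each type assertion `if a.objectID == "" { return nil, errors.New("'object_id' value is empty") }` (and the same for client_id), or, if an empty value is meant to mean "unset", say so in a comment above the blocks. The parsing itself is sound: the values are only ever added as query parameters through q.Add in the getMetadataInfo hunk, so no further escaping is needed here. NewAzureAuthMethod begins and ends outside the hunk.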
@@ -103,7 +123,7 @@ func (a *azureMethod) Authenticate(ctx context.Context, client *api.Client) (ret AccessToken string `json:"access_token"` } - body, err = getMetadataInfo(ctx, identityEndpoint, a.resource) + body, err = getMetadataInfo(ctx, identityEndpoint, a.resource, a.objectID, a.clientID) if err != nil { retErr = err return @@ -138,7 +158,7 @@ func (a *azureMethod) CredSuccess() { func (a *azureMethod) Shutdown() { } -func getMetadataInfo(ctx context.Context, endpoint, resource string) ([]byte, error) { +func getMetadataInfo(ctx context.Context, endpoint, resource, objectID, clientID string) ([]byte, error) { req, err := http.NewRequest("GET", endpoint, nil) if err != nil { return nil, err @@ -149,6 +169,12 @@ func getMetadataInfo(ctx context.Context, endpoint, resource string) ([]byte, er if resource != "" { q.Add("resource", resource) } + if objectID != "" { + q.Add("object_id", objectID) + } + if clientID != "" { + q.Add("client_id", clientID) + } req.URL.RawQuery = q.Encode() req.Header.Set("Metadata", "true") req.Header.Set("User-Agent", useragent.String()) diff --git a/website/content/docs/agent/autoauth/methods/azure.mdx b/website/content/docs/agent/autoauth/methods/azure.mdx index b2a0abb5830c..a897d5eaf7dd 100644 --- a/website/content/docs/agent/autoauth/methods/azure.mdx +++ b/website/content/docs/agent/autoauth/methods/azure.mdx 
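Review bot: getMetadataInfo now takes three adjacent string parameters (`resource, objectID, clientID`) and still has no doc comment, so the call `getMetadataInfo(ctx, instanceEndpoint, "", "", "")` in the Authenticate hunk gives the reader no hint which blank is which, and a swapped objectID/clientID at the identity-endpoint call would compile and only fail (or select the wrong identity) at runtime. Add a comment above the signature in the preceding hunk along the lines of `// getMetadataInfo GETs endpoint with the Metadata header set; resource, objectID and clientID are added as query parameters when non-empty. Authenticate passes objectID/clientID only for the identity endpoint.` Since the values go through q.Encode they are URL-escaped and need no other sanitising. The rest of getMetadataInfo's body, including the response handling, lies outside the hunk.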
@@ -17,3 +17,13 @@ on the value of the `resource` parameter. - `role` `(string: required)` - The role to authenticate against on Vault - `resource` `(string: required)` - The resource name to use when getting instance information + +- `object_id` `(string: optional)` - The object ID of the user-assigned managed identity to use + when acquiring an [access token](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http). + This parameter is interchangeable with `client_id`. Only one of `object_id` and `client_id` can + be set. + +- `client_id` `(string: optional)` - The client ID of the user-assigned managed identity to use + when acquiring an [access token](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http). + This parameter is interchangeable with `object_id`. Only one of `object_id` and `client_id` can + be set. From cd7265def62ebef5e7f5da472d61cb56cf4bd876 Mon Sep 17 00:00:00 2001 From: Austin Gebauer Date: Tue, 22 Feb 2022 17:16:08 -0800 Subject: [PATCH 2/6] add changelog --- changelog/14214.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 changelog/14214.txt diff --git a/changelog/14214.txt b/changelog/14214.txt new file mode 100644 index 000000000000..773b894b4e46 --- /dev/null +++ b/changelog/14214.txt @@ -0,0 +1,3 @@ +```release-note:improvement +agent: Adds ability to configure specific user-assigned managed identities for Azure auto-auth. +``` From 33ba4098da8f6c2495e53bb4fc80b88b29b17e14 Mon Sep 17 00:00:00 2001 From: Austin Gebauer Date: Tue, 22 Feb 2022 17:25:54 -0800 Subject: [PATCH 3/6] change wording in error and docs --- command/agent/auth/azure/azure.go | 2 +- website/content/docs/agent/autoauth/methods/azure.mdx | 6 ++---- 2 files changed, 3 insertions(+), 5 deletions(-) 
diff --git a/command/agent/auth/azure/azure.go b/command/agent/auth/azure/azure.go index 6d2fd9096118..528e82ffe6cc 100644 --- a/command/agent/auth/azure/azure.go +++ b/command/agent/auth/azure/azure.go @@ -87,7 +87,7 @@ func NewAzureAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) { case a.resource == "": return nil, errors.New("'resource' value is empty") case a.objectID != "" && a.clientID != "": - return nil, errors.New("only one of 'object_id' or 'client_id' can be set") + return nil, errors.New("only one of 'object_id' or 'client_id' may be provided") } return a, nil diff --git a/website/content/docs/agent/autoauth/methods/azure.mdx b/website/content/docs/agent/autoauth/methods/azure.mdx index a897d5eaf7dd..091694a71074 100644 --- a/website/content/docs/agent/autoauth/methods/azure.mdx +++ b/website/content/docs/agent/autoauth/methods/azure.mdx @@ -20,10 +20,8 @@ on the value of the `resource` parameter. - `object_id` `(string: optional)` - The object ID of the user-assigned managed identity to use when acquiring an [access token](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http). - This parameter is interchangeable with `client_id`. Only one of `object_id` and `client_id` can - be set. + This parameter is interchangeable with `client_id`. Only one of `object_id` or `client_id` may be provided. - `client_id` `(string: optional)` - The client ID of the user-assigned managed identity to use when acquiring an [access token](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http). - This parameter is interchangeable with `object_id`. Only one of `object_id` and `client_id` can - be set. + This parameter is interchangeable with `object_id`. Only one of `object_id` or `client_id` may be provided. From e9e844d3445f2c5a8c5ebcd010290324ef776d90 Mon Sep 17 00:00:00 2001 
From: Austin Gebauer <34121980+austingebauer@users.noreply.github.com> Date: Wed, 23 Feb 2022 08:55:20 -0800 Subject: [PATCH 4/6] Update website/content/docs/agent/autoauth/methods/azure.mdx Co-authored-by: Theron Voran --- website/content/docs/agent/autoauth/methods/azure.mdx | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/website/content/docs/agent/autoauth/methods/azure.mdx b/website/content/docs/agent/autoauth/methods/azure.mdx index 091694a71074..f2bcea6d6874 100644 --- a/website/content/docs/agent/autoauth/methods/azure.mdx +++ b/website/content/docs/agent/autoauth/methods/azure.mdx @@ -20,8 +20,8 @@ on the value of the `resource` parameter. - `object_id` `(string: optional)` - The object ID of the user-assigned managed identity to use when acquiring an [access token](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http). - This parameter is interchangeable with `client_id`. Only one of `object_id` or `client_id` may be provided. + Only one of `object_id` or `client_id` may be provided. - `client_id` `(string: optional)` - The client ID of the user-assigned managed identity to use when acquiring an [access token](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http). - This parameter is interchangeable with `object_id`. Only one of `object_id` or `client_id` may be provided. + Only one of `object_id` or `client_id` may be provided. From 044f8feafdb24bc10afd33b539cb4d685fdc6684 Mon Sep 17 00:00:00 2001 From: Austin Gebauer <34121980+austingebauer@users.noreply.github.com> Date: Wed, 23 Feb 2022 11:13:55 -0800 Subject: [PATCH 5/6] Update website/content/docs/agent/autoauth/methods/azure.mdx Co-authored-by: Tom Proctor --- website/content/docs/agent/autoauth/methods/azure.mdx | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) 
diff --git a/website/content/docs/agent/autoauth/methods/azure.mdx b/website/content/docs/agent/autoauth/methods/azure.mdx index f2bcea6d6874..f864ca04ee27 100644 --- a/website/content/docs/agent/autoauth/methods/azure.mdx +++ b/website/content/docs/agent/autoauth/methods/azure.mdx @@ -19,9 +19,11 @@ on the value of the `resource` parameter. - `resource` `(string: required)` - The resource name to use when getting instance information - `object_id` `(string: optional)` - The object ID of the user-assigned managed identity to use - when acquiring an [access token](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http). + when acquiring an [access token][azure-access-token]. Only one of `object_id` or `client_id` may be provided. - `client_id` `(string: optional)` - The client ID of the user-assigned managed identity to use - when acquiring an [access token](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http). + when acquiring an [access token][azure-access-token]. Only one of `object_id` or `client_id` may be provided. + +[azure-access-token]: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http From 3ca18ca201e8085ccff3a8ae3f29478a2532bb38 Mon Sep 17 00:00:00 2001 From: Austin Gebauer Date: Wed, 23 Feb 2022 11:16:31 -0800 Subject: [PATCH 6/6] docs formatting --- website/content/docs/agent/autoauth/methods/azure.mdx | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/website/content/docs/agent/autoauth/methods/azure.mdx b/website/content/docs/agent/autoauth/methods/azure.mdx index f864ca04ee27..d02d0e61e9dd 100644 --- a/website/content/docs/agent/autoauth/methods/azure.mdx +++ b/website/content/docs/agent/autoauth/methods/azure.mdx 
@@ -19,11 +19,11 @@ on the value of the `resource` parameter. - `resource` `(string: required)` - The resource name to use when getting instance information - `object_id` `(string: optional)` - The object ID of the user-assigned managed identity to use - when acquiring an [access token][azure-access-token]. - Only one of `object_id` or `client_id` may be provided. + when acquiring an [access token][azure-access-token]. Only one of `object_id` or `client_id` + may be provided. - `client_id` `(string: optional)` - The client ID of the user-assigned managed identity to use - when acquiring an [access token][azure-access-token]. - Only one of `object_id` or `client_id` may be provided. - + when acquiring an [access token][azure-access-token]. Only one of `object_id` or `client_id` + may be provided. + [azure-access-token]: https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http