Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

VAULT-14644 Add support for Azure WIF auth to auto-auth (for Agent and Proxy) #22264

Merged
merged 11 commits into from Aug 10, 2023
Merged

VAULT-14644 Add support for Azure WIF auth to auto-auth (for Agent and Proxy) #22264

merged 11 commits into from Aug 10, 2023

Conversation

VioletHynes
Copy link
Contributor

@VioletHynes VioletHynes commented Aug 9, 2023
edited

This, together with the plugin changes included in the go.mod, should enable Vault Agent and Proxy to use Azure Workload Identity Federation for authentication.

I used the following for a successful WIF login:

    auto_auth {
      method {
        type      = "azure"
        config = {
          authenticate_from_environment = true
          role = "dev-role"
          resource = "https://management.azure.com/"
        }
      }
    }

Tested in our legacy Azure tenant with Vault and Agent running in K8S, with WIF enabled, e.g.:

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: vault-agent
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: vault-agent-service-account
  containers:
  - name: vault-agent
    image:  violethyneshashicorp/vault:aks14
    args:
    - agent
    - -config=/etc/config/agent-config.hcl
    volumeMounts:
    - name: config-volume
      mountPath: /etc/config
  volumes:
    - name: config-volume
      configMap:
        name: agent-config
EOF

I couldn't see a good way to test these changes, as it essentially entirely relies on Azure APIs. We don't have any right now, either, likely for similar reasons. I'm open to suggestions, but I worry it might get mock-crazy.

@github-actions github-actions bot added the hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed label Aug 9, 2023
@VioletHynes VioletHynes added this to the 1.14.2 milestone Aug 9, 2023
@VioletHynes VioletHynes marked this pull request as ready for review August 9, 2023 18:56
@VioletHynes VioletHynes requested a review from a team as a code owner August 9, 2023 18:56
@github-actions
Copy link

github-actions bot commented Aug 9, 2023

CI Results:
All Go tests succeeded! ✅

peteski22
peteski22 approved these changes Aug 10, 2023
View reviewed changes
Copy link
Contributor

@peteski22 peteski22 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM added a few suggestions 😄

command/agentproxyshared/auth/azure/azure.go Show resolved Hide resolved
command/agentproxyshared/auth/azure/azure.go
Comment on lines +210 to +211
// getTokenFromIdentityEndpoint is kept for backwards compatibility purposes. Using the
// newer APIs and the Azure SDK should be preferred over this mechanism.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// getTokenFromIdentityEndpoint is kept for backwards compatibility purposes. Using the
// newer APIs and the Azure SDK should be preferred over this mechanism.
// getTokenFromIdentityEndpoint is kept for backwards compatibility purposes. Using the
// newer APIs and the Azure SDK should be preferred over this mechanism.
// Deprecated: use getAzureTokenFromEnvironment.

Should we mark this with deprecated to give folks a warning in their IDE?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know that it's deprecated, per se - it's the 'old'/'legacy' way of doing things but I don't think it's deprecated from a Vault-product standpoint or an Azure product standpoint.

website/content/docs/agent-and-proxy/autoauth/methods/azure.mdx Outdated Show resolved Hide resolved
website/content/docs/agent-and-proxy/autoauth/methods/azure.mdx Outdated Show resolved Hide resolved
website/content/docs/agent-and-proxy/autoauth/methods/azure.mdx Outdated Show resolved Hide resolved
@github-actions
Copy link

Build Results:
All builds succeeded! ✅

@VioletHynes VioletHynes merged commit 7e5f2ce into main Aug 10, 2023
100 checks passed
@VioletHynes VioletHynes deleted the violethynes/VAULT-14644 branch August 10, 2023 14:28
@VioletHynes VioletHynes added the backport/1.14.x Backport changes to `release/1.14.x` label Aug 10, 2023
Merged
hellobontempo pushed a commit that referenced this pull request Aug 18, 2023
@VioletHynes @hellobontempo
VAULT-14644 Add support for Azure WIF auth to auto-auth (for Agent an…
ad17609 
…d Proxy) (#22264)

* VAULT-14644 first draft of changes for WIF support

* VAULT-14644 Potentially finalize Agent work for WIF support

* VAULT-14644 finishing touches

* VAULT-14644 finishing touches

* VAULT-14644 remove extra log

* VAULT-14644 better docs

* VAULT-14644 changelog

* VAULT-14644 review feedback
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@peteski22 peteski22 peteski22 approved these changes

@kpcraig kpcraig Awaiting requested review from kpcraig

@marcboudreau marcboudreau Awaiting requested review from marcboudreau

Assignees
No one assigned
Labels
backport/1.14.x Backport changes to `release/1.14.x` hashicorp-contributed-pr If the PR is HashiCorp (i.e. not-community) contributed
Projects
None yet
Milestone
1.14.2
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@VioletHynes @peteski22