Skip to content
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
59 lines (46 sloc) 3.01 KB

Server plugin: NodeResolver "azure_msi"

Must be used in conjunction with the server azure_msi nodeattestor plugin

The azure_msi plugin attests resolves nodes running in Microsoft Azure that have attested using Managed Service Identity (MSI). The resolver extracts the Tenant ID and Principal ID from the agent SPIFFE ID and uses the various Azure services to get information for building a set of selectors.

The set of selectors current supported:

Selector Example Description
Subscription ID subscription-id:d5b40d61-272e-48da-beb9-05f295c42bd6 The subscription the node belongs to
Virtual Machine Name vm-name:frontend:blog The name of the virtual machine (e.g. blog) qualified by the resource group (e.g. frontend)
Network Security Group network-security-group:frontend:webservers The name of the network security group (e.g. webservers) qualified by the resource group (e.g. frontend)
Virtual Network virtual-network:frontend:vnet The name of the virtual network (e.g. vnet) qualified by the resource group (e.g. frontend)
Virtual Network Subnet virtual-network:frontend:vnet:default The name of the virtual network subnet (e.g. default) qualfied by the virtual network and resource group

All of the selectors have the type azure_msi.

The server plugin does not need to be running in Azure in order to perform node resolution. The plugin can be configured to authenticate with Azure services using either MSI or credentials for an application registered in an Azure AD tenant. If MSI is used for authentication, only resolver will only be able to resolve nodes within the same tenant.

Configuration Description Default
use_msi Whether or not to use MSI to authenticate to Azure services. If true, the tenants map must be empty. false
tenants A map of tenants, keyed by tenant ID. use_msi must be false if this value is set.

Each tenant in the tenant configuration map supports the following:

Configuration Description Default
subscription_id The subscription the tenant resides in
app_id The application id
app_secret The application secret

A sample configuration:

    NodeResolver "azure_msi" {
        enabled = true
        plugin_data {
            use_msi = false
            tenants = {
                TENANT_ID = {
                    subscription_id = SUBSCRIPTION_ID
                    app_id = APP_ID
                    app_secret = APP_SECRET
You can’t perform that action at this time.