
[QUERY]|Using shared images across tenants. #3819

Closed
darc1 opened this issue Jun 4, 2019 · 8 comments
Labels
Compute - VM customer-reported Issues that are reported by GitHub users external to the Azure organization. Mgmt This issue is related to a management-plane library. question The issue doesn't require a change to the product in order to be resolved. Most issues start as that Service Attention Workflow: This issue is responsible by Azure service team.

Comments

darc1 commented Jun 4, 2019

Query/Question
I want to use images between tenants using shared image galleries, as described here, using the Java SDK, but there is no documentation as to how authentication to 2 different tenants can be done.

Why is this not a Bug or a feature Request?
This can be done using the Azure CLI and the REST API. I already have a shared image created and the app registration set up; what I'm missing is how to deploy the image to a different tenant. These are the steps using the CLI:

az account clear
az login --service-principal -u '<app ID>' -p '<Secret>' --tenant '<tenant 1 ID>'
az account get-access-token

az login --service-principal -u '<app ID>' -p '<Secret>' --tenant '<tenant 2 ID>'
az account get-access-token

az vm create \
  --resource-group myResourceGroup \
  --name myVM \
  --image "/subscriptions/<Tenant 1 subscription>/resourceGroups/<Resource group>/providers/Microsoft.Compute/galleries/<Gallery>/images/<Image definition>/versions/<version>" \
  --admin-username azureuser \
  --generate-ssh-keys

Setup (please complete the following information if applicable):

  • OS: ubuntu
  • IDE : intelliJ
  • Version of the Library used : 1.22.0
@kurtzeborn kurtzeborn added Compute - VM customer-reported Issues that are reported by GitHub users external to the Azure organization. Mgmt This issue is related to a management-plane library. Service Attention Workflow: This issue is responsible by Azure service team. labels Jun 5, 2019
kurtzeborn (Member) commented

Thank you for opening this issue! We are routing it to the appropriate team for follow up.

darc1 (Author) commented Jun 6, 2019

I found the solution: you need to use the RestClient.

import java.text.MessageFormat;
import java.util.concurrent.Executors;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.ClientCredential;
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.AzureResponseBuilder;
import com.microsoft.azure.management.Azure;
import com.microsoft.azure.management.resources.fluentcore.utils.ProviderRegistrationInterceptor;
import com.microsoft.azure.management.resources.fluentcore.utils.ResourceManagerThrottlingInterceptor;
import com.microsoft.azure.serializer.AzureJacksonAdapter;
import com.microsoft.rest.RestClient;

// azCredentials: AzureTokenCredentials (e.g. ApplicationTokenCredentials) for the tenant the VM is
// deployed into. credentials: the poster's own holder for that tenant's ID and subscription ID.
// sharedImageTenantId: the tenant that owns the shared image gallery.
RestClient client = new RestClient.Builder()
                .withBaseUrl(azCredentials.environment(), AzureEnvironment.Endpoint.RESOURCE_MANAGER)
                .withCredentials(azCredentials)
                .withSerializerAdapter(new AzureJacksonAdapter())
                .withResponseBuilderFactory(new AzureResponseBuilder.Factory())
                .withInterceptor(new ProviderRegistrationInterceptor(azCredentials))
                .withInterceptor(new ResourceManagerThrottlingInterceptor())
                .build();

// Authenticate the management client against the deploying tenant using the RestClient built above.
Azure azure = Azure.authenticate(client,
                credentials.getTenant()).withSubscription(credentials.getSubscriptionId());

// Acquire a second ARM token from the image-owning tenant with the same client credentials and
// attach it as the auxiliary authorization header; the header is sent on every request this client makes.
final String AUTHORITY = "https://login.microsoftonline.com/{0}/oauth2/token";
final String RESOURCE = "https://management.core.windows.net/";
String authority = MessageFormat.format(AUTHORITY, sharedImageTenantId);
AuthenticationContext context = new AuthenticationContext(authority, false, Executors.newFixedThreadPool(1));
ClientCredential clientCredential = new ClientCredential(clientId, secret);
String accessToken = context.acquireToken(RESOURCE, clientCredential, null).get().getAccessToken();
String serviceToken = MessageFormat.format("Bearer {0}", accessToken);
client.headers().addHeader("x-ms-authorization-auxiliary", serviceToken);

Creating a virtual machine from the shared image works now.
It would be great if we could just add custom headers to the create VM request.

paulojohnj commented Jun 17, 2019

Out of curiosity, @darc1, were you able to list resources that you have shared access to, or only launch the VM in this specific context? As in, could the authenticated session allow for the listing of all image galleries you have access to:

azure.imageGalleries().list() returning both your own gallery and the one that you were given shared access to

Update: I believe I answered my own question; you can list "shared access" resources if you authenticate against that tenant and subscription ID.

@mjconnection mjconnection added the question The issue doesn't require a change to the product in order to be resolved. Most issues start as that label Jun 17, 2019
mjconnection commented

@darc1 - Thanks for posting your question. It appears that you have resolved your own issue. Please let us know if there is anything else that you need.

ADanciulescu commented

+1, Darc1's workaround worked for me. Are there any plans to support a more official solution to the multi-tenant authentication, or is this the intended long-term method?

Also note, the token expires after an hour, as the login is not done using a service principal, so I had to periodically refresh the token by running

client.headers().replaceHeader("x-ms-authorization-auxiliary", newToken);
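
The token-expiry problem above can be handled inside the client rather than by calling replaceHeader() from a timer. The following is an added example, not code from the thread or from the Azure SDK: it packages darc1's workaround (the auxiliary ARM token for the image-owning tenant) as an OkHttp interceptor that the track-1 RestClient.Builder accepts via withInterceptor(), re-acquiring the token whenever fewer than five minutes of its lifetime remain. The class name AuxiliaryTokenInterceptor, the five-minute skew and the parameter names (imageTenantId, deployTenantCreds, subscriptionId) are this example's own choices; the ADAL4J and client-runtime calls are the ones used in the thread.

```java
import java.io.IOException;
import java.net.MalformedURLException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Executors;

import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;
import com.microsoft.aad.adal4j.ClientCredential;
import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.AzureResponseBuilder;
import com.microsoft.azure.credentials.ApplicationTokenCredentials;
import com.microsoft.azure.management.Azure;
import com.microsoft.azure.management.resources.fluentcore.utils.ProviderRegistrationInterceptor;
import com.microsoft.azure.management.resources.fluentcore.utils.ResourceManagerThrottlingInterceptor;
import com.microsoft.azure.serializer.AzureJacksonAdapter;
import com.microsoft.rest.RestClient;

import okhttp3.Interceptor;
import okhttp3.Request;
import okhttp3.Response;

/**
 * Example (not part of the SDK): stamps x-ms-authorization-auxiliary on every ARM request
 * with a client-credentials token from the tenant that owns the shared image gallery,
 * refreshing that token shortly before it expires so no caller has to call replaceHeader().
 */
public final class AuxiliaryTokenInterceptor implements Interceptor {
    static final String HEADER = "x-ms-authorization-auxiliary";
    // ADAL v1 resource identifier for Azure Resource Manager (same value darc1 used).
    static final String ARM_RESOURCE = "https://management.core.windows.net/";
    // Assumed refresh margin: re-acquire when less than five minutes of lifetime remain.
    static final long REFRESH_SKEW_MS = 5L * 60 * 1000;

    private final AuthenticationContext context;
    private final ClientCredential credential;
    private AuthenticationResult cached; // guarded by synchronized currentToken()

    public AuxiliaryTokenInterceptor(String imageTenantId, String clientId, String clientSecret)
            throws MalformedURLException {
        this.context = new AuthenticationContext(
                "https://login.microsoftonline.com/" + imageTenantId + "/oauth2/token",
                false, Executors.newFixedThreadPool(1));
        this.credential = new ClientCredential(clientId, clientSecret);
    }

    @Override
    public Response intercept(Chain chain) throws IOException {
        Request withAux = chain.request().newBuilder()
                .header(HEADER, "Bearer " + currentToken())
                .build();
        return chain.proceed(withAux);
    }

    /** Returns the cached auxiliary token, acquiring a new one when missing or near expiry. */
    synchronized String currentToken() throws IOException {
        long now = System.currentTimeMillis();
        if (cached == null || cached.getExpiresOnDate().getTime() - now < REFRESH_SKEW_MS) {
            try {
                cached = context.acquireToken(ARM_RESOURCE, credential, null).get();
            } catch (InterruptedException | ExecutionException e) {
                throw new IOException("auxiliary token acquisition failed", e);
            }
        }
        return cached.getAccessToken();
    }

    /** Builds a management client for the deploying tenant with the auxiliary interceptor wired in. */
    public static Azure authenticate(ApplicationTokenCredentials deployTenantCreds,
                                     String subscriptionId,
                                     AuxiliaryTokenInterceptor auxiliary) {
        RestClient client = new RestClient.Builder()
                .withBaseUrl(deployTenantCreds.environment(), AzureEnvironment.Endpoint.RESOURCE_MANAGER)
                .withCredentials(deployTenantCreds)
                .withSerializerAdapter(new AzureJacksonAdapter())
                .withResponseBuilderFactory(new AzureResponseBuilder.Factory())
                .withInterceptor(new ProviderRegistrationInterceptor(deployTenantCreds))
                .withInterceptor(new ResourceManagerThrottlingInterceptor())
                .withInterceptor(auxiliary)
                .build();
        return Azure.authenticate(client, deployTenantCreds.domain())
                .withSubscription(subscriptionId);
    }
}
```

Two things to keep in mind when using something like this: the auxiliary header carries a full bearer token for the image-owning tenant and is attached to every ARM call the client makes, so build a dedicated client for the cross-tenant deployment rather than reusing a general-purpose one, and grant the service principal only read access to the gallery image in that tenant. Azure Resource Manager also accepts more than one token in this header, which is what weidongxu-microsoft's "list of TokenCredential" refers to further down the thread.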

jianghaolu (Contributor) commented

We will attempt a more elegant solution via #6040.

joshfree (Member) commented

Tagging @yaohaizh since this is management plane. @yaohaizh could you share more of the management plane SDK plans for migrating to newer track-2 azure-identity for picking up newer identity support / capabilities for folks who are finding this bug post online and looking for more information?

weidongxu-microsoft (Member) commented

Java supports this (yaohao did the first implementation about 2 years ago, Azure/azure-libraries-for-java#884):

AzureResourceManager azureResourceManager = AzureResourceManager
        .configure()
        .withAuxiliaryCredential(anotherTokenCredential)
        .authenticate(credential, profile)
        .withDefaultSubscription();

Alternatively, this can be a list of TokenCredential.

There were a few bug fixes and improvements afterwards, and the same logic is now in azure-resourcemanager as well.
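
Putting the track-2 API above to use for the scenario in the original question, here is an added example (not from the thread or the SDK) that authenticates against the deploying tenant with an azure-identity ClientSecretCredential, passes a second ClientSecretCredential for the image-owning tenant as the auxiliary credential, and creates a Linux VM from a shared gallery image version ID of the form shown in darc1's CLI command. It assumes a multi-tenant app registration whose service principal exists in both tenants (the setup the question says is already in place); the environment variable names, the resource group and VM names, the region and the fluent method withLinuxGalleryImageVersion are this example's own choices and should be checked against the azure-resourcemanager version in use.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.Region;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.ClientSecretCredentialBuilder;
import com.azure.resourcemanager.AzureResourceManager;
import com.azure.resourcemanager.compute.models.VirtualMachine;
import com.azure.resourcemanager.compute.models.VirtualMachineSizeTypes;

/** Example (not SDK code): create a VM in tenant 2 from a gallery image owned by tenant 1. */
public final class CrossTenantGalleryVm {

    public static void main(String[] args) {
        // All identifiers come from the environment so that no secret lives in source control.
        String clientId = env("AZURE_CLIENT_ID");
        String clientSecret = env("AZURE_CLIENT_SECRET");
        String deployTenantId = env("DEPLOY_TENANT_ID");            // tenant 2: where the VM is created
        String deploySubscriptionId = env("DEPLOY_SUBSCRIPTION_ID"); // subscription in tenant 2
        String imageTenantId = env("IMAGE_TENANT_ID");              // tenant 1: owns the gallery
        // Full resource ID: /subscriptions/<tenant 1 sub>/resourceGroups/<rg>/providers/
        //   Microsoft.Compute/galleries/<gallery>/images/<definition>/versions/<version>
        String galleryImageVersionId = env("GALLERY_IMAGE_VERSION_ID");
        String sshPublicKey = env("SSH_PUBLIC_KEY");

        if (deployTenantId.equals(imageTenantId)) {
            throw new IllegalStateException("auxiliary credential is only needed when the tenants differ");
        }

        // Primary credential: the tenant the VM is deployed into.
        TokenCredential primary = new ClientSecretCredentialBuilder()
                .clientId(clientId).clientSecret(clientSecret).tenantId(deployTenantId).build();
        // Auxiliary credential: same app, same secret, but a token issued by the image-owning tenant.
        // The SDK sends it in x-ms-authorization-auxiliary alongside the primary Authorization header.
        TokenCredential auxiliary = new ClientSecretCredentialBuilder()
                .clientId(clientId).clientSecret(clientSecret).tenantId(imageTenantId).build();

        AzureProfile profile = new AzureProfile(deployTenantId, deploySubscriptionId, AzureEnvironment.AZURE);

        AzureResourceManager azure = AzureResourceManager.configure()
                .withAuxiliaryCredential(auxiliary)
                .authenticate(primary, profile)
                .withSubscription(deploySubscriptionId);

        // The region must be one the image version is replicated to, or the create call fails.
        VirtualMachine vm = azure.virtualMachines().define("myVM")
                .withRegion(Region.US_EAST)
                .withExistingResourceGroup("myResourceGroup")
                .withNewPrimaryNetwork("10.0.0.0/24")
                .withPrimaryPrivateIPAddressDynamic()
                .withoutPrimaryPublicIPAddress()
                .withLinuxGalleryImageVersion(galleryImageVersionId)
                .withRootUsername("azureuser")
                .withSsh(sshPublicKey)
                .withSize(VirtualMachineSizeTypes.STANDARD_B1S)
                .create();

        System.out.println("Created " + vm.id());
    }

    private static String env(String name) {
        String value = System.getenv(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("missing environment variable " + name);
        }
        return value;
    }
}
```

Least privilege still applies with the auxiliary credential: the service principal needs a role that can read the gallery image version in tenant 1 and create resources in the target resource group in tenant 2, nothing broader, and the token for tenant 1 is handed to ARM on every call this AzureResourceManager instance makes.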
