[Identity] Add support for Bridge to Kubernetes to ManagedIdentityCredential (#15856)

* [Identity] Add support for Bridge to Kubernetes to ManagedIdentityCredential

* one very simple test

* forgot this line
sadasant authored Jun 28, 2021
1 parent 8919e6a commit ec4abba
Showing 3 changed files with 19 additions and 2 deletions.
1 change: 1 addition & 0 deletions sdk/identity/identity/CHANGELOG.md
Expand Up @@ -37,6 +37,7 @@
- `AuthenticationRequiredError` (introduced in 2.0.0-beta.1) now has the same impact on `ChainedTokenCredential` as the `CredentialUnavailableError` which is to allow the next credential in the chain to be tried.
- `ManagedIdentityCredential` now retries with exponential back-off when a request for a token fails with a 404 status code on environments with available IMDS endpoints.
- Added an `AzurePowerShellCredential` which will use the authenticated user session from the `Az.Account` PowerShell module. This credential will attempt to use PowerShell Core by calling `pwsh`, and on Windows it will fall back to Windows PowerShell (`powershell`) if PowerShell Core is not available.
- Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication.

### Breaking changes from 2.0.0-beta.1

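Review bot: the new entry on the added line does not say how the feature is switched on, so a reader of the changelog has to dig into the source to find it. Suggest naming the trigger explicitly, e.g. "Added support to `ManagedIdentityCredential` for Bridge to Kubernetes local development authentication, enabled when the `AZURE_POD_IDENTITY_TOKEN_URL` environment variable is set."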
Expand Down
Expand Up @@ -44,7 +44,7 @@ function prepareRequestOptions(resource?: string, clientId?: string): RequestPre
}

return {
url: imdsEndpoint,
url: process.env.AZURE_POD_IDENTITY_TOKEN_URL ?? imdsEndpoint,
method: "GET",
queryParameters,
headers: {
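Review bot: `process.env.AZURE_POD_IDENTITY_TOKEN_URL ?? imdsEndpoint` only falls back when the variable is null or undefined, so a variable that is exported but empty (`AZURE_POD_IDENTITY_TOKEN_URL=""`) yields a request with `url: ""` instead of the IMDS endpoint. Since this value decides where the token request (and its `clientId`/`resource` query parameters) is sent, consider treating an empty value as unset and validating the string up front, e.g. `const podUrl = process.env.AZURE_POD_IDENTITY_TOKEN_URL; url: podUrl ? new URL(podUrl).toString() : imdsEndpoint,` so a malformed value fails fast with a clear error rather than a confusing transport failure.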
Expand Down Expand Up @@ -73,6 +73,11 @@ export const imdsMsi: MSI = {
getTokenOptions
);

// if the PodIdenityEndpoint environment variable was set no need to probe the endpoint, it can be assumed to exist
if (process.env.AZURE_POD_IDENTITY_TOKEN_URL) {
return true;
}

const request = prepareRequestOptions(resource, clientId);

// This will always be populated, but let's make TypeScript happy
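Review bot: the comment on the added lines has a typo ("PodIdenityEndpoint") and names something other than the variable actually checked; suggest `// If AZURE_POD_IDENTITY_TOKEN_URL is set (Bridge to Kubernetes), skip probing IMDS: the endpoint is assumed to exist.` Note also that this early `return true` is a truthiness check, whereas `prepareRequestOptions` uses `??`, so an empty-string value is treated as unset here but as set there; the two should agree. Because the probe is skipped, a wrong URL now surfaces as a token-request failure later in `getToken` rather than as the credential being unavailable, so a debug log line stating that the probe was skipped because of the variable would help when diagnosing that case.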
Expand Down
Expand Up @@ -15,7 +15,10 @@ import {
import { MockAuthHttpClient, MockAuthHttpClientOptions, assertRejects } from "../../authTestUtils";
import { OAuthErrorResponse } from "../../../src/client/errors";
import Sinon from "sinon";
import { imdsMsiRetryConfig } from "../../../src/credentials/managedIdentityCredential/imdsMsi";
import {
imdsMsi,
imdsMsiRetryConfig
} from "../../../src/credentials/managedIdentityCredential/imdsMsi";
import { mkdtempSync, rmdirSync, unlinkSync, writeFileSync } from "fs";
import { join } from "path";
import { tmpdir } from "os";
Expand All @@ -37,6 +40,7 @@ describe("ManagedIdentityCredential", function() {
delete process.env.MSI_SECRET;
delete process.env.IDENTITY_SERVER_THUMBPRINT;
delete process.env.IMDS_ENDPOINT;
delete process.env.AZURE_POD_IDENTITY_TOKEN_URL;
sandbox = Sinon.createSandbox();
});
afterEach(() => {
Expand All @@ -47,6 +51,7 @@ describe("ManagedIdentityCredential", function() {
process.env.MSI_SECRET = env.MSI_SECRET;
process.env.IDENTITY_SERVER_THUMBPRINT = env.IDENTITY_SERVER_THUMBPRINT;
process.env.IMDS_ENDPOINT = env.IMDS_ENDPOINT;
process.env.AZURE_POD_IDENTITY_TOKEN_URL = env.AZURE_POD_IDENTITY_TOKEN_URL;
sandbox.restore();
});

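Review bot: the added line follows the existing restore pattern, but in Node assigning `undefined` to a `process.env` property stores the string `"undefined"`, so if `env.AZURE_POD_IDENTITY_TOKEN_URL` was never set, after this `afterEach` the variable is a truthy `"undefined"` and `imdsMsi.isAvailable()` would return true for any later suite that does not clear it. Suggest restoring conditionally, e.g. `if (env.AZURE_POD_IDENTITY_TOKEN_URL === undefined) { delete process.env.AZURE_POD_IDENTITY_TOKEN_URL; } else { process.env.AZURE_POD_IDENTITY_TOKEN_URL = env.AZURE_POD_IDENTITY_TOKEN_URL; }` (the same caveat applies to the pre-existing lines above it).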
Expand Down Expand Up @@ -244,6 +249,12 @@ describe("ManagedIdentityCredential", function() {
clock.restore();
});

it("IMDS MSI skips verification if the AZURE_POD_IDENTITY_TOKEN_URL environment variable is available", async function() {
process.env.AZURE_POD_IDENTITY_TOKEN_URL = "token URL";

assert.ok(await imdsMsi.isAvailable());
});

// Unavailable exception throws while IMDS endpoint is unavailable. This test not valid.
// it("can extend timeout for IMDS endpoint", async function() {
// // Mock a timeout so that the endpoint ping fails
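Review bot: the new test only covers the `isAvailable()` shortcut and uses `"token URL"`, which is not a URL; nothing asserts that `getToken` actually sends the request to the configured endpoint, which is the behaviour changed in `prepareRequestOptions`. Suggest using a realistic value such as `http://127.0.0.1:8080/token` (placeholder) and adding a second test that stubs the HTTP client, calls `getToken`, and asserts that the captured request's `url` equals `process.env.AZURE_POD_IDENTITY_TOKEN_URL` and not the IMDS endpoint.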
Expand Down
