
Fix: Authentication Issue: azure.azcollection.azure_rm_storageblob Fails with Disabled Shared Keys #1564

Merged

Conversation

paronbol
Contributor

SUMMARY

PR in order to fix the feature of accessing storage blobs without SAS/key.
It is related to: #1255

ISSUE TYPE
  • Bugfix Pull Request
COMPONENT NAME
  • azure.azcollection.azure_rm_storageblob
  • plugins/module_utils/azure_rm_common.py
ADDITIONAL INFORMATION

Now access without SAS is supported via environment variables and the CLI.

Collaborator

@Fred-sun Fred-sun left a comment


@paronbol This certainly is not reasonable: you go through client_secret.ClientSecretCredential, which is not authorized to obtain credentials and cannot manage blob resources. Thanks!

@Fred-sun Fred-sun added question Further information is requested medium_priority Medium priority work in In trying to solve, or in working with contributors labels May 17, 2024
@paronbol
Contributor Author

paronbol commented May 17, 2024

@paronbol This certainly is not reasonable: you go through client_secret.ClientSecretCredential, which is not authorized to obtain credentials and cannot manage blob resources. Thanks!

Hi @Fred-sun, thank you for your support.

I propose to use client_secret.ClientSecretCredential() because it is exactly the same method used in the working Azure CLI credentials method for the REST API in get_mgmt_svc_client().
It is not even required to import it.
It is used in:

# Existing call in azure_rm_common.py that builds the track2 credential from the client_id/secret/tenant triple
self.azure_credential_track2 = client_secret.ClientSecretCredential(client_id=self.credentials['client_id'],
                                                                     client_secret=self.credentials['secret'],
                                                                     tenant_id=self.credentials['tenant'],
                                                                     authority=self._adfs_authority_url,
                                                                     disable_instance_discovery=self._disable_instance_discovery)

MS Documentation of the ClientSecretCredential Class

Source Code of the class

I tried on a real blob storage and worked. The class is able to obtain credentials to manage blob resources.
But maybe you need to properly configure the RBAC right to access through Microsoft Entra ID; in my case it is a Service Principal.
More info in MS documentation

For security, MS recommends disabling SAS and using login, or a shared key when that is not possible. This is the importance of supporting this feature.

@Fred-sun
Collaborator

@paronbol What you refer to as configuring RBAC access, can you be more specific? I don't quite understand the authorization you mentioned, thank you!

@paronbol
Contributor Author

In order to give a Service Principal access to a Blob Storage you need to grant data access using a role, e.g. the Storage Blob Data Contributor role.
More info in MS documentation
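As an added example (not from this PR or from the collection's own documentation), a playbook that downloads a blob from a storage account whose shared keys are disabled: the service principal is taken from the collection's AZURE_CLIENT_ID / AZURE_SECRET / AZURE_TENANT / AZURE_SUBSCRIPTION_ID environment variables, and `auth_mode: login` makes the module authenticate with the Entra ID token instead of a storage key. The resource group, account, container and blob names are placeholders, and the principal is assumed to already hold a data-plane role such as Storage Blob Data Contributor on the account.

```yaml
# Added example: fetch a blob with an Entra ID service principal login
# instead of the storage account key. All names are placeholders.
# The collection reads the service principal from the environment:
#   export AZURE_CLIENT_ID=<application id>
#   export AZURE_SECRET=<client secret>
#   export AZURE_TENANT=<tenant id>
#   export AZURE_SUBSCRIPTION_ID=<subscription id>
- name: Fetch a blob from a storage account with shared keys disabled
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Download config.json via Entra ID login (no SAS, no account key)
      azure.azcollection.azure_rm_storageblob:
        auth_source: env      # use the service principal from the env vars above
        auth_mode: login      # default is 'key', which fails once shared keys are disabled
        resource_group: example-rg
        storage_account_name: examplestorage
        container: configs
        blob: config.json
        dest: /tmp/config.json

    # With auth_mode left at its default ('key') the module tries to read the
    # account keys, which the storage account rejects when shared key access is
    # turned off. The login path only works if the principal holds a data-plane
    # role (e.g. Storage Blob Data Contributor) on the account: control-plane
    # roles such as Contributor do not grant blob data access.
```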

@Fred-sun
Collaborator

@paronbol I assigned the role, but the mistake is still there; I am investigating the reason, thank you!

@Fred-sun Fred-sun added ready_for_review The PR has been modified and can be reviewed and merged and removed work in In trying to solve, or in working with contributors labels May 20, 2024
@xuzhang3 xuzhang3 merged commit 5571a07 into ansible-collections:dev May 22, 2024
Justwmz pushed a commit to Justwmz/azure that referenced this pull request Nov 4, 2024
…ils with Disabled Shared Keys (ansible-collections#1564)

* Fix: Authentication Issue: azure.azcollection.azure_rm_storageblob Fails with Disabled Shared Keys

* Fix whitespace typo plugins/module_utils/azure_rm_common.py

Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>

* Fix visual indent azure_rm_common.py

---------

Co-authored-by: Fred-sun <37327967+Fred-sun@users.noreply.github.com>
@Ratanavery

Hi, I am facing an issue when trying to use "auth_source: msi" for downloading the Azure storage blob.

Looks like it always defaults to storage account key based access, and when I use "auth_mode: login" it asks for the msgraph module (where I think it will try to log in), but MSI doesn't need to do any login.

PS:
I am able to use the azure key vault without any issues using the MSI.

@Fred-sun
Collaborator

@Ratanavery Thanks for your feedback! Welcome to submit your problems!

@xuzhang3
Collaborator

@Ratanavery Which value did you set for auth_mode? The default is key.
