Investigate using Azure Identity over autorest #322

Open
4 tasks
Tracked by #164 ...
stevendborrelli opened this issue Jan 3, 2022 · 5 comments

stevendborrelli commented Jan 3, 2022

What problem are you facing?

The --sdk-auth option in the Azure CLI was deprecated in Azure/azure-cli#19414 and restored in Azure/azure-cli#19872 with a deprecation warning.

As documented in the Crossplane Getting Started Guide, the --sdk-auth option is used to create a JSON file that is compatible with the Go authentication client we are using, go-autorest.

End users who are using the Getting Started guide have started to report the following note when creating service principals:

Option '--sdk-auth' has been deprecated and will be removed in a future release.

The Crossplane provider uses the Azure Go SDK in combination with go-autorest. The newest Azure Go Authorization docs indicate that going forward Azure Identity will be used.

Moving forward, authentication for the Azure SDK for Go will be done using the Azure Identity package.

How could Crossplane help solve your problem?

  • Reach out to MS to understand the future use of go-autorest
  • Investigate if we need to migrate to azidentity.

Related issues:

@stevendborrelli stevendborrelli added the enhancement New feature or request label Jan 3, 2022
@sergenyalcin sergenyalcin self-assigned this Feb 10, 2022
@sergenyalcin
Contributor

As mentioned in the description of this issue, the official docs suggest using the new authorization package: azidentity. At this point we have a prerequisite: we need to update the Go SDK version to consume the new authorization tool. Please see this issue: #327. There is a PR for updating this version: #326

To understand the impact of the --sdk-auth flag's deprecation, I tested a scenario. I generated credentials without using the --sdk-auth flag, and these credentials were used in a provider config. Trying to create a ResourceGroup resource by using the new credentials (without the --sdk-auth flag) was unsuccessful. So it seems that, when the --sdk-auth flag was removed from the CLI, we have to change the authorization method.

For this migration (from autorest -> azidentity), we also need to change the APIs used, because the currently used APIs (azure-sdk-for-go/services/...) are not compatible with the new authorization method. The following APIs are compatible with the azidentity tool: https://github.com/Azure/azure-sdk-for-go/tree/main/sdk/resourcemanager

Therefore, it seems that the size of this change will not be small. Also, the possible impacts of this change must be thought through carefully (e.g. possible behavior changes...).
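
An added example, not code from this issue or from the provider: a standard-library Go sketch that accepts either service principal JSON shape and normalizes it to the four values a client-secret login needs. It assumes the key names the Azure CLI emits for `az ad sp create-for-rbac` (`clientId`/`clientSecret`/`tenantId`/`subscriptionId` with --sdk-auth, `appId`/`password`/`tenant` without it); `SPCredentials`, `ParseSPCredentials` and the sample values are hypothetical and constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed samples with placeholder values: the --sdk-auth shape and the default CLI output shape.
const sampleSDKAuth = `{"clientId":"11111111-1111-1111-1111-111111111111","clientSecret":"placeholder-secret","subscriptionId":"22222222-2222-2222-2222-222222222222","tenantId":"33333333-3333-3333-3333-333333333333"}`
const sampleDefault = `{"appId":"11111111-1111-1111-1111-111111111111","displayName":"example-sp","password":"placeholder-secret","tenant":"33333333-3333-3333-3333-333333333333"}`

// SPCredentials (hypothetical type) holds what a client-secret login needs.
type SPCredentials struct{ ClientID, ClientSecret, TenantID, SubscriptionID string }

// ParseSPCredentials normalizes either JSON shape. fallbackSub supplies the
// subscription ID when the input does not carry one.
func ParseSPCredentials(data []byte, fallbackSub string) (SPCredentials, error) {
	var m map[string]interface{}
	if err := json.Unmarshal(data, &m); err != nil {
		return SPCredentials{}, fmt.Errorf("parse credentials: %w", err)
	}
	get := func(keys ...string) string {
		for _, k := range keys {
			if s, ok := m[k].(string); ok && s != "" {
				return s
			}
		}
		return ""
	}
	c := SPCredentials{get("clientId", "appId"), get("clientSecret", "password"), get("tenantId", "tenant"), get("subscriptionId")}
	if c.SubscriptionID == "" {
		c.SubscriptionID = fallbackSub // the default output carries no subscription
	}
	var missing []string
	for _, f := range [][2]string{{"clientId", c.ClientID}, {"clientSecret", c.ClientSecret}, {"tenantId", c.TenantID}, {"subscriptionId", c.SubscriptionID}} {
		if f[1] == "" {
			missing = append(missing, f[0])
		}
	}
	if len(missing) > 0 { // name the fields only; never echo secret values
		return SPCredentials{}, fmt.Errorf("missing fields: %s", strings.Join(missing, ", "))
	}
	return c, nil
}

func main() {
	_, err := ParseSPCredentials([]byte(sampleDefault), "")
	fmt.Println("default output, no subscription given:", err)
}
```
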

@ulucinar
Collaborator

ulucinar commented Mar 23, 2022

A related doc resource is here:
https://docs.microsoft.com/en-us/azure/developer/go/azure-sdk-authentication?tabs=bash

I see this issue as a blocker for addressing some other identity-based authentication related issues we have (#164, #329).

@lieberlois

This seems like it's a very important issue - is there any status update on this?

@jbw976
Member

jbw976 commented Oct 21, 2023

Hey there @lieberlois, have you been able to take a look at https://github.com/upbound/provider-azure/? It is much more actively maintained than this provider.

@lieberlois

Hi @jbw976, oh no, I wasn't aware of that! Thanks for pointing it out!
