

Add ManagedIdentity with AZURE_CLIENT_ID
This ensures the Managed Identity authentication works with multiple
identities assigned to a single node.

Signed-off-by: Hidde Beydals <hello@hidde.co>
hiddeco committed Mar 8, 2022
1 parent cfa4c81 commit 7bc42a5
Showing 1 changed file with 15 additions and 1 deletion.
16 changes: 15 additions & 1 deletion pkg/azure/blob.go
Expand Up @@ -115,10 +115,15 @@ func NewClient(obj *sourcev1.Bucket, secret *corev1.Secret) (c *BlobClient, err
// Compose token chain based on environment.
// This functions as a replacement for azidentity.NewDefaultAzureCredential
// to not shell out.
if token, err = chainCredentialWithSecret(secret); err != nil {
token, err = chainCredentialWithSecret(secret)
if err != nil {
err = fmt.Errorf("failed to create environment credential chain: %w", err)
return nil, err
}
if token != nil {
c.ServiceClient, err = azblob.NewServiceClient(obj.Spec.Endpoint, token, nil)
return
}

// Fallback to simple client.
c.ServiceClient, err = azblob.NewServiceClientWithNoCredential(obj.Spec.Endpoint, nil)
Expand Down Expand Up @@ -353,6 +358,8 @@ func sharedCredentialFromSecret(endpoint string, secret *corev1.Secret) (*azblob
// azidentity.ChainedTokenCredential if at least one of the following tokens was
// successfully created:
// - azidentity.EnvironmentCredential
// - azidentity.ManagedIdentityCredential with Client ID from AZURE_CLIENT_ID
// environment variable, if found.
// - azidentity.ManagedIdentityCredential
// If a Secret with an `authorityHost` is provided, this is set on the
// azidentity.EnvironmentCredentialOptions. It may return nil.
Expand All @@ -369,6 +376,13 @@ func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, e
if token, _ := azidentity.NewEnvironmentCredential(credOpts); token != nil {
creds = append(creds, token)
}
if clientID := os.Getenv("AZURE_CLIENT_ID"); clientID != "" {
if token, _ := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ClientID(clientID),
}); token != nil {
creds = append(creds, token)
}
}
if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil {
creds = append(creds, token)
}
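Review bot: In chainCredentialWithSecret the system-assigned `azidentity.NewManagedIdentityCredential(nil)` is still appended unconditionally after the new `if clientID := os.Getenv("AZURE_CLIENT_ID")` block, so when the configured client ID cannot obtain a token the chained credential silently falls through to whatever identity IMDS serves by default; the client may then authenticate as a principal the operator did not configure, and the misconfigured client ID never surfaces as an error. If that fallback is not intended, make the two branches exclusive by turning the closing brace of the client-ID block into `} else if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil {` and dropping the separate `if`; if it is intended, a comment such as `// The default managed identity stays in the chain as a fallback, so an unusable AZURE_CLIENT_ID is not reported.` should record that choice. The constructor error is discarded in both branches, which matches the surrounding style, but for the client-ID case a malformed value is a configuration error rather than an expected absence and presumably deserves at least a debug log. chainCredentialWithSecret begins and ends outside the hunk.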

