Skip to content

Commit

Permalink
Add ManagedIdentity with AZURE_CLIENT_ID
Browse files Browse the repository at this point in the history
This ensures the Managed Identity authentication works with multiple
identities assigned to a single node.

Signed-off-by: Hidde Beydals <hello@hidde.co>
  • Loading branch information
hiddeco committed Mar 8, 2022
1 parent d7ce679 commit ccb65c7
Showing 1 changed file with 17 additions and 17 deletions.
34 changes: 17 additions & 17 deletions pkg/azure/blob.go
Original file line number Diff line number Diff line change
Expand Up @@ -66,22 +66,16 @@ type BlobClient struct {
//
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
// `clientSecret` fields are found.
// - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
// fields are found. To match with the JSON from:
// https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
// - azidentity.ClientCertificateCredential when `tenantId`,
// `clientCertificate` (and optionally `clientCertificatePassword`) fields
// are found.
// - azidentity.ManagedIdentityCredential for a User ID, when a `clientId`
// field but no `tenantId` is found.
// - azidentity.ManagedIdentityCredential for a Resource ID, when a
// `resourceId` field is found.
// - azblob.SharedKeyCredential when an `accountKey` field is found.
// - azblob.SharedKeyCredential when an `accountKey` field is found.
// The account name is extracted from the endpoint specified on the Bucket
// object.
// - azidentity.ChainedTokenCredential with azidentity.EnvironmentCredential
// and azidentity.ManagedIdentityCredential with defaults if no Secret is
// given.
// and azidentity.ManagedIdentityCredential.
//
// If no credentials are found, and the azidentity.ChainedTokenCredential can
// not be established. A simple client without credentials is returned.
Expand Down Expand Up @@ -292,16 +286,11 @@ func (c *BlobClient) ObjectIsNotFound(err error) bool {
// based on the data fields of the given Secret. It returns, in order:
// - azidentity.ClientSecretCredential when `tenantId`, `clientId` and
// `clientSecret` fields are found.
// - azidentity.ClientSecretCredential when `tenant`, `appId` and `password`
// fields are found. To match with the JSON from:
// https://docs.microsoft.com/en-us/azure/aks/kubernetes-service-principal?tabs=azure-cli#manually-create-a-service-principal
// - azidentity.ClientCertificateCredential when `tenantId`,
// `clientCertificate` (and optionally `clientCertificatePassword`) fields
// are found.
// - azidentity.ManagedIdentityCredential for a User ID, when a `clientId`
// field but no `tenantId` is found.
// - azidentity.ManagedIdentityCredential for a Resource ID, when a
// `resourceId` field is found.
// - Nil, if no valid set of credential fields was found.
func tokenCredentialFromSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
if secret == nil {
Expand Down Expand Up @@ -357,10 +346,14 @@ func sharedCredentialFromSecret(endpoint string, secret *corev1.Secret) (*azblob
// chainCredentialWithSecret tries to create a set of tokens, and returns an
// azidentity.ChainedTokenCredential if at least one of the following tokens was
// successfully created:
// - azidentity.EnvironmentCredential
// - azidentity.ManagedIdentityCredential
// If a Secret with an `authorityHost` is provided, this is set on the
// azidentity.EnvironmentCredentialOptions. It may return nil.
//
// - azidentity.EnvironmentCredential with `authorityHost` from Secret, if
// provided.
// - azidentity.ManagedIdentityCredential with Client ID from AZURE_CLIENT_ID
// environment variable, if found.
// - azidentity.ManagedIdentityCredential with defaults.
//
// If no valid token is created, it returns nil.
func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, error) {
var creds []azcore.TokenCredential

Expand All @@ -374,6 +367,13 @@ func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, e
if token, _ := azidentity.NewEnvironmentCredential(credOpts); token != nil {
creds = append(creds, token)
}
if clientID := os.Getenv("AZURE_CLIENT_ID"); clientID != "" {
if token, _ := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
ID: azidentity.ClientID(clientID),
}); token != nil {
creds = append(creds, token)
}
}
if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil {
creds = append(creds, token)
}
Expand Down

0 comments on commit ccb65c7

Please sign in to comment.