server/plugins/azure: use the default credentials API #4568

Merged: 3 commits, Nov 1, 2023

@shashankram (Contributor) commented Oct 17, 2023

Uses the NewDefaultAzureCredential API to fetch client credentials. This API wraps different mechanisms to obtain credentials using a chained token credential mechanism. By doing so, the Azure plugins are able to obtain a token using any of the supported mechanisms: env vars, MSI, workload identity, without needing separate config input for each.

This is a part of #4485 to enable obtaining API tokens using Azure workload identity.

Pull Request check list

  • Commit conforms to CONTRIBUTING.md?
  • Proper tests/regressions included?
  • Documentation updated?
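
Added example, not code from this pull request or from the Azure SDK: a chained credential uses the first source that is usable, so when more than one mechanism is configured the earlier one silently wins. The sketch below reports which of the three mechanisms named above would be selected and which are shadowed; the `source` type, `resolve`, the `IMDS_REACHABLE` flag and the ordering are assumptions of this example.

```go
package main

import "fmt"

// source is a hypothetical stand-in for one credential type in the chain.
type source struct {
	name string
	need []string // variables that must all be set for the source to be usable
}

// chain holds the three mechanisms the PR description names. The order is an
// assumption of this example; confirm it against the SDK version you deploy.
// IMDS_REACHABLE is a constructed flag standing in for a metadata-endpoint probe.
var chain = []source{
	{"env vars", []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"}},
	{"workload identity", []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_FEDERATED_TOKEN_FILE"}},
	{"MSI", []string{"IMDS_REACHABLE"}},
}

// usable reports whether every variable the source needs is set and non-empty.
func usable(s source, env map[string]string) bool {
	for _, k := range s.need {
		if env[k] == "" {
			return false
		}
	}
	return true
}

// resolve returns the source the chain would use (the first usable one) and
// any later sources that are also usable but silently shadowed by it.
func resolve(env map[string]string) (used string, shadowed []string) {
	for _, s := range chain {
		if usable(s, env) && used == "" {
			used = s.name
		} else if usable(s, env) {
			shadowed = append(shadowed, s.name)
		}
	}
	return used, shadowed
}

func main() {
	// Constructed input: workload identity configured, plus a leftover client secret.
	used, shadowed := resolve(map[string]string{
		"AZURE_TENANT_ID": "t", "AZURE_CLIENT_ID": "c",
		"AZURE_FEDERATED_TOKEN_FILE": "/constructed/token", "AZURE_CLIENT_SECRET": "leftover",
	})
	fmt.Printf("used=%q shadowed=%q\n", used, shadowed)
}
```

A non-empty shadowed list is the case to review before deployment: the identity that ends up issuing tokens may not be the one the operator meant to use.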

@shashankram
Contributor Author

@MarcosDY could you review this soon? This is blocking us from using SPIRE in Azure.

@MarcosDY
Collaborator

@shashankram can you resolve DCO?

@shashankram
Contributor Author

> @shashankram can you resolve DCO?

Yes, will address your comments and fix DCO.

@shashankram
Contributor Author

@MarcosDY Had to force-push to fix DCO, I addressed the comments

Uses the NewDefaultAzureCredential API to fetch
client credentials. This API wraps different
mechanisms to obtain credentials using a chained
token credential mechanism. By doing so, the Azure
plugins are able to obtain a token using any of the
supported mechanisms: env vars, MSI, workload identity,
without needing separate config input for each.

This is a part of spiffe#4485 to enable obtaining API tokens
using Azure workload identity.

Signed-off-by: Shashank Ram <shashr2204@gmail.com>
MarcosDY previously approved these changes Oct 31, 2023
@MarcosDY
Collaborator

@shashankram code looks good, are you planning to update the plugin documentation in a separate PR? (we need to at least notify that use_msi is deprecated)

@shashankram
Contributor Author

> @shashankram code looks good, are you planning to update the plugin documentation in a separate PR? (we need to at least notify that use_msi is deprecated)

I'll push an update to this PR with the doc changes, thanks for the reminder!

Signed-off-by: Shashank Ram <shashr2204@gmail.com>
@shashankram
Contributor Author

@MarcosDY I updated the docs, let me know if it makes sense to you

@shashankram
Contributor Author

There seem to be a few unrelated test flakes. How do I rerun these?

@MarcosDY added this to the 1.8.4 milestone Nov 1, 2023
@MarcosDY merged commit 0d6d42c into spiffe:main Nov 1, 2023
31 checks passed
@shashankram deleted the az-workload-identity branch November 1, 2023 14:56
@amartinezfayo removed this from the 1.8.4 milestone Nov 8, 2023
@amartinezfayo added this to the 1.8.5 milestone Nov 8, 2023
faisal-memon pushed a commit to faisal-memon/spire that referenced this pull request Dec 2, 2023
Uses the NewDefaultAzureCredential API to fetch
client credentials. This API wraps different
mechanisms to obtain credentials using a chained
token credential mechanism. By doing so, the Azure
plugins are able to obtain a token using any of the
supported mechanisms: env vars, MSI, workload identity,
without needing separate config input for each.

Signed-off-by: Shashank Ram <shashr2204@gmail.com>
Signed-off-by: Faisal Memon <fymemon@yahoo.com>