WIP Azure Auth Against Multiple Identities #14136
Conversation
| @@ -73,7 +72,7 @@ func NewAzureAuthMethod(conf *auth.AuthConfig) (auth.AuthMethod, error) { | |||
| return a, nil | |||
| } | |||
|
|
|||
| func (a *azureMethod) Authenticate(ctx context.Context, client *api.Client) (retPath string, header http.Header, retData map[string]interface{}, retErr error) { | |||
| func (a *azureMethod) Authenticate(ctx context.Context) (retPath string, header http.Header, retData map[string]interface{}, retErr error) { | |||
There was a problem hiding this comment.
I think this needs the client parameter to satisfy the AuthMethod interface, which is returned from NewAzureAuthMethod() above.
But since it's not used in this function, maybe just use a blank identifier?
| func (a *azureMethod) Authenticate(ctx context.Context) (retPath string, header http.Header, retData map[string]interface{}, retErr error) { | |
| func (a *azureMethod) Authenticate(ctx context.Context, _ *api.Client) (retPath string, header http.Header, retData map[string]interface{}, retErr error) { |
| @@ -176,3 +175,33 @@ func getMetadataInfo(ctx context.Context, endpoint, resource string) ([]byte, er | |||
|
|
|||
| return body, nil | |||
| } | |||
|
|
|||
| func verifyIdentity(ctx context.Context) (retPath string, header http.Header, retData map[string]interface{}, retErr error) { | |||
There was a problem hiding this comment.
This function doesn't seem to be called anywhere, where should this be called? Does the return values need to be named here?
| return | ||
| } | ||
|
|
||
| err = jsonutil.DecodeJSON(body, &instance) |
There was a problem hiding this comment.
It looks like we decode the JSON body into instance, but the object is scoped to this function, should that be returned instead? I also see that retData remains empty and not assigned, should this be set somewhere?
|
If I'm reading https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http right, it looks like we need to set the (Since that would make the args list a bit long, we may want to pass resource, client_id, and object_id to |
|
+1 on @tvoran suggestion. We only need to do this for the |
|
This was completed in PR #14214 |
In this PR I added a small helper function that will instead only attempt login with a given client and object ID.
We initially make a call to IDMS to get the access token
curl -H Metadata:true "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com/&client_id=<UAMI CLIENT ID>"We can then use only the ClientID and ObjectID to specify a particular identity.
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview