agent/azure: adds ability to use specific user-assigned managed identities for auto auth

[austingebauer]

Overview

This PR adds the ability to specify the object_id xor client_id when configuring Vault agent auto-auth for Azure. This enables users that have more than one user-assigned managed identity associated with their VM to specify which one they'd like to use when authenticating via Vault's Azure auth method.

Note that providing these parameters is an "exclusive or". During my testing, I saw that providing both resulted in an error:

curl -s -H Metadata:true 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.azure.com/&client_id=redacted&object_id=redacted' | jq
{
  "error": "invalid_request",
  "error_description": "Only one of 'client_id', 'object_id', 'principal_id', or 'mi_res_id' may be provided"
}

Testing

I tested that using these parameters to request an access token works when more than one user-assigned managed identity is associated with a VM.

Tested auto-auth using both client_id and object_id for different user-assigned managed identities:

auto_auth {
  method "azure" {
    config = {
      role = "dev-role"
      resource = "https://management.azure.com/"
      client_id = "<client_id>"
      # object_id = "<object_id>"
    }
  }

  sink "file" {
    config = {
      path = "${WORKDIR}/tokens/vault.token"
    }
  }
}

[tomhjp]

LGTM

[calvn]

Left one optional comment yesterday, but otherwise the PR looks good!