Allow authentication via managed service identity

[hbuckle]

Adds a provider option to allow authentication using managed service identity
e.g.

provider "azurerm" {
  subscription_id = "xxx"
  tenant_id       = "xxx"
  use_msi         = true
}

[paultyng]

@hbuckle Code wise this looks good to me. I have no experience with MSI though. We have some additional authentication changes coming targeted at 1.0.3 so grouping this up with those (see the other issues under the authentication label).

[paultyng]

It looks like this has a minor merge conflict, could maybe use a rebase.

[VaijanathB]

@hbuckle ,

Am I understanding correctly that this only supports MSI with ServicePrincipal and does not do it with azure cli ? Also I pulled your branch and tried to verify using the construct specified

provider "azurerm" {
subscription_id = "xxx"
tenant_id = "xxx"
use_msi = true
}
and was not able to authenticate. Can you please elaborate how to do it ?

Thanks,
VJ

[hbuckle]

@VaijanathB MSI works by creating a service principal to act on behalf of an Azure resource (such as a VM). For it to work you need to be running Terraform from a VM in Azure that has MSI configured - see authenticating_via_msi.html.markdown for details

[metacpp]

Shall we use the same if-else logic as in the azurerm/config.go ?

[hbuckle]

Do you mean from getAuthorizationToken ? I think the logic is slightly different in each

[metacpp]

Yes, I mean why we don't check if ClientSecret exists firstly.

[VaijanathB]

Can you put a Linux example ? This example creates WindowsServer and the documentation above says about Linux.

[hbuckle]

As noted, for Linux it would be exactly the same except you use ManagedIdentityExtensionForLinux instead of ManagedIdentityExtensionForWindows extension

[metacpp]

Can we change the default environment variable to "AZURE_MSI_ENDPOINT", coz this endpoint is not just for getting tokens for ARM, but also for graph/datalake/keyvault.

[tombuildsstuff]

(same here) - given the prefix for the other Environment Variables is ARM - we'd be best to leave this as ARM_MSI_ENDPOINT rather than making this AZURE_MSI_ENDPOINT - in future we can migrate across to use AZURE as a prefix if needed)

[tombuildsstuff]

should this be defaulted to http://localhost:50342/oauth2/token?

[metacpp]

Agree.

[hbuckle]

@tombuildsstuff by leaving it blank then the endpoint should be auto-discovered using GetMSIVMEndpoint(). I only put the option there in case the endpoint can't be discovered (such as when running in a container)

[metacpp]

Change to "USE_MSI".

[tombuildsstuff]

given all the other Environment Variables are prefixed with ARM - we should leave this as ARM_USE_MSI for consistency (we may change this for AZURE_USE_MSI in future, but it should be consistent for now)

[metacpp]

Agree.

[tombuildsstuff]

hey @hbuckle

Thanks for this PR - apologies for the delayed review here!

I've taken a look through and left some comments in-line but this mostly looks good to me - if we can fix those minor issues this should be good to merge, as such I'll go ahead and test this PR in the meantime :)

Thanks!

[tombuildsstuff]

should this be defaulted to http://localhost:50342/oauth2/token?

[tombuildsstuff]

I'd suggest we change this to:

Managed Service Identity can be used to access other Azure Services from within a Virtual Machine in Azure instead of specifying a Service Principal or Azure CLI credentials.

[tombuildsstuff]

I believe this field is optional - so we should be able to not specify it and it'll be populated automatically?

[tombuildsstuff]

can we make this "ManagedIdentityExtensionForLinux extension"

[tombuildsstuff]

can we quote use_msi and true here?

[metacpp]

@hbuckle any update ?

[tombuildsstuff]

Results of testing this so far:

• ❌ issues in CloudShell
• ✅ MSI on a Windows VM
• ✅ MSI on a Linux VM

Once I've confirmed this works on Linux
I'm looking into why this fails in CloudShell (since MSI is now available there too)

[tombuildsstuff]

hey @hbuckle

Just to give an update here - I've been working through testing this, and this looks good on the VM's (both Linux and Windows), however there's an issue when running in CloudShell (where MSI's recently been enabled). In CloudShell the API doesn't return the same schema as the API available when running in a VM (an integer value is returned, rather than a string) for the expiresOn field, which means deserialization fails.

Since MSI is enabled by default in CloudShell - I've reached out to Microsoft to see how if they can patch the API to return the correct data type - if that's not going to be possible for a while the other option would be to error when running in CloudShell with MSI enabled, until we've confirmed the API's been patched (which would allow us to ship this for use in VM's).

Apologies for the delay, but bear with us here - I'm hoping we'll have an answer about this later this week :)

Thanks!

[tombuildsstuff]

hey @hbuckle

Apologies for the delay getting this merged - we've been working with Microsoft to fix the broken MSI API. That's now been deployed - and I can confirm this looks good in our testing.

Thanks for pushing those updates to this PR - this now LGTM 👍

Thanks!

[tombuildsstuff]

👋 hey @hbuckle

Just to let you know that support for MSI has just been released in v1.2.0 of the AzureRM Provider - full details of what's included are available here: https://github.com/terraform-providers/terraform-provider-azurerm/blob/v1.2.0/CHANGELOG.md#120-march-02-2018

Thanks!

[ghost]

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.

If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks!