Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[Identity] Support exchanging k8s token to AAD token #16688

Merged
29 commits merged into from
Sep 8, 2021
Merged

[Identity] Support exchanging k8s token to AAD token #16688

29 commits merged into from
Sep 8, 2021

Conversation

sadasant
Copy link
Contributor

This is a simplified version of what @chlowell did on this PR: Azure/azure-sdk-for-python#19902

This is based on what I understood. I’ll make sure to circle back with Charles before I get this PR out of draft.

Fixes #15800

@sadasant sadasant requested a review from chlowell July 31, 2021 00:04
@sadasant sadasant self-assigned this Jul 31, 2021
@ghost ghost added the Azure.Identity label Jul 31, 2021
@sadasant sadasant requested a review from schaabs September 1, 2021 00:59
@sadasant
Copy link
Contributor Author

sadasant commented Sep 1, 2021

Hello, @chlowell , @schaabs help me review this. We can get on a call. I took a different approach than Python, but the effect should be the same.

@sadasant sadasant marked this pull request as ready for review September 1, 2021 01:20
@sadasant
Copy link
Contributor Author

sadasant commented Sep 1, 2021

I took this out of draft before fixing conflicts. One moment.

@sadasant sadasant requested a review from chlowell September 2, 2021 00:44
sadasant
sadasant commented Sep 2, 2021
View reviewed changes
sdk/identity/identity/CHANGELOG.md
@@ -4,6 +4,8 @@

### Features Added

- `ManagedIdentityCredential` now supports token exchange authentication.
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is intentionally vague.

@sadasant
Copy link
Contributor Author

sadasant commented Sep 2, 2021

@chlowell ok now I’ve tested this in the real test environment, and this works 😃

@sadasant
Copy link
Contributor Author

sadasant commented Sep 2, 2021

I’m investigating the CI issue.

@sadasant
Copy link
Contributor Author

sadasant commented Sep 3, 2021

I don’t quite get what’s going on on CI. Tomorrow is a new day!

sadasant
sadasant commented Sep 3, 2021
View reviewed changes
sdk/identity/identity/src/credentials/chainedTokenCredential.ts
const err = new AggregateAuthenticationError(
errors,
"ChainedTokenCredential authentication failed."
);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Without this, this error had an initial segment with an undefined string. This PR adds a test to ensure this is never silently broken in the future.

sadasant
sadasant commented Sep 4, 2021
View reviewed changes
sdk/identity/identity/src/client/errors.ts
@@ -164,7 +164,7 @@ export class AggregateAuthenticationError extends Error {

constructor(errors: any[], errorMessage?: string) {
const errorDetail = errors.join("\n");
super(`${errorMessage}\n\n${errorDetail}`);
super(`${errorMessage}\n${errorDetail}`);
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This meant a whole empty line, which I didn’t like now that I re-reviewed these errors.

sadasant
sadasant commented Sep 4, 2021
View reviewed changes
sdk/identity/identity/src/credentials/managedIdentityCredential/index.ts
@@ -214,7 +223,7 @@ export class ManagedIdentityCredential implements TokenCredential {
// and it means that the endpoint is working, but that no identity is available.
if (err.statusCode === 400) {
throw new CredentialUnavailableError(
"The managed identity endpoint is indicating there's no available identity"
`ManagedIdentityCredential: The managed identity endpoint is indicating there's no available identity. Message: ${err.message}`
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was the root of the CI issue: The changes in this PR made it so now this credential only failed due to the IMDS MSI on CI. Since CI is in Azure, the IMDS endpoint is reachable, so the execution reaches this statement, and this statement didn’t match the format we had for all of the other errors in this credential.

@sadasant
Copy link
Contributor Author

sadasant commented Sep 4, 2021

Oh, the taste of a green CI build 😌💚

@sadasant sadasant requested a review from chlowell September 7, 2021 18:58
@sadasant
specifying that most MSIs are not available for getToken requests wit…
3091b74 
…h multiple resources, and an internal cleanup was in order (including slightly better logs and errors
chlowell
chlowell reviewed Sep 8, 2021
View reviewed changes
sdk/identity/identity/test/internal/node/managedIdentityCredential.spec.ts Outdated

const authDetails = await sendCredentialRequests({
scopes: ["https://service/.default"],
credential: new ManagedIdentityCredential("client"),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do you have a test for the parameter overriding AZURE_CLIENT_ID?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I’m adding one! Thanks!

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added one!

chlowell
chlowell approved these changes Sep 8, 2021
View reviewed changes
Copy link
Member

@chlowell chlowell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Token exchange logic looks good to me 👍

@ghost
Copy link

ghost commented Sep 8, 2021

Hello @sadasant!

Because this pull request has the auto-merge label, I will be glad to assist with helping to merge this pull request once all check-in policies pass.

p.s. you can customize the way I help with merging this pull request, such as holding this pull request until a specific person approves. Simply @mention me (@msftbot) and give me an instruction to get started! Learn more here.

@ghost ghost merged commit 6ccd67c into Azure:main Sep 8, 2021
@sadasant sadasant deleted the identity/fix15800 branch September 8, 2021 17:27
This pull request was closed.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chlowell chlowell chlowell approved these changes

@schaabs schaabs Awaiting requested review from schaabs schaabs is a code owner

@witemple-msft witemple-msft Awaiting requested review from witemple-msft

Assignees

@sadasant sadasant

Labels
Azure.Identity
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support exchanging k8s token to AAD token
2 participants
@sadasant @chlowell