Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Added option for disabling MSI autodiscover feature in azure_keyvault_secret lookup plugin #1353

Merged
merged 3 commits into from
Dec 6, 2023
Merged

Added option for disabling MSI autodiscover feature in azure_keyvault_secret lookup plugin #1353

Changes from all commits
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
04245d4
Added option for disabling MSI autodiscover feature
nalle Dec 1, 2023
54577ef
sorting out some linting things and removed msrest module requirement…
nalle Dec 4, 2023
18b2008
added missing period in documentation
nalle Dec 4, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
42 changes: 25 additions & 17 deletions plugins/lookup/azure_keyvault_secret.py
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@
description: Secret of the service principal.
tenant_id:
description: Tenant id of service principal.
use_msi:
description: MSI token autodiscover, default is true.
notes:
- If version is not provided, this plugin will return the latest version of the secret.
- If ansible is running on Azure Virtual Machine with MSI enabled, client_id, secret and tenant isn't required.
Expand Down Expand Up @@ -74,7 +76,8 @@
vault_url=url,
client_id=client_id,
secret=secret,
tenant_id=tenant
tenant_id=tenant,
use_msi=false
)
}}"

Expand Down Expand Up @@ -139,22 +142,6 @@
'Metadata': 'true'
}

token = None

try:
token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token', params=token_params, headers=token_headers, timeout=(3.05, 27))
if token_res.ok:
token = token_res.json().get("access_token")
if token is not None:
TOKEN_ACQUIRED = True
else:
display.v('Successfully called MSI endpoint, but no token was available. Will use service principal if provided.')
else:
display.v("Unable to query MSI endpoint, Error Code %s. Will use service principal if provided" % token_res.status_code)
except Exception:
display.v('Unable to fetch MSI token. Will use service principal if provided.')
TOKEN_ACQUIRED = False


def lookup_secret_non_msi(terms, vault_url, kwargs):

Expand Down Expand Up @@ -187,6 +174,27 @@ class LookupModule(LookupBase):
def run(self, terms, variables, **kwargs):
ret = []
vault_url = kwargs.pop('vault_url', None)
use_msi = kwargs.pop('use_msi', True)
TOKEN_ACQUIRED = False
token = None

if use_msi:
try:
token_res = requests.get('http://169.254.169.254/metadata/identity/oauth2/token',
params=token_params,
headers=token_headers,
timeout=(3.05, 27))
if token_res.ok:
token = token_res.json().get("access_token")
if token is not None:
TOKEN_ACQUIRED = True
else:
display.v('Successfully called MSI endpoint, but no token was available. Will use service principal if provided.')
else:
display.v("Unable to query MSI endpoint, Error Code %s. Will use service principal if provided" % token_res.status_code)
except Exception:
display.v('Unable to fetch MSI token. Will use service principal if provided.')

if vault_url is None:
raise AnsibleError('Failed to get valid vault url.')
if TOKEN_ACQUIRED:
Expand Down