Support Azure storage backend with OAuth token #7322
It looks like this is dependent on an enhancement to the Azure Go SDK.
sfc-gh-jelsesiy added a commit to sfc-gh-jelsesiy/vault that referenced this issue Oct 28, 2020
Obtain OAuth token from IMDS to allow for access to Azure Blob with short-lived dynamic credentials Fix hashicorp#7322
calvn pushed a commit that referenced this issue Oct 28, 2020
* Add support for Managed Identity auth for physical/Azure Obtain OAuth token from IMDS to allow for access to Azure Blob with short-lived dynamic credentials Fix #7322
* add tests & update docs/dependencies
calvn added a commit that referenced this issue Oct 29, 2020
…ure (#10189) (#10260) * Add support for Managed Identity auth for physical/Azure (#10189) * Add support for Managed Identity auth for physical/Azure Obtain OAuth token from IMDS to allow for access to Azure Blob with short-lived dynamic credentials Fix #7322 * add tests & update docs/dependencies * mod: fix go.mod and go.sum conflicts * mod: update [email protected] (#10261) Co-authored-by: Jonas-Taha El Sesiy <[email protected]>
Feature Request:
Currently the Azure storage backend requires a storage account Key. To bring this in line with other backends like Google and remove secrets from the Vault config HCL, I’d like Vault to support Azure storage requests authenticated using OAuth Bearer tokens. There is probably good reason to initially only support Managed service identities to again avoid secrets in the HCL.
Vault Config File:
Proposed config may simply omit the accountKey field.
Expected Behavior:
Vault would be able to obtain an OAuth Bearer token and issue storage API calls directly without an account key.
Actual Behavior:
Currently the account key is required and the MSI is not used.
References:
https://docs.microsoft.com/en-us/rest/api/storageservices/authorize-with-azure-active-directory
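
The flow this request asks for, and that the referenced commits describe (a token from IMDS, then Blob calls authorized with it), sketched as an added Go example. It is not Vault's code: the function names, the account, container and blob names, and the sample token are made up for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
	"time"
)

// NewIMDSTokenRequest asks the link-local IMDS endpoint for a Storage-scoped token.
func NewIMDSTokenRequest() (*http.Request, error) {
	q := url.Values{"api-version": {"2018-02-01"}, "resource": {"https://storage.azure.com/"}}
	req, err := http.NewRequest("GET", "http://169.254.169.254/metadata/identity/oauth2/token?"+q.Encode(), nil)
	if err == nil {
		req.Header.Set("Metadata", "true") // IMDS rejects requests without this header
	}
	return req, err
}

// ParseToken extracts the bearer token and its expiry from an IMDS response body.
func ParseToken(body []byte) (string, time.Time, error) {
	var t struct {
		AccessToken string `json:"access_token"`
		ExpiresOn   int64  `json:"expires_on,string"` // Unix seconds, sent as a JSON string
	}
	if err := json.Unmarshal(body, &t); err != nil {
		return "", time.Time{}, err
	}
	if t.AccessToken == "" || t.ExpiresOn == 0 {
		return "", time.Time{}, fmt.Errorf("IMDS response lacks access_token or expires_on")
	}
	return t.AccessToken, time.Unix(t.ExpiresOn, 0), nil
}

// NewBlobRequest builds a Get Blob call authorized by the token, with no account key.
func NewBlobRequest(account, container, blob, token string) (*http.Request, error) {
	u := url.URL{Scheme: "https", Host: account + ".blob.core.windows.net", Path: "/" + container + "/" + blob}
	req, err := http.NewRequest("GET", u.String(), nil)
	if err == nil {
		req.Header.Set("Authorization", "Bearer "+token)
		req.Header.Set("x-ms-version", "2019-12-12") // OAuth requires 2017-11-09 or later
	}
	return req, err
}

func main() {
	// Constructed sample body; a real one is the response to NewIMDSTokenRequest.
	fmt.Println(ParseToken([]byte(`{"access_token":"sample-token","expires_on":"1603900000"}`)))
}
```

The token is short-lived, so a caller would compare the returned expiry with the current time and request a fresh token before it lapses.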