Add support for Managed Identity auth for physical/Azure #10189
@calvn Please have a look. I'm hoping we can get this into the |
@calvn Did you have a chance to triage this? Thank you! |
@sfc-gh-jelsesiy sorry, I missed the ping from your earlier messages! I'll be taking a look at this. |
Looks good overall! We should also adjust the tests within azure_test.go so that they can run using creds from this flow if the account key is not provided.
Can you do a run of the tests afterwards and share the results over here?
Sure, I can add that. What are you thinking specifically? Running these tests without mocking would require you to run them on a host that has the IMDS available and a valid identity attached to it. This seems tricky for most CI systems, which is why I haven't included any |
Definitely agree on the trickiness bit! We'd want to verify at some capacity that this works as intended, even if things are set up manually at this point, so that's what we might end up doing. |
Okay let me see what I can come up with. I also noticed that the current tests are duplicating logic that is actually part of |
Obtain OAuth token from IMDS to allow for access to Azure Blob with short-lived dynamic credentials Fix hashicorp#7322
@calvn I added a separate commit for the tests, let me know what you think. I documented what's needed to successfully run the tests using managed identities and did that myself, see:
|
Perfect, thanks for sharing the test result as well! Do the new test changes remove the ability to test the physical backend locally? Ideally we would want to be able to do both. That is, if run on an Azure VM it will use IMDS, and if run locally all the creds need to be provided as they were before in order to be able to use Azure storage for local testing. |
The way it's implemented is that if |
Why are the env vars |
The way the tests have been set up before wasn't correct. The credential creation has been duplicated in the tests instead of relying on the logic in |
Ah, gotcha! |
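As an added example (not code from this PR or from Vault itself), here is the IMDS exchange the thread refers to, with an httptest stand-in so the managed-identity path can be exercised on a host that has no IMDS: the request, the mandatory Metadata header, and the token fields a backend would consume. The endpoint path, api-version and resource values are Azure's documented IMDS ones; the token string and expiry are constructed sample values.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type IMDSToken struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"` // Unix seconds, sent as a string
}

// FetchIMDSToken asks the instance metadata service at base for an OAuth token
// scoped to Azure Storage. The "Metadata: true" header is mandatory: IMDS
// rejects requests without it so a plain redirect or SSRF cannot reach it.
func FetchIMDSToken(client *http.Client, base string) (*IMDSToken, error) {
	endpoint := base + "/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://storage.azure.com/"
	req, err := http.NewRequest(http.MethodGet, endpoint, nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata", "true")
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("imds: unexpected status %d", resp.StatusCode)
	}
	var tok IMDSToken
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	return &tok, nil
}

// NewMockIMDS stands in for IMDS so the flow can run off-Azure; like the real
// service it refuses requests that lack the Metadata header.
func NewMockIMDS(token string) *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata") != "true" {
			http.Error(w, "missing Metadata header", http.StatusBadRequest)
			return
		}
		fmt.Fprintf(w, `{"access_token":%q,"expires_on":"1700000000"}`, token) // constructed expiry
	}))
}
```

In a test, point FetchIMDSToken at NewMockIMDS(...).URL when no account key is configured, and at the real 169.254.169.254 endpoint only when running on an Azure VM with an identity attached.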
@calvn Please let me know if you have any code comments so I can address them today as I got the time allocated from my company for it :) |
Looks good, thanks for the contribution!
Ran the tests locally and they passed as well:
=== RUN TestAzureBackend
azure_test.go:63: using account key provided to authenticate against storage account
--- PASS: TestAzureBackend (3.07s)
=== RUN TestAzureBackend_ListPaging
azure_test.go:73: using account key provided to authenticate against storage account
--- PASS: TestAzureBackend_ListPaging (256.73s)
PASS
Great!! Should I be worried about the test failures (PR checks) or is that not blocking the merge? |
Doesn't look like it's related to your changes, but can you merge/rebase |
I'm up to date to |
* Add support for Managed Identity auth for physical/Azure Obtain OAuth token from IMDS to allow for access to Azure Blob with short-lived dynamic credentials Fix #7322 * add tests & update docs/dependencies
…ure (#10189) (#10260) * Add support for Managed Identity auth for physical/Azure (#10189) * Add support for Managed Identity auth for physical/Azure Obtain OAuth token from IMDS to allow for access to Azure Blob with short-lived dynamic credentials Fix #7322 * add tests & update docs/dependencies * mod: fix go.mod and go.sum conflicts * mod: update [email protected] (#10261) Co-authored-by: Jonas-Taha El Sesiy <[email protected]>
Obtain OAuth token from IMDS to allow for access to Azure Blob with
short-lived dynamic credentials
Fix #7322