azcli auth doesn't support MSAL scopes #189
Comments
|
Related question - @manicminer , does contributing to this repo require a CLA? |
thomas11
added a commit
to pulumi/pulumi-azure-native
that referenced
this issue
Mar 28, 2023
## About This PR contains two related pieces: 1. Switch the provider from the deprecated ADAL authentication method to the current MSAL method. Due to an issue in our dependencies, one of the authentication paths, the `az` cli, doesn't work properly with MSAL. We detect the unsupported cli case dynamically and fall back to ADAL in that case. 2. Enable OIDC for authentication. The actual OIDC implementation is in our dependencies but enabling it was gated behind MSAL. This PR exposes the relevant configuration settings and adds a dedicated test. ### What's MSAL? The provider currently uses an authentication method called ADAL that’s out of support in Azure. ADAL, also called auth v1, is [replaced by MSAL](https://learn.microsoft.com/en-us/azure/active-directory/develop/msal-migration) (auth v2). OIDC only works on MSAL. These protocols are implemented in our dependencies _go-azure-helpers_ and _hamilton_ so we don't need to care about the details, except for two things that surface in our code: - MSAL has a new concept of _scopes_ for more targeted authentication scopes. You can't just get a token for everything in an Azure account or subscription, you can only get one for ResourceManager, or KeyVault, etc. Since Pulumi deals with infrastructure, we can get away with ResourceManager for most operations, but we do have some [custom resources](https://github.com/pulumi/pulumi-azure-native/pull/2320/files#diff-bd590eb4f290efeb8760fc0743f5af2db35ceb776e7ef64a1cb641303e878426) that touch the data plane and need a different scope. - The dependencies [don't implement MSAL correctly when the `az` cli is used](manicminer/hamilton#189) for authentication. This PR falls back to ADAL when that case is detected. ### What's OIDC? It stands for **OpenID Connect** and is an authentication protocol on top of OAuth. The idea is to allow trusted parties to verify a user's identity. For a practical example, let's look at how I set up OIDC authentication between Github Actions and Azure, which is used by the e2e test of this PR. We tell Azure that GitHub can be trusted: 1. On an Azure Active Directory (AD) App, add a new credential with issuer GitHub. 2. In GitHub, configure the Action with the id of the AD App. Now, when the action runs, GitHub can use the Azure AD endpoint to exchange the GitHub token for an Azure token. Note that there is no secret involved anywhere that would need to be safely stored, rotated, etc. This is one of the biggest advantages of OIDC. Details for the interested [here (GH)](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/configuring-openid-connect-in-cloud-providers) and [here (Azure)](https://learn.microsoft.com/en-us/azure/active-directory/workload-identities/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp#configure-a-federated-identity-credential-on-an-app), but not required reading for reviewing this PR. ## Testing I picked an existing e2e test, `keyvault`. In general, any e2e test will do since we only want to see that authentication works. However, `keyvault` has more authentication test coverage than the other tests because it also creates a key vault secret, which is a data plane operation that requires a different token. We run this test now twice, authenticating once via client secret and once via OIDC. ## Next steps To fully release OIDC support we need to document it in our user-facing documentation. I should also document the particular OIDC integration used in testing in our wiki (AD principal, roles, permissions etc.).
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Currently, in
AzureCliAuthorizer.Token(), the arguments toazare hard-coded asThis is correct for ADAL and also works for MSAL as long as you need the default scope of Resource Manager. However, for a different scope like KeyVault, the arguments should instead be
Note the MSAL-style (OAuth v2)
scope.I tested the above change and it unblocked a small program that changes Key Vault secrets. I don't have a full PR just yet because I wasn't sure how you wanted to treat MSAL vs ADAL here.
The text was updated successfully, but these errors were encountered: