4 changes: 4 additions & 0 deletions CHANGELOG.md
@@ -1,5 +1,9 @@
## Unreleased

BUGS:

* Fix Azure login method and utilize DefaultAzureCredential for authenticating with Azure.

## 4.8.0 (Apr 23, 2025)

FEATURES:
27 changes: 18 additions & 9 deletions internal/provider/auth_azure.go
Expand Up @@ -15,7 +15,7 @@ import (
"github.com/hashicorp/terraform-provider-vault/internal/consts"
)

const defaultAzureScope = "https://management.azure.com/"
const defaultAzureScope = "https://management.azure.com//.default"

func init() {
field := consts.FieldAuthLoginAzure
Expand Down Expand Up @@ -65,6 +65,7 @@ func GetAzureLoginSchemaResource(authField string) *schema.Resource {
Description: "The resource group for the machine that generated the MSI token. " +
"This information can be obtained through instance metadata.",
},

consts.FieldVMName: {
Type: schema.TypeString,
Optional: true,
Expand Down Expand Up @@ -159,7 +160,7 @@ func (l *AuthLoginAzure) Login(client *api.Client) (*api.Secret, error) {

if v, ok := l.params[consts.FieldVMName]; ok {
params[consts.FieldVMName] = v
} else if v, ok := l.params[consts.FieldVMName]; ok {
} else if v, ok := l.params[consts.FieldVMSSName]; ok {
params[consts.FieldVMSSName] = v
}

Expand All @@ -174,17 +175,24 @@ func (l *AuthLoginAzure) Login(client *api.Client) (*api.Secret, error) {
}

func (l *AuthLoginAzure) getJWT(ctx context.Context) (string, error) {
if v, ok := l.params[consts.FieldJWT]; ok {
return v.(string), nil
if jwt, ok := l.params[consts.FieldJWT].(string); ok && jwt != "" {
return jwt, nil
}

// attempt to get the token from Azure
credOpts := &azidentity.ManagedIdentityCredentialOptions{}
if v, ok := l.params[consts.FieldClientID]; ok {
credOpts.ID = azidentity.ClientID(v.(string))
// Initialize DefaultAzureCredential
// https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#DefaultAzureCredential
// DefaultAzureCredential attempts to authenticate with each of these credential types, in the following order, stopping when one provides a token:
// EnvironmentCredential
// WorkloadIdentityCredential, if environment variable configuration is set by the Azure workload identity webhook. Use WorkloadIdentityCredential directly when not using the webhook or needing more control over its configuration.
// ManagedIdentityCredential
// AzureCLICredential
// AzureDeveloperCLICredential
credOpts := azidentity.DefaultAzureCredentialOptions{}
if v, ok := l.params[consts.FieldTenantID]; ok {
credOpts.TenantID = v.(string)
}

creds, err := azidentity.NewManagedIdentityCredential(credOpts)
creds, err := azidentity.NewDefaultAzureCredential(nil)
if err != nil {
return "", err
}
Expand All @@ -197,6 +205,7 @@ func (l *AuthLoginAzure) getJWT(ctx context.Context) (string, error) {
tOpts := policy.TokenRequestOptions{
Scopes: scopes,
}

if v, ok := l.params[consts.FieldTenantID]; ok {
tOpts.TenantID = v.(string)
}
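Review bot: In getJWT the `credOpts` value filled from `l.params[consts.FieldTenantID]` is never used, because the line that follows calls `azidentity.NewDefaultAzureCredential(nil)`; the `tenant_id` parameter therefore no longer reaches the credential chain (it still reaches `tOpts.TenantID` in the later hunk, but that only affects the token request, not which credential is selected), so the call should be `creds, err := azidentity.NewDefaultAzureCredential(&credOpts)`. The `client_id` parameter, which the removed code applied through `ManagedIdentityCredentialOptions.ID`, is not referenced anywhere in the new code shown even though the updated docs still describe it as choosing among multiple identities; unless it is consumed elsewhere in getJWT (the body continues past the hunk), it is now silently ignored and should either be wired into the chain (DefaultAzureCredential picks a user-assigned managed identity from the AZURE_CLIENT_ID environment variable) or marked as deprecated in the schema description. Replacing a managed-identity-only credential with the default chain also means a login can now fall through to developer-machine sources such as the Azure CLI, so a misconfigured managed identity can silently authenticate as whoever is logged in locally; a short comment on the construction naming that fallthrough, and an error or log line indicating which credential type produced the token, would make that visible to operators.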
5 changes: 3 additions & 2 deletions website/docs/index.html.markdown
Expand Up @@ -560,6 +560,7 @@ The `auth_login_azure` configuration block accepts the following arguments:
* `jwt` - (Optional) The signed JSON Web Token against which the login is being attempted.
If not provided a token will be created from Azure's managed identities for Azure resources API.
*Can be specified with the `TERRAFORM_VAULT_AZURE_AUTH_JWT` environment variable.*
If this value is not provided, a [`DefaultAzureCredential`](https://learn.microsoft.com/en-gb/azure/developer/go/sdk/authentication/credential-chains#defaultazurecredential-overview) will be used to perform authentication via numerous methods in order until one succeeds.

* `subscription_id` - (Required) The subscription ID for the machine that generated the MSI token.
This information can be obtained through instance metadata.
Expand All @@ -575,9 +576,9 @@ The `auth_login_azure` configuration block accepts the following arguments:

* `tenant_id` - (Optional) Provides the tenant ID to use in a multi-tenant authentication scenario.

* `client_id` - (Optional) The identity's client ID.
* `client_id` - (Optional) Provides the client ID of the identity to use when multiple identities are available.

* `scope` - (Optional) The scopes to include in the token request. Defaults to `https://management.azure.com/`
* `scope` - (Optional) The scopes to include in the token request. Defaults to `https://management.azure.com//.default`


### Token File