Allow Azure server node attestor and Key Vault plugins to fetch credentials using Workload Identity #4485
Comments
shashankram
changed the title
|
Was there a decision made on how to enable this? |
|
Thanks so much for the ping, @shashankram. That's an interesting feature. We'll huddle today and hopefully have a decision made in the next day or so on what shape of config we'd like to use. Appreciate your patience! |
|
Ok, @shashankram, I think we've arrived at consensus :) Right now, the plugin enforces that either you 1) use msi, or 2) provide static credentials, and fails to configure if you don't indicate either. The behavior we think makes the most sense is that, instead of failing if neither is configured, we change the plugin to use In summary:
How does that feel to you? |
I think that's fine as an immediate solution, though we may need to revisit this for multi-tenant Az credentials via Workload Identity: AdditionallyAllowedTenants config. |
|
We'll almost certainly want to support that in the future, though it will probably require some changes the the shape of our config? Are you able to help with a proposal on what that might look like? In the meantime, this seems to take a step in the right direction without shaking too many things up ... happy to assign this issue to you if you're ok taking it |
evan2645
added
help wanted
That sounds good. We can start with a zero config solution for single tenants, and figure out the config structure for multi-tenant credential access. Feel free to assign this one to me, thanks. |
evan2645
removed
the
help wanted
|
@azdagron @evan2645 I explored implementing a fallback to using the SDK default creds if client creds or use_msi=false, and it seems a specific behavior that is noted as needing to be deprecated, breaks. Currently, this change breaks the test spire/pkg/server/plugin/nodeattestor/azuremsi/msi.go Lines 297 to 300 in cb6ce22 So with default creds, attestation will not succeed unless the resolution of selectors is successful. Are we okay with this behavior? |
|
I see ... thank you very much for raising this. If nothing is set and we use Since we need to do a deprecation now, I think we may have to assign this work to the 1.9.0 release. In which case, it may make sense for us to explore the larger changes around supporting multi-tenant auth I've gone through a few possibilities in my head around how to do this while maintaining compat for a patch release, and am having a hard time. Given the current behavior, empty config seems equivalent to local validation w/o API checks. We can detect if we found a credential at configure time, but we probably won't know if it works until we try to use it? |
|
We could verify whether the default credentials work by calling |
Unfortunately this didn't work. We have 2 options:
|
|
In light of the blocker/delay for the easy path, I think option 2 is probably best at this point .. then we can figure out after that how to right-size the config as a whole. What config inputs are needed to support multi-tenant auth? |
|
I don't believe we would need additional config. Like MSI, we would create a client per tenant, and use that when the |
|
Ah I see ... for some reason I was under the impression that we would need more than just a flag to enable it. Apologies That seems super reasonable to me. Might also be a good idea to go ahead and start logging deprecation warnings for the case in which no config is set... default config should be the more secure thing, not the less secure. Then once those changes are in, we can decide the future of use_msi |
|
Using default cred will also imply the current behavior that has already been marked for deprecation will break as described in #4485 (comment). I agree using default cred makes sense, we won't need separate flags for MSI vs workload identity, both will be tried implicitly. |
Uses the NewDefaultAzureCredential API to fetch client credentials. This API wraps different mechanisms to obtain credentials using a chained token credential mechanism. By doing so, the Azure plugins are able to obtain a token using any of the supported mechanisms: env vars, MSI, workload identity, without needing separate config input for each. This is a part of spiffe#4485 to enable obtaining API tokens using Azure workload identity. Signed-off-by: Shashank Ram <shashank.ram@solo.io>
|
Draft PR for the changes #4568 |
Uses the NewDefaultAzureCredential API to fetch client credentials. This API wraps different mechanisms to obtain credentials using a chained token credential mechanism. By doing so, the Azure plugins are able to obtain a token using any of the supported mechanisms: env vars, MSI, workload identity, without needing separate config input for each. This is a part of spiffe#4485 to enable obtaining API tokens using Azure workload identity. Signed-off-by: Shashank Ram <shashank.ram@solo.io>
Uses the NewDefaultAzureCredential API to fetch client credentials. This API wraps different mechanisms to obtain credentials using a chained token credential mechanism. By doing so, the Azure plugins are able to obtain a token using any of the supported mechanisms: env vars, MSI, workload identity, without needing separate config input for each. This is a part of spiffe#4485 to enable obtaining API tokens using Azure workload identity. Signed-off-by: Shashank Ram <shashr2204@gmail.com>
Uses the NewDefaultAzureCredential API to fetch client credentials. This API wraps different mechanisms to obtain credentials using a chained token credential mechanism. By doing so, the Azure plugins are able to obtain a token using any of the supported mechanisms: env vars, MSI, workload identity, without needing separate config input for each. This is a part of spiffe#4485 to enable obtaining API tokens using Azure workload identity. Signed-off-by: Shashank Ram <shashr2204@gmail.com>
|
Resolved by #4568 |
It's possible that SPIRE running in AKS needs to attest workloads in Azure. To fetch credentials to authenticate with the Azure API, two types of mechanisms are currently supported in SPIRE:
When the server is running in k8s, workload identity provides an elegant way to fetch API credentials. At a high level, this would allow the server to fetch API credentials using its k8s service account token, which would map to an identity in Azure to which IAM roles can be assigned.
It would make sense to extend the Azure server plugins to support this.
The core API to fetch a credential using workload identity is
azidentity.NewWorkloadIdentityCredential, as documented.Some options on enabling this:
use_msiplugin flag such that if a credential can be authenticated usingazidentity.NewManagedIdentityCredentialorazidentity.NewWorkloadIdentityCredential, then we use that credential. The API sequentially tries to authenticate using the given credentials until one succeeds.azidentity.NewDefaultAzureCredentialwhich tries to fetch the credentials using all possible ways: Environment variables, workload identity, MSI, CLI credentials, in that order. This could be undesirable if we want to be strict on not allowing env vars.use_msi, add ause_workload_identityconfig flag to the plugins and conditionally fetch the credential usingazidentity.NewWorkloadIdentityCredential.I am happy to help with this if it sounds reasonable.
The text was updated successfully, but these errors were encountered: