Add ManagedIdentity with AZURE_CLIENT_ID

This ensures the Managed Identity authentication works with multiple identities assigned to a single node. Signed-off-by: Hidde Beydals <hello@hidde.co>
fluxcd · Mar 8, 2022 · eca70e4 · eca70e4
1 parent cfa4c81
commit eca70e4
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/pkg/azure/blob.go b/pkg/azure/blob.go
@@ -353,6 +353,8 @@ func sharedCredentialFromSecret(endpoint string, secret *corev1.Secret) (*azblob
 // azidentity.ChainedTokenCredential if at least one of the following tokens was
 // successfully created:
 // - azidentity.EnvironmentCredential
+// - azidentity.ManagedIdentityCredential with Client ID from AZURE_CLIENT_ID
+//   environment variable, if found.
 // - azidentity.ManagedIdentityCredential
 // If a Secret with an `authorityHost` is provided, this is set on the
 // azidentity.EnvironmentCredentialOptions. It may return nil.
@@ -369,6 +371,13 @@ func chainCredentialWithSecret(secret *corev1.Secret) (azcore.TokenCredential, e
 	if token, _ := azidentity.NewEnvironmentCredential(credOpts); token != nil {
 		creds = append(creds, token)
 	}
+	if clientID := os.Getenv("AZURE_CLIENT_ID"); clientID != "" {
+		if token, _ := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
+			ID: azidentity.ClientID(clientID),
+		}); token != nil {
+			creds = append(creds, token)
+		}
+	}
 	if token, _ := azidentity.NewManagedIdentityCredential(nil); token != nil {
 		creds = append(creds, token)
 	}