Ability to fetch bundles from Azure storage account using managed identities #3916
Comments
|
@anderseknert any thoughts on this? I'm guessing the changes to implement this would be fairly similar to what we do for AWS and GCP. Could we mark this as good first issue? |
|
Thanks for the ping! Not sure how I missed this. This certainly looks doable. I’ll look into it today! |
|
Yep, this looks like a good first issue. Following the instructions here should be pretty straightforward. Only caveat would be to ensure no proxy is used for the connection, as that would potentially leak the access token. |
|
I'd like to take this on. I have some knowledge of OPA as a developer but this would be my first time contributing, so bear with me 🙏 From an initial glance, it appears we would be implementing an I've just gotten started, but wanted to check in to make sure this is indeed the right direction. Also, I'm not sure if adding what's essentially another copy of the GCP plugin would be appropriate here (lots of code duplication), or if we'd want to refactor now. Seems that these are treated as independent almost external plugins so perhaps it's ok to leave as is. Thanks. |
|
Hi @Scowluga! And thanks for helping out! 👍 Yes, both the AWS and GCP metadata auth plug-ins would be a good place to start from. I wouldn't worry too much about code duplication since as you say, they are treated as separate plugins. One thing to note about plugins like this is that we don't really have automated tests that actually interact with the external environment, like Azure in this case. In addition to unit tests, it would therefore be good if you could at least add some instructions to you PR later on how someone else could go about testing this in an Azure environment. Doesn't have to be super detailed, just things like "spin up a new Ubuntu instance, push a bundle to the azure blob storage with authentication required, start OPA with this configuration to authenticate against the blob storage" or something like that. I'd be happy to help with testing later. Some general tips for contributing is found in the main page README. Also, feel free to ping me in the OPA Slack if you have questions along the way. |
|
I've opened an initial draft PR at #3952 so let's move subsequent discussion there. |
Expected Behavior
OPA can fetch bundles from Azure Storage Account using
service principal. This works very well. However, I want to deploy OPA container as a sidecar in AKS cluster where the pod is assigned a managed identity. The storage account allows read access to this managed identity. I could not find any way to use managed identity to fetch the bundle. So I usedservices[].<service-name>.credential.bearer.token_path. A process runs in the background that fetches the bearer token using the following curl command and persists it to a file that is specified inservices[].<service-name>.credential.bearer.token_path:The problem with this approach is that I cannot use opa container. I have to write my own container that runs the script in background to periodically update the access token.
Actual Behavior
I think it would be nice if there is a config option
services[].<service-name>.credentials.bearer.azure.use_system_assigned_identity = true. OPA on seeing this will fetch the access token and use it forBearerauthentication.Steps to Reproduce the Problem
Additional Info
169.254.169.254 is the IP address for Azure Instance Metadata Service.
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=windows
The curl command above is from the page:
https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-curl
The text was updated successfully, but these errors were encountered: