
Support using ARM_OIDC_TOKEN_FILE_PATH to Configure OIDC #3373

Closed
yuft opened this issue Jun 21, 2024 · 2 comments · Fixed by #3382
Assignees
Labels
kind/bug Some behavior is incorrect or out of spec resolution/fixed This issue was fixed

Comments

@yuft

yuft commented Jun 21, 2024

What happened?

I followed the configuration guide (https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#configuration-options) to set up CI runners in an AKS cluster.

Azure workload identity injects an environment variable named AZURE_FEDERATED_TOKEN_FILE whose value is the file path mounted into the Pod (/var/run/secrets/azure/tokens/azure-identity-token).

This means I cannot set up the Pulumi Azure native provider to auth with Azure using the required ARM_OIDC_REQUEST_TOKEN directly.

It is a common pattern to support ARM_OIDC_TOKEN_FILE_PATH. I also find that ARM_OIDC_REQUEST_TOKEN exists in the source code.

IDTokenFilePath: k.getConfig("oidcTokenFilePath", "ARM_OIDC_TOKEN_FILE_PATH"),

Example

If I set up the provider like below

            export ARM_CLIENT_ID=$AZURE_CLIENT_ID
            export ARM_TENANT_ID=$AZURE_TENANT_ID
            export ARM_OIDC_TOKEN_FILE_PATH=$AZURE_FEDERATED_TOKEN_FILE
            export ARM_OIDC_REQUEST_URL=$AZURE_AUTHORITY_HOST

The error is: OIDC authentication was requested via useOidc/ARM_USE_OIDC but no token and/or request URL were configured. See https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#credentials for more information.

The workaround is to retrieve the token from the file system:

            export ARM_CLIENT_ID=$AZURE_CLIENT_ID
            export ARM_TENANT_ID=$AZURE_TENANT_ID
            export ARM_OIDC_TOKEN=$(cat /var/run/secrets/azure/tokens/azure-identity-token)
            export ARM_OIDC_REQUEST_URL=$AZURE_AUTHORITY_HOST

Output of pulumi about

CLI
Version 3.117.0
Go Version go1.22.3
Go Compiler gc

Host
OS darwin
Version 14.4.1
Arch arm64

Additional context

I feel there could be some code missing, but I haven't invested more time.

Terraform Azure provider supports oidc_token_file_path, so the issue might also apply to Pulumi Azure classic provider.

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/guides/service_principal_oidc

Contributing

Vote on this issue by adding a 👍 reaction.
To contribute a fix for this issue, leave a comment (and link to your pull request, if you've opened one already).

@yuft yuft added kind/bug Some behavior is incorrect or out of spec needs-triage Needs attention from the triage team labels Jun 21, 2024
@aureq
Member

aureq commented Jun 21, 2024

Thank you @yuft for reporting 🧡

This issue seems similar to pulumi/pulumi-azuread#594

@yuft yuft changed the title from "Support using ARM_OIDC_TOKEN_FILE_PATH to Configuring OIDC" to "Support using ARM_OIDC_TOKEN_FILE_PATH to Configure OIDC" Jun 21, 2024
@pulumi-bot pulumi-bot added the resolution/fixed This issue was fixed label Jun 24, 2024
@thomas11 thomas11 removed the needs-triage Needs attention from the triage team label Jun 24, 2024
@thomas11
Contributor

This is now released in v2.47.0.
