Closed shahzzzam closed 5 years ago
I rethought this and feel the key vault endpoint should be extracted from the key vault URL directly. Basically, if the code requests access to https://abc.vault.azure.net, it needs to request the access token targeting https://vault.azure.net. So there is a mapping between the key vault URL and the resource URL passed to the token server.
ARM might have a special case in some environments, but in general the access token API follows the above pattern.
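The mapping described in the comment above, sketched in Go as an added example (not code from this PR or from acr-builder). `TokenResource` and `vaultSuffixes` are hypothetical names, and the suffixes other than `vault.azure.net` are assumptions that go beyond the single host mentioned in the thread. The function only derives a token resource when the host is exactly one vault name in front of an allowlisted suffix, so a lookalike host never yields a Key Vault audience.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Assumed allowlist of Key Vault DNS suffixes; adjust per environment.
// Only vault.azure.net appears in the discussion above.
var vaultSuffixes = []string{"vault.azure.net", "vault.azure.cn", "vault.usgovcloudapi.net"}

// TokenResource (hypothetical helper) maps a Key Vault URL such as
// https://abc.vault.azure.net/secrets/x to the resource to request an
// access token for, here https://vault.azure.net.
func TokenResource(vaultURL string) (string, error) {
	u, err := url.Parse(vaultURL)
	if err != nil {
		return "", err
	}
	// Reject cleartext and userinfo forms like https://abc.vault.azure.net@other/.
	if u.Scheme != "https" || u.User != nil {
		return "", errors.New("vault URL must be https without userinfo")
	}
	host := strings.ToLower(strings.TrimSuffix(u.Hostname(), "."))
	for _, suffix := range vaultSuffixes {
		if !strings.HasSuffix(host, "."+suffix) {
			continue
		}
		// Exactly one label (the vault name) may precede the suffix.
		name := strings.TrimSuffix(host, "."+suffix)
		if name != "" && !strings.Contains(name, ".") {
			return "https://" + suffix, nil
		}
	}
	return "", fmt.Errorf("host %q is not a known Key Vault endpoint", host)
}

func main() {
	for _, in := range []string{ // constructed sample inputs
		"https://abc.vault.azure.net/secrets/db-password",
		"https://abc.vault.azure.net.example.com/secrets/x",
		"http://abc.vault.azure.net/",
	} {
		res, err := TokenResource(in)
		fmt.Printf("%-52s -> %q err=%v\n", in, res, err)
	}
}
```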
Purpose of the PR: Breaking change: Remove `az-cloud-name` and add `vault-resource-endpoint` and `arm-resource-endpoint` to be able to inject the environment endpoint manually.
Fixes #
Tests: I followed the instructions on the doc below, https://github.com/Azure/acr-builder/blob/fa3a6488884006e4f654c7b5c5c8703e837391aa/docs/task-with-secrets.md
Created a keyvault in Prod, created a VM, created an Identity, and then ran `acb` inside this VM and passed `--vault-resource-endpoint "https://vault.azure.net/"` to `acb exec` and it worked.