Azure / api-management-self-hosted-gateway

Home of Azure API Management's Self-Hosted Gateway
https://docs.microsoft.com/en-gb/azure/api-management/self-hosted-gateway-overview

Gateway Auth Type: Federated #293

Open justinmchase opened 1 month ago

justinmchase commented 1 month ago

Proposal

Your gateway.auth.type only supports two kinds of auth, the second of which requires a secret.

Our app has a Managed Identity which is federated with the Kubernetes service account through OIDC, so there is no application client ID or secret.

I can't seem to find the actual source code that builds the Docker image for the gateway, but I'm assuming it is using the Azure SDK somewhere to load these app credentials and then make calls to the gateway.

If that's the case, then this proposal is to simply add a third kind of auth called azureadfederated and, in that case, simply utilize the "default credentials" for the SDK, which will work automatically in the case of running as a pod with a federated service account.

Use-Case

Some users do not use App Registrations for such things and prefer not to use secrets, which require a lot of automation for proper rotation and can be leaked.

For users using federated managed identities in AKS, it would be possible to work secretless.

Anything else?

No response
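Added example (not code from this issue, the gateway image, or the Helm chart): what the proposed secretless mode changes at the token-exchange level. The `key` and `azureadapp` type names stand in for the two existing modes the issue refers to and are assumptions; `azureadfederated` is the name proposed above. The environment variables are the ones Azure Workload Identity injects into a federated pod; the scope, IDs and token contents used when run are constructed sample values.

```python
"""Token request a gateway would build for each gateway.auth.type.

Shows that the federated mode exchanges the kubelet-projected service account
token as an OAuth 2.0 client assertion (RFC 7523), so no client secret is
stored, mounted or rotated anywhere.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Client assertion type used by Azure AD workload identity federation.
JWT_BEARER_ASSERTION = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Environment variables injected by the Azure Workload Identity webhook.
FEDERATED_TOKEN_FILE = "AZURE_FEDERATED_TOKEN_FILE"
CLIENT_ID = "AZURE_CLIENT_ID"
TENANT_ID = "AZURE_TENANT_ID"
AUTHORITY_HOST = "AZURE_AUTHORITY_HOST"
DEFAULT_AUTHORITY = "https://login.microsoftonline.com"


@dataclass(frozen=True)
class TokenRequest:
    """Token endpoint and form body a gateway would POST to get an access token."""
    url: str
    form: Dict[str, str]

    def uses_secret(self) -> bool:
        return "client_secret" in self.form


def _read_text(path: str) -> str:
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def _token_url(authority_host: str, tenant_id: str) -> str:
    return f"{authority_host.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"


def build_token_request(
    auth_type: str,
    config: Dict[str, str],
    env: Dict[str, str],
    scope: str,
    read_file: Callable[[str], str] = _read_text,
) -> Optional[TokenRequest]:
    """Return the token request for the configured auth type, or None for 'key'.

    Type names other than 'azureadfederated' are assumptions for this example.
    """
    auth_type = auth_type.lower()
    if auth_type == "key":
        return None  # gateway key mode: no Azure AD token exchange involved

    if auth_type == "azureadapp":
        # Client credentials with a shared secret: the secret has to be stored,
        # mounted and rotated, which is exactly what the proposal avoids.
        url = _token_url(config.get("authority", DEFAULT_AUTHORITY), config["tenantId"])
        return TokenRequest(url, {
            "grant_type": "client_credentials",
            "client_id": config["appId"],
            "client_secret": config["appSecret"],
            "scope": scope,
        })

    if auth_type == "azureadfederated":
        missing = [v for v in (FEDERATED_TOKEN_FILE, CLIENT_ID, TENANT_ID) if not env.get(v)]
        if missing:
            raise RuntimeError(
                "workload identity is not configured for this pod; missing "
                + ", ".join(missing))
        # The projected token is short-lived and rotated by the kubelet, so it
        # is read fresh for every request instead of being cached.
        assertion = read_file(env[FEDERATED_TOKEN_FILE]).strip()
        url = _token_url(env.get(AUTHORITY_HOST, DEFAULT_AUTHORITY), env[TENANT_ID])
        return TokenRequest(url, {
            "grant_type": "client_credentials",
            "client_id": env[CLIENT_ID],
            "client_assertion_type": JWT_BEARER_ASSERTION,
            "client_assertion": assertion,
            "scope": scope,
        })

    raise ValueError(f"unsupported gateway.auth.type: {auth_type!r}")


if __name__ == "__main__":
    # Constructed pod environment and token; nothing is sent over the network.
    sample_env = {
        FEDERATED_TOKEN_FILE: "/var/run/secrets/azure/tokens/azure-identity-token",
        CLIENT_ID: "00000000-0000-0000-0000-000000000001",
        TENANT_ID: "00000000-0000-0000-0000-0000000000aa",
    }
    req = build_token_request(
        "azureadfederated", {}, sample_env, "https://management.azure.com/.default",
        read_file=lambda _path: "eyJ.constructed.sample\n")
    print(req.url)
    print("secret in request:", req.uses_secret())
```

The difference between the two Azure AD modes is only in the form body: `client_secret` versus `client_assertion`. In the federated mode the only credential that exists on the node is the projected token, which Kubernetes rotates on its own, so there is nothing for an operator to store in a Kubernetes Secret or to leak from one.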

justinmchase commented 1 month ago

This may be very similar to, or the same as, #267.

tomkerkhove commented 1 month ago

It's the same ask indeed; @ferantoMSFT is our PM who can help track this request.