Closed cataggar closed 7 months ago
I tested the `AppServiceManagedIdentityCredential` with this `get_secret.Dockerfile` based on our example.

```dockerfile
FROM mcr.microsoft.com/cbl-mariner/base/core:2.0
RUN tdnf install ca-certificates -y
ENV OPENSSL_DIR=/etc/pki/tls
COPY get_secret /get_secret
ENTRYPOINT ["/get_secret"]
```

This is using the `get_secret` executable built with:

```shell
cargo build --example get_secret --release --target=x86_64-unknown-linux-gnu
```

Which produces:

```
target/x86_64-unknown-linux-gnu/release/examples/get_secret
```

I deployed it to an App Service with a system managed identity and it worked well.
Testing on an Azure Virtual Machine is complete. I created a VM, scp'd the same `get_secret` binary and the `VirtualMachineManagedIdentityCredential` worked with the system assigned identity. Some testing notes:

```
az vm create -g $vm_name -n $vm_name --image $image --admin-username $env.USER --ssh-key-values $'($env.HOME)/.ssh/id_rsa.pub'
```

I used the portal to add the identity, but it can be done via the CLI too: https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/qs-configure-cli-windows-vm
As we just discussed, I created #1581 as a placeholder for updating the README. This PR is ready to merge.
Opened a couple tracking issues for subsequent discussion / work, but nothing to hold up this PR.
Happy new year 2024!
This adds `azure_identity::new_credential()`, `SpecificAzureCredential`, `AppServiceManagedIdentityCredential`, and `VirtualMachineManagedIdentityCredential`.

`azure_core::new_http_client()`, `azure_identity::create_credential()` is a function that simplifies the most common use cases.

`SpecificAzureCredential` fixes https://github.com/Azure/azure-sdk-for-rust/issues/1503. It provides an easy and fast way to specify a specific credential type at runtime using an `AZURE_CREDENTIAL_KIND` environment variable.

`AppServiceManagedIdentityCredential` and `VirtualMachineManagedIdentityCredential` are split off of and make use of `ImdsManagedIdentityCredential`. This fixes https://github.com/Azure/azure-sdk-for-rust/issues/1495.

Most all of the credentials have something similar to `create(options: impl Into<TokenCredentialOptions>) -> Result<Self>` now. This is similar to how C# has `TryCreate`, shown in https://github.com/Azure/azure-sdk-for-rust/issues/1495. They are able to check environment variables or files to see if they can be created, something milliseconds fast. The main exception is `VirtualMachineManagedIdentityCredential`, which does not have anything quick to check, so it is disabled by default. This is a breaking behavioral change that allows the default credentials to be faster by default. You can still opt in to using them by setting `AZURE_CREDENTIAL_KIND` to `virtualmachine`. You can also include them using the `DefaultAzureCredentialBuilder`.

Manual functional tests of the `AppServiceManagedIdentityCredential` and `VirtualMachineManagedIdentityCredential` were completed.
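The design the PR describes (each credential has a cheap `create` check, `AZURE_CREDENTIAL_KIND` pins one type at runtime, and the VM credential is opt-in because it has nothing cheap to probe), as an added std-only model; this is not the `azure_identity` crate's own code. It assumes the App Service platform variables `IDENTITY_ENDPOINT`/`IDENTITY_HEADER` and a hypothetical `appservice` kind value; only `virtualmachine` is named on the page.

```rust
// Added illustration of the PR's design, not the azure_identity crate's own code.
use std::collections::HashMap;

/// Process environment passed explicitly so the logic can be tested offline.
pub type Env = HashMap<String, String>;

#[derive(Debug, PartialEq)]
pub enum Credential {
    AppService { endpoint: String },
    VirtualMachine,
}

#[derive(Debug, PartialEq)]
pub enum CredentialError {
    NotAvailable(&'static str),
    UnknownKind(String),
}

/// App Service managed identity: a millisecond check for the IDENTITY_ENDPOINT
/// and IDENTITY_HEADER variables the platform injects; no network traffic.
pub fn create_app_service(env: &Env) -> Result<Credential, CredentialError> {
    match (env.get("IDENTITY_ENDPOINT"), env.get("IDENTITY_HEADER")) {
        (Some(endpoint), Some(_)) => Ok(Credential::AppService { endpoint: endpoint.clone() }),
        _ => Err(CredentialError::NotAvailable("IDENTITY_ENDPOINT/IDENTITY_HEADER not set")),
    }
}

/// VM managed identity: nothing cheap to probe (IMDS needs a network round trip),
/// so it is created only when explicitly opted in.
pub fn create_virtual_machine(opt_in: bool) -> Result<Credential, CredentialError> {
    if opt_in {
        Ok(Credential::VirtualMachine)
    } else {
        Err(CredentialError::NotAvailable("VirtualMachine credential is opt-in"))
    }
}

/// AZURE_CREDENTIAL_KIND pins one credential type at runtime; without it the
/// default chain tries only fast-check credentials and leaves VM out.
pub fn create_credential(env: &Env) -> Result<Credential, CredentialError> {
    let kind = env.get("AZURE_CREDENTIAL_KIND").map(|k| k.to_ascii_lowercase());
    match kind.as_deref() {
        Some("virtualmachine") => create_virtual_machine(true),
        Some("appservice") => create_app_service(env), // kind name is assumed
        Some(other) => Err(CredentialError::UnknownKind(other.to_string())),
        None => create_app_service(env).or_else(|_| create_virtual_machine(false)),
    }
}
```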