TraGicCode / tragiccode-azure_key_vault

Pull secrets from Azure's key vault with this puppet module.
Apache License 2.0

Add the feature for using multiple Managed Service Identities #62

Closed ikukulevskyi closed 2 years ago

ikukulevskyi commented 4 years ago

Hi,

For Puppet Server it is needed to assign multiple Managed Service Identities; this is needed when using different Azure Vnets, and from a security perspective a separate Managed Service Identity needs to be created for each of the Vnets.

Example of URL request: http://169.254.169.254/metadata/identity/oauth2/token?api-version=2019-08-15&resource=https%3A%2F%2Fvault.azure.net&object_id=a5d01234-c512-4bab-95d0-f5a481234567

Could you add the parameter to the Puppet module for using multiple Managed Service Identities?

Example of the hiera.yaml file:

Thanks

TraGicCode commented 4 years ago

Hello,

Do you have a link to this in the azure documentation? Also is this a feature you are able to work on?

ikukulevskyi commented 4 years ago

Hello,

Sure I used this MS documentation:

https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token

Thanks.

swheettaos commented 3 years ago

TraGicCode, is there any way you can update this to allow using the user identity rather than the system identity? The syntax is pretty much the same except there is an optional objectID or clientID of the identity you want to use when making the request (if not specified it tries to use the system assigned identity).

In this section https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http you can see the two optional parameters, objectID and clientID.

I'm not a Ruby programmer, but I think if you modified this bit of code

```ruby
require 'net/http'
require 'uri'
require 'json'

# Request a Key Vault access token from the Azure Instance Metadata Service (IMDS).
# Without client_id/object_id the system-assigned identity is used.
def self.get_access_token(api_version)
  uri = URI("http://169.254.169.254/metadata/identity/oauth2/token?api-version=#{api_version}&resource=https%3A%2F%2Fvault.azure.net")
  req = Net::HTTP::Get.new(uri.request_uri)
  req['Metadata'] = 'true' # IMDS rejects requests without this header
  res = Net::HTTP.start(uri.hostname, uri.port) do |http|
    http.request(req)
  end
  raise res.body unless res.is_a?(Net::HTTPSuccess)
  JSON.parse(res.body)['access_token']
end
```

in tragiccode-azure_key_vault/lib/puppet_x/tragiccode/azure.rb to also pass a client_ID or object_ID in the same call (if specified), it would work the same way. It still passes back a token that you can parse from the response.

I would do it but I'm not a Ruby guy at all.
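An added example (not the module's own code and not from any commenter) of the change described in the comment above: the IMDS token request with an optional client_id or object_id selecting a user-assigned identity, plus the checks a defender would want before the value from hiera reaches the query string. Helper names build_token_uri and parse_token_response are assumptions, and the sample response body is constructed.

```ruby
require 'net/http'
require 'uri'
require 'json'

# Endpoint and resource from the Azure IMDS documentation linked in the thread.
IMDS_TOKEN_ENDPOINT = 'http://169.254.169.254/metadata/identity/oauth2/token'.freeze
KEY_VAULT_RESOURCE = 'https://vault.azure.net'.freeze
# Managed identity client/object ids are GUIDs; anything else is a misconfiguration.
GUID_RE = /\A[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}\z/i

# Build the token URI. With no selector IMDS uses the system-assigned identity;
# exactly one of client_id / object_id selects a user-assigned identity (assumed rule).
def build_token_uri(api_version, client_id: nil, object_id: nil)
  raise ArgumentError, 'give client_id or object_id, not both' if client_id && object_id
  params = { 'api-version' => api_version, 'resource' => KEY_VAULT_RESOURCE }
  # Validate before encoding so a bad hiera value fails loudly instead of silently
  # falling back to the system identity or producing a malformed request.
  if client_id
    raise ArgumentError, "client_id is not a GUID: #{client_id}" unless client_id.match?(GUID_RE)
    params['client_id'] = client_id
  elsif object_id
    raise ArgumentError, "object_id is not a GUID: #{object_id}" unless object_id.match?(GUID_RE)
    params['object_id'] = object_id
  end
  uri = URI(IMDS_TOKEN_ENDPOINT)
  uri.query = URI.encode_www_form(params) # percent-encodes the resource URL
  uri
end

# Extract the bearer token from an IMDS response body; error payloads have no token.
def parse_token_response(body)
  token = JSON.parse(body)['access_token']
  raise "IMDS returned no access_token: #{body}" if token.nil? || token.empty?
  token
end

# Full request; only runs on an Azure VM where 169.254.169.254 is reachable.
def get_access_token(api_version, client_id: nil, object_id: nil)
  uri = build_token_uri(api_version, client_id: client_id, object_id: object_id)
  req = Net::HTTP::Get.new(uri.request_uri)
  req['Metadata'] = 'true' # required by IMDS
  res = Net::HTTP.start(uri.hostname, uri.port) { |http| http.request(req) }
  raise res.body unless res.is_a?(Net::HTTPSuccess)
  parse_token_response(res.body)
end
```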

TraGicCode commented 3 years ago

Hey @swheettaos ,

It looks like someone just opened a PR to introduce this feature here #79 . It would be great if you could provide some feedback on the PR.

swheettaos commented 3 years ago

I added comments to you in the PR, but this is good to go and tested. I work with Victor and asked him to update the module with this feature. I then asked him to submit it as a PR back to you so future versions will have it.