dapr / components-contrib

Community driven, reusable components for distributed apps
Apache License 2.0

Adds EntraID auth support to all Redis Components #3470

Closed berndverst closed 5 months ago

berndverst commented 5 months ago

Description

Implements EntraID / AAD support for Azure Cache for Redis across all components

For a component yaml file to use Azure Cache for Redis with Entra ID see this:

This will assume that either your UserPrincipal (via AzureCLICredential) or the SystemAssigned Managed Identity has the RedisDataOwner role permission. If a user-assigned identity is to be used, the azureClientID property needs to be specified.

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
spec:
  type: state.redis
  initTimeout: 30s
  metadata:
    - name: redisHost
      value: MYHOSTNAME.redis.cache.windows.net:6380
    - name: useEntraID
      value: "true"
    - name: enableTLS
      value: "true"

Issue reference

Adds #3088

Checklist

Please make sure you've completed the relevant tasks for this PR, out of the following list:

Testing

Manually modified certification and conformance tests to run against Azure Cache for Redis using modified component configurations to exercise the new auth mechanism.

berndverst commented 5 months ago

I will cherry pick this into Release 1.14 once merged.

berndverst commented 5 months ago

The feature will work like this for all Redis components:

apiVersion: dapr.io/v1alpha1
kind: Component
metadata:
  name: statestore
spec:
  type: state.redis
  initTimeout: 30s
  metadata:
    - name: redisHost
      value: MYHOSTNAME.redis.cache.windows.net:6380
    - name: useEntraID
      value: "true"
    - name: enableTLS
      value: "true"

(change the component type of course)

TLS must be enabled, and the useEntraID property must be set. Beyond that you only need to specify the hostname with port (6380 seems to be the Azure Redis default).

This will automatically support all forms of EntraID (AAD) authentication, including Workload Identity, Managed Identities and also Azure CLI Credential (User principal). For more details on all those see: https://docs.dapr.io/developing-applications/integrations/azure/azure-authentication/authenticating-azure/

Of course don't forget to enable Entra ID authentication on your Azure Redis server itself! And enabling it takes a few minutes to propagate as well.
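The two comments above describe the configuration rules (useEntraID requires enableTLS, redisHost carries the port) and the credential flow (a token from Workload Identity, Managed Identity or the Azure CLI). The following is an added example, not code from this PR or from the Dapr components-contrib code base, showing what a Redis client actually does with such a token: it reads the principal's object ID (the `oid` claim), which Azure Cache for Redis expects as the Redis username, uses the token itself as the password, and re-authenticates before the token's `exp` time. The constraint checks mirror the rules stated on this page; the oid-as-username convention and the need to refresh before expiry are assumptions taken from Azure's documented Entra ID behaviour for Redis, not from this PR. The token in `main` is a constructed, unsigned JWT-shaped string so the program runs offline; a real token comes from `azidentity` with the scope `https://redis.azure.com/.default` (also an assumption, not shown here).

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net"
	"strings"
	"time"
)

// redisEntraConfig mirrors the component metadata keys used on this page.
type redisEntraConfig struct {
	Host          string
	UseEntraID    bool
	EnableTLS     bool
	AzureClientID string // only set when a user-assigned managed identity is used
}

// parseRedisEntraMetadata applies the rules given in the PR discussion:
// useEntraID requires enableTLS, and redisHost must be host:port.
func parseRedisEntraMetadata(md map[string]string) (redisEntraConfig, error) {
	cfg := redisEntraConfig{
		Host:          md["redisHost"],
		UseEntraID:    strings.EqualFold(md["useEntraID"], "true"),
		EnableTLS:     strings.EqualFold(md["enableTLS"], "true"),
		AzureClientID: md["azureClientID"],
	}
	if cfg.Host == "" {
		return cfg, errors.New("redisHost is required")
	}
	if _, _, err := net.SplitHostPort(cfg.Host); err != nil {
		return cfg, fmt.Errorf("redisHost must be host:port, e.g. name.redis.cache.windows.net:6380: %w", err)
	}
	if cfg.UseEntraID && !cfg.EnableTLS {
		return cfg, errors.New("useEntraID=true requires enableTLS=true")
	}
	return cfg, nil
}

// entraRedisAuth extracts the Redis username (oid claim) and the expiry from an
// Entra ID access token. The signature is deliberately not verified here: the Redis
// server validates the token; the client only needs to read these two claims.
func entraRedisAuth(token string) (username string, expires time.Time, err error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return "", time.Time{}, errors.New("not a JWT")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return "", time.Time{}, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		OID string `json:"oid"`
		Exp int64  `json:"exp"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return "", time.Time{}, fmt.Errorf("parse claims: %w", err)
	}
	if claims.OID == "" {
		return "", time.Time{}, errors.New("token has no oid claim")
	}
	return claims.OID, time.Unix(claims.Exp, 0).UTC(), nil
}

// refreshDue reports whether a fresh token (and a new AUTH) is needed, keeping a
// safety margin so the connection never runs on a token that has just expired.
func refreshDue(expires, now time.Time, margin time.Duration) bool {
	return !now.Add(margin).Before(expires)
}

// makeFakeToken builds an unsigned, JWT-shaped string for offline demonstration only.
func makeFakeToken(oid string, exp time.Time) string {
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"none","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]interface{}{"oid": oid, "exp": exp.Unix()})
	return hdr + "." + base64.RawURLEncoding.EncodeToString(body) + ".sig"
}

func main() {
	// Constructed metadata matching the component YAML on this page.
	md := map[string]string{
		"redisHost":  "MYHOSTNAME.redis.cache.windows.net:6380",
		"useEntraID": "true",
		"enableTLS":  "true",
	}
	cfg, err := parseRedisEntraMetadata(md)
	fmt.Printf("config: %+v err=%v\n", cfg, err)

	// Constructed token with a made-up object ID; a real one comes from azidentity.
	tok := makeFakeToken("11111111-2222-3333-4444-555555555555", time.Now().Add(time.Hour))
	user, exp, err := entraRedisAuth(tok)
	fmt.Printf("AUTH %s <access-token> (expires %s, err=%v)\n", user, exp.Format(time.RFC3339), err)
	fmt.Println("refresh due now:", refreshDue(exp, time.Now(), 5*time.Minute))
}
```

The `AUTH <oid> <token>` pairing is the whole trick: nothing in the component YAML holds a secret, the token is short-lived, and the only thing the operator must get right is the role assignment on the cache and, for a user-assigned identity, the `azureClientID` property mentioned in the PR description.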

berndverst commented 5 months ago

In my own testing I just assigned myself (my user) the Azure Redis Data Owner role, then refreshed my CLI Credential. Then I used the above component yaml locally (with my server name). Everything worked perfectly fine.