search

go-acme / lego

Let's Encrypt/ACME client and library written in Go
https://go-acme.github.io/lego/
MIT License
7.92k stars 1.01k forks source link

Azure DNS OIDC support #2027

Closed stmcx closed 11 months ago

stmcx commented 1 year ago

Welcome

How do you use lego?

Through Terraform ACME provider

Detailed Description

The Terraform ACME provider with "azuredns" config has failed to authenticate via OIDC token provided by Terraform Dynamic Credentials.

Not sure if it a misconfig on my side. I was only passing AZURE_RESOURCE_GROUP and got 401. I attempted to pass the vars by hand but didn't work and still getting 401. 

ARM_SUBSCRIPTION_ID  = data.azurerm_subscription.current.subscription_id
ARM_TENANT_ID        = data.azurerm_subscription.current.tenant_id
ARM_OIDC_TOKEN       = data.environment_variables.all.items["ARM_OIDC_TOKEN"]
ARM_CLIENT_ID        = data.environment_variables.all.items["ARM_CLIENT_ID"]
ARM_USE_OIDC         = "true"
AZURE_RESOURCE_GROUP = var.certificate_dns_challenge_azure_resource_group_name

I don't see any mention of generic OIDC being supported in the docs https://go-acme.github.io/lego/dns/azuredns/ for things like Terraform Cloud or GitHub Actions for example.

Would love to see this supported to avoid static secrets, thank you.

ldez commented 1 year ago

Hello,

I think it's better to open an issue inside the repo https://github.com/vancluever/terraform-provider-acme

ldez commented 1 year ago

@pchanvallon do you have an idea?

pchanvallon commented 1 year ago

Hello, at the moment this authentication method is not embedded in the DefaultAzureCredential which is the function used inside azuredns provider. For that we need to implement the logic to retrieve OIDC token like the one used inside azrerm terraform provider. @ldez I can add it in a new PR

stmcx commented 1 year ago

Testing on local machine bypassing Terraform ACME provider

Ensure cli is logged out

az logout

Export environment variables (Values taken from Terraform Cloud agent runner)

export AZURE_SUBSCRIPTION_ID=******-****-****-****-********
export AZURE_RESOURCE_GROUP=*********
export AZURE_TENANT_ID=******-****-****-****-********
export AZURE_CLIENT_ID=******-****-****-****-********
export AZURE_USE_OIDC=true
export AZURE_OIDC_TOKEN="**************************"

Also exported last two envs as ARM_OIDC_TOKEN & ARM_USE_OIDC since this is the syntax they are actually exported by Terraform Cloud.

lego --domains example.****.com --email someone@example.com --dns azuredns run
2023/10/05 13:18:38 [INFO] [example.****.com] acme: Obtaining bundled SAN certificate
2023/10/05 13:18:39 [INFO] [example.****.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/*******
2023/10/05 13:18:39 [INFO] [example.****.com] acme: Could not find solver for: tls-alpn-01
2023/10/05 13:18:39 [INFO] [example.****.com] acme: Could not find solver for: http-01
2023/10/05 13:18:39 [INFO] [example.****.com] acme: use dns-01 solver
2023/10/05 13:18:39 [INFO] [example.****.com] acme: Preparing to solve DNS-01
2023/10/05 13:18:44 [INFO] [example.****.com] acme: Cleaning DNS-01 challenge
2023/10/05 13:18:47 [WARN] [example.****.com] acme: cleaning up failed: azuredns: DefaultAzureCredential: failed to acquire a token.
Attempted credentials:
    EnvironmentCredential: incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set
    WorkloadIdentityCredential: no token file specified. Check pod configuration or set TokenFilePath in the options
    ManagedIdentityCredential: managed identity timed out
    AzureCLICredential: ERROR: Please run 'az login' to setup account.

What seems to work is putting the AZURE_OIDC_TOKEN value in a file and then exporting AZURE_FEDERATED_TOKEN_FILE=token.txt.

I will see if I can do this in Terraform but would prefer if it works out of the box.

2023/10/05 13:41:10 [INFO] [example.****.com] acme: Obtaining bundled SAN certificate
2023/10/05 13:41:11 [INFO] [example.****.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/********
2023/10/05 13:41:11 [INFO] [example.****.com] acme: Could not find solver for: tls-alpn-01
2023/10/05 13:41:11 [INFO] [example.****.com] acme: Could not find solver for: http-01
2023/10/05 13:41:11 [INFO] [example.****.com] acme: use dns-01 solver
2023/10/05 13:41:11 [INFO] [example.****.com] acme: Preparing to solve DNS-01
2023/10/05 13:41:15 [INFO] [example.****.com] acme: Trying to solve DNS-01
2023/10/05 13:41:15 [INFO] [example.****.com] acme: Checking DNS record propagation using [*****]
2023/10/05 13:41:17 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2023/10/05 13:41:24 [INFO] [example.****.com] The server validated our request
2023/10/05 13:41:24 [INFO] [example.****.com] acme: Cleaning DNS-01 challenge
2023/10/05 13:41:26 [INFO] [example.****.com] acme: Validations succeeded; requesting certificates
2023/10/05 13:41:27 [INFO] [example.****.com] Server responded with a certificate.

Thanks!

pchanvallon commented 1 year ago

Yes this case is working because it is the mechanism used by Workload Identity Authentication as described in this doc. But we still need to handle the other cases.