in-toto / witness

Witness is a pluggable framework for software supply chain risk management. It automates, normalizes, and verifies software artifact provenance.
https://witness.dev
Apache License 2.0

Azure Identity Attestation #5

Open mikhailswift opened 2 years ago

mikhailswift commented 2 years ago

Migrated from GitLab -- original author @colek42

Needs information on what Azure provides for this

colek42 commented 2 years ago

From the spire docs:

The SPIRE Agent azure_msi Node Attestor plugin retrieves an Azure VM’s MSI token, and identifies itself to the SPIRE Server azure_msi Node Attestor plugin.

The SPIRE Server azure_msi Node Attestor plugin retrieves the JSON Web Key Set (JWKS) document from Azure via an API call and uses the JWKS information to validate the MSI token.

The SPIRE Server azure_msi Node Resolver plugin interacts with Azure to obtain information about the agent VM–such as subscription ID, VM name, network security group, virtual network, and virtual network subnet–to build up a set of attributes about the agent VM that can then be used as node selectors for the Azure node set.

Once verification takes place, the SPIRE Agent is considered attested and issued its own SPIFFE ID. Finally, SPIRE issues SVIDs to workloads on the nodes if they match a registration entry. The registration entry may include selectors exposed by the Node Attestor or Resolver, or have the SPIFFE ID of the SPIRE Agent as a parent.
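The verification path the quoted SPIRE docs describe, as an added Go example that is not code from witness or SPIRE: a simulated token endpoint signs an MSI-style RS256 JWT with a freshly generated key and publishes the matching JWKS entry; the verifier selects the key by `kid`, pins the algorithm to RS256, checks the signature, and only then enforces issuer, audience and expiry. The claim names, the issuer and audience URLs, the `kid` and the clock are constructed stand-ins, and the real Azure endpoints, the JWKS fetch over the network and the Node Resolver's attribute lookup are out of scope.

```go
package main

// Added example (not witness or SPIRE code): the azure_msi Node Attestor's server-side check, reduced to its core and run offline.

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// jwk mirrors one JWKS entry; a real document decodes into it because encoding/json matches "kid", "kty", "n", "e" case-insensitively.
type jwk struct{ Kid, Kty, N, E string }
// msiClaims is the subset of token claims this verifier enforces (assumed claim names).
type msiClaims struct {
	Iss string `json:"iss"`
	Aud string `json:"aud"`
	Sub string `json:"sub"`
	Exp int64  `json:"exp"`
}

// Constructed stand-ins for the real issuer, audience and clock.
const sampleIssuer, sampleAudience = "https://sts.example.invalid/tenant-id/", "https://management.example.invalid/"
var sampleNow, enc = time.Unix(1700000000, 0), base64.RawURLEncoding

func newSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) } // key of the simulated token endpoint

// jwksFromKey publishes an RSA public key the way a JWKS endpoint does.
func jwksFromKey(kid string, pub *rsa.PublicKey) []jwk {
	e := big.NewInt(int64(pub.E)).Bytes()
	return []jwk{{Kid: kid, Kty: "RSA", N: enc.EncodeToString(pub.N.Bytes()), E: enc.EncodeToString(e)}}
}

// rsaKey selects the key named by the token header; an unknown kid is fatal.
func rsaKey(keys []jwk, kid string) (*rsa.PublicKey, error) {
	for _, k := range keys {
		n, errN := enc.DecodeString(k.N)
		e, errE := enc.DecodeString(k.E)
		if k.Kid == kid && k.Kty == "RSA" && errN == nil && errE == nil {
			return &rsa.PublicKey{N: new(big.Int).SetBytes(n), E: int(new(big.Int).SetBytes(e).Int64())}, nil
		}
	}
	return nil, fmt.Errorf("no usable RSA key with kid %q in JWKS", kid)
}

// signToken stands in for the token endpoint: RS256 over header.payload.
func signToken(kid string, priv *rsa.PrivateKey, c msiClaims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "kid": kid})
	body, _ := json.Marshal(c)
	input := enc.EncodeToString(hdr) + "." + enc.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + enc.EncodeToString(sig), nil
}

// decodeJSON base64url-decodes one token segment and parses it as JSON.
func decodeJSON(segment string, v any) error {
	b, err := enc.DecodeString(segment)
	if err != nil {
		return err
	}
	return json.Unmarshal(b, v)
}

// verifyMSIToken pins the algorithm, verifies the signature with the JWKS key
// named by kid, and only then enforces iss, aud and exp from the claims.
func verifyMSIToken(token string, keys []jwk, wantIss, wantAud string, now time.Time) (*msiClaims, error) {
	parts := strings.Split(token, ".")
	var hdr map[string]string // the token never chooses the algorithm: anything but RS256 is rejected
	if len(parts) != 3 || decodeJSON(parts[0], &hdr) != nil || hdr["alg"] != "RS256" {
		return nil, errors.New("malformed token or header rejected (only RS256 is accepted)")
	}
	pub, errKey := rsaKey(keys, hdr["kid"])
	sig, errSig := enc.DecodeString(parts[2])
	if errKey != nil || errSig != nil {
		return nil, fmt.Errorf("key or signature unusable: %v %v", errKey, errSig)
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature verification failed")
	}
	var c msiClaims
	if err := decodeJSON(parts[1], &c); err != nil {
		return nil, err
	}
	if c.Iss != wantIss || c.Aud != wantAud || !now.Before(time.Unix(c.Exp, 0)) {
		return nil, fmt.Errorf("claims rejected: iss=%q aud=%q exp=%d", c.Iss, c.Aud, c.Exp)
	}
	return &c, nil
}
```

The ordering matters: `sub` and any other claim are only read after the signature has been checked against a key the verifier chose by `kid` from its own JWKS copy, and the `alg` pin means a token that names another algorithm (including `none`) is refused before any key material is touched. A production attestor would fetch and cache the JWKS from the issuer's metadata endpoint and use a maintained JWT library rather than the hand-rolled parsing here.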