open-policy-agent / opa

Open Policy Agent (OPA) is an open source, general-purpose policy engine.
https://www.openpolicyagent.org
Apache License 2.0

Support managed identity for Azure App Service/Azure Container Apps #7085

Open apc-kamezaki opened 2 days ago

apc-kamezaki commented 2 days ago

As you can see in the discussion https://github.com/orgs/open-policy-agent/discussions/592 , the opa server cannot connect to Azure Blob Storage on Azure App Service using managed identity.

I'd like to add a feature for using managed identity for connecting between Azure Container Apps and Azure Blob Storage.

What is the underlying problem you're trying to solve?

It seems that the IMDS endpoint is not available on Azure App Service/Container Apps. It should use a special endpoint for getting the token instead. See:
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#connect-to-azure-services-in-app-code
https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=bicep%2Chttp#connect-to-azure-services-in-app-code

Describe the ideal solution

The IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are defined on Azure App Service for getting the token. We can detect these variables and switch the endpoint and header value from IMDS.

Describe a "Good Enough" solution

I

Additional Context
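To illustrate the switch the issue proposes, here is an added example (not OPA's own code and not the code in PR #7086) that selects the token endpoint from the environment. The `api-version` values and the `X-IDENTITY-HEADER` / `Metadata: true` header names are assumed from the Azure documentation linked above; the lookup function is injected so the selection logic can be tested without touching the process environment.

```go
package main

import (
	"fmt"
	"net/url"
)

// IMDS token endpoint used on Azure VMs (assumed from the Azure docs, not from OPA).
const imdsTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token"

// tokenRequest describes where and how to ask for a managed-identity token.
type tokenRequest struct {
	URL     string
	Headers map[string]string
}

// buildTokenRequest implements the detection the issue describes:
// when IDENTITY_ENDPOINT and IDENTITY_HEADER are both set (App Service /
// Container Apps), use them; otherwise fall back to the IMDS endpoint.
// getenv is injected (e.g. os.Getenv) so the logic is testable in isolation.
func buildTokenRequest(getenv func(string) string, resource string) (tokenRequest, error) {
	if resource == "" {
		return tokenRequest{}, fmt.Errorf("resource must not be empty")
	}
	endpoint, header := getenv("IDENTITY_ENDPOINT"), getenv("IDENTITY_HEADER")

	q := url.Values{}
	q.Set("resource", resource)

	if endpoint != "" && header != "" {
		// App Service style: api-version 2019-08-01 and the per-instance
		// X-IDENTITY-HEADER secret that proves the caller runs inside the app.
		q.Set("api-version", "2019-08-01")
		return tokenRequest{
			URL:     endpoint + "?" + q.Encode(),
			Headers: map[string]string{"X-IDENTITY-HEADER": header},
		}, nil
	}
	if endpoint != "" || header != "" {
		// Half-configured environment: fail closed instead of silently using IMDS.
		return tokenRequest{}, fmt.Errorf("IDENTITY_ENDPOINT and IDENTITY_HEADER must both be set")
	}
	// IMDS style (VM/VMSS): the Metadata: true header is required by the service
	// so that a plain forwarded request cannot obtain a token.
	q.Set("api-version", "2018-02-01")
	return tokenRequest{
		URL:     imdsTokenURL + "?" + q.Encode(),
		Headers: map[string]string{"Metadata": "true"},
	}, nil
}
```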

ashutosh-narkar commented 2 days ago

Thanks for reporting this @apc-kamezaki. If you'd like to contribute a fix that would be great. Thanks!

apc-kamezaki commented 2 days ago

I've also posted PR #7086