Open apc-kamezaki opened 2 days ago
What is the underlying problem you're trying to solve?
As you can see in the discussion https://github.com/orgs/open-policy-agent/discussions/592, the OPA server cannot connect to Azure Blob Storage from Azure App Service using a managed identity.
I'd like to add the feature of using a managed identity for connecting between Azure Container Apps and Azure Blob Storage.
It seems that the IMDS endpoint is not available on Azure App Service/Container Apps. It should use a special endpoint for getting the token instead. See:
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#connect-to-azure-services-in-app-code https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=bicep%2Chttp#connect-to-azure-services-in-app-code
Describe the ideal solution
The IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are defined on Azure App Service for getting the token. We can detect these variables and switch the endpoint and header value from IMDS.
Describe a "Good Enough" solution
I
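The endpoint switch the issue proposes, as an added Go example that is neither OPA's code nor the author's PR: it builds the token request against the App Service endpoint when IDENTITY_ENDPOINT and IDENTITY_HEADER are both set and falls back to IMDS otherwise. The IMDS URL, the api-version values and the X-IDENTITY-HEADER / Metadata header names come from the Azure docs linked above, not from this page; the function name, the injected env lookup and the fail-closed handling of a half-configured environment are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os"
)

// Endpoint details are taken from the Azure docs linked in the issue, not from this page.
const (
	imdsTokenURL     = "http://169.254.169.254/metadata/identity/oauth2/token"
	imdsAPIVersion   = "2018-02-01"
	appSvcAPIVersion = "2019-08-01"
)

// BuildTokenRequest builds the GET request for a managed-identity token for resource. env is an
// injected lookup (os.Getenv in production); the second result is "app-service" or "imds".
func BuildTokenRequest(env func(string) string, resource string) (*http.Request, string, error) {
	endpoint, header := env("IDENTITY_ENDPOINT"), env("IDENTITY_HEADER")
	if (endpoint == "") != (header == "") { // half-configured: fail closed, do not fall back to IMDS
		return nil, "", errors.New("IDENTITY_ENDPOINT and IDENTITY_HEADER must be set together")
	}
	q := url.Values{"resource": {resource}, "api-version": {imdsAPIVersion}}
	base, source, hdrName, hdrValue := imdsTokenURL, "imds", "Metadata", "true"
	if endpoint != "" {
		// App Service / Container Apps: IMDS is unreachable; use the injected endpoint and its per-app secret header.
		if u, err := url.Parse(endpoint); err != nil || u.Host == "" {
			return nil, "", fmt.Errorf("invalid IDENTITY_ENDPOINT %q", endpoint)
		}
		base, source, hdrName, hdrValue = endpoint, "app-service", "X-IDENTITY-HEADER", header
		q.Set("api-version", appSvcAPIVersion)
	}
	req, err := http.NewRequest(http.MethodGet, base+"?"+q.Encode(), nil)
	if err != nil {
		return nil, "", err
	}
	req.Header.Set(hdrName, hdrValue) // the IDENTITY_HEADER value is a secret: never log it
	return req, source, nil
}

func main() {
	req, source, err := BuildTokenRequest(os.Getenv, "https://storage.azure.com/")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println(source, req.URL) // headers deliberately not printed
}
```

Sending the request and parsing the JSON token response is left to the caller; the point here is only which endpoint and header are selected.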
Thanks for reporting this @apc-kamezaki. If you'd like to contribute a fix that would be great. Thanks!
I've also posted PR #7086