Crypto: support User Assigned Managed Identity for Azure Key Vault (#…

…3390)
nuts-foundation · Sep 20, 2024 · 77f03d7 · 77f03d7
1 parent ff093dd
commit 77f03d7
Show file tree

Hide file tree

Showing 3 changed files with 32 additions and 3 deletions.
diff --git a/crypto/storage/azure/keyvault.go b/crypto/storage/azure/keyvault.go
@@ -26,6 +26,7 @@ import (
 	"fmt"
 	"io"
 	"net/http"
+	"os"
 	"time"
 
 	"github.com/Azure/azure-sdk-for-go/sdk/azcore"
@@ -69,7 +70,16 @@ func createCredential(credentialType string) (azcore.TokenCredential, error) {
 	case DefaultChainCredentialType:
 		return azidentity.NewDefaultAzureCredential(nil)
 	case ManagedIdentityCredentialType:
-		return azidentity.NewManagedIdentityCredential(nil)
+		opts := &azidentity.ManagedIdentityCredentialOptions{
+			ClientOptions: azcore.ClientOptions{},
+		}
+		// For UserAssignedManagedIdentity, client ID needs to be explicitly set.
+		// Taken from github.com/!azure/azure-sdk-for-go/sdk/[email protected]/default_azure_credential.go:100
+		if ID, ok := os.LookupEnv("AZURE_CLIENT_ID"); ok {
+			log.Logger().Debug("Azure: configuring UserAssignedManagedIdentity (using AZURE_CLIENT_ID) for Azure Key Vault client.")
+			opts.ID = azidentity.ClientID(ID)
+		}
+		return azidentity.NewManagedIdentityCredential(opts)
 	default:
 		return nil, fmt.Errorf("unsupported Azure Key Vault credential type: %s", credentialType)
 	}

diff --git a/crypto/storage/azure/keyvault_test.go b/crypto/storage/azure/keyvault_test.go
@@ -27,6 +27,7 @@ import (
 	"encoding/base64"
 	"encoding/json"
 	"errors"
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
 	"net/http"
 	"os"
 	"testing"
@@ -334,3 +335,16 @@ func TestIntegrationTest(t *testing.T) {
 		})
 	})
 }
+
+func Test_createCredential(t *testing.T) {
+	t.Run("Managed Identity", func(t *testing.T) {
+		cred, err := createCredential(ManagedIdentityCredentialType)
+		require.NoError(t, err)
+		require.IsType(t, &azidentity.ManagedIdentityCredential{}, cred)
+	})
+	t.Run("Default Credential", func(t *testing.T) {
+		cred, err := createCredential(DefaultChainCredentialType)
+		require.NoError(t, err)
+		require.IsType(t, &azidentity.DefaultAzureCredential{}, cred)
+	})
+}
diff --git a/docs/pages/deployment/storage.rst b/docs/pages/deployment/storage.rst
@@ -57,13 +57,18 @@ If you want to use filesystem in strict mode, you have to set it explicitly, oth
 Microsoft Azure Key Vault
 =========================
 
-This storage backend uses Microsoft Azure's Key Vault. It authenticates to the Azure Key Vault at the configured URL using the default credential,
-typically an Azure Managed Identity. Refer to the `Azure SDK for Go documentation <https://github.com/Azure/azure-sdk-for-go/wiki/Set-up-Your-Environment-for-Authentication>`_ for more information.
+This storage backend uses Microsoft Azure's Key Vault. The following rules apply:
 
 - To store private keys in an Azure Key Vault HSM, set ``crypto.azurekv.hsm`` to ``true``.
 - Keys created through this storage backend are marked as non-exportable.
 - Azure Key Vault storage can't be used for encrypting ``did:nuts`` private credentials or for data encryption.
 
+The following credential options are available for authentication:
+- ``managed_identity``: authenticate using ManagedIdentity credential (recommended, because default credential often times out when deployed in Azure).
+- ``default``: authenticate using the DefaultChain credential.
+At least the ``AZURE_TENANT_ID`` and ``AZURE_CLIENT_ID`` (for user assigned identities) need to be set in the environment.
+Refer to the `Azure SDK for Go documentation <https://github.com/Azure/azure-sdk-for-go/wiki/Set-up-Your-Environment-for-Authentication>`_ for more information.
+
 HashiCorp Vault
 ===============