azure builder: allow to auth with managed identities ( MSI )

Adrien Delorme 2018-11-09 17:39:03 +01:00
parent 68c6b086b4
commit 1ab0173e69
4 changed files with 39 additions and 15 deletions


@ -31,6 +31,10 @@ func (a *Authenticate) getServicePrincipalTokenWithResource(resource string) (*a
return nil, err
}
if a.clientID == "" && a.clientSecret == "" {
return adal.NewServicePrincipalTokenFromMSI("http://169.254.169.254/metadata/identity/oauth2/token", resource)
}
spt, err := adal.NewServicePrincipalToken(
*oauthConfig,
a.clientID,
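Review bot: The managed-identity fallback at lines 14–16 is selected silently whenever both client_id and client_secret are empty, and it hard-codes the IMDS URL, so a template that merely omits its credentials on a non-Azure host fails with an opaque timeout against 169.254.169.254 rather than a message naming the mode that was attempted. Take the endpoint from the SDK, `msiEndpoint, err := adal.GetMSIVMEndpoint()`, and wrap the token error with its cause, e.g. `return nil, fmt.Errorf("authenticating with managed identity because client_id and client_secret are unset: %s", err)`, so an operator can tell from the build log which credential path was used. A one-line comment above the check, `// No service principal configured: fall back to the VM's managed identity via IMDS.`, would also make the intent visible at the call site. getServicePrincipalTokenWithResource begins before and ends after this hunk.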


@ -514,16 +514,17 @@ func assertRequiredParametersSet(c *Config, errs *packer.MultiError) {
if isUseDeviceLogin(c) {
c.useDeviceLogin = true
} else {
if c.ClientID == "" {
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_id must be specified"))
if (c.ClientID == "" && c.ClientSecret != "") || (c.ClientID != "" && c.ClientSecret == "") {
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_id and client_secret must be specified together or not specified at all"))
}
if c.ClientSecret == "" {
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_secret must be specified"))
if c.ClientID != "" && c.SubscriptionID == "" {
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id must be specified when client_id & client_secret are"))
}
if c.SubscriptionID == "" {
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id must be specified"))
if c.SubscriptionID != "" && c.ClientID == "" {
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id cannot be specified as it will be taken from MSI"+
" (client_id and client_secret are not set)"))
}
}
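Review bot: The new checks at lines 29–41 make managed-identity mode purely implicit — a template that forgets all three of client_id, client_secret and subscription_id no longer fails validation but silently switches to IMDS — and nothing in this function says so, so I would put `// client_id, client_secret and subscription_id all empty: the VM's managed identity is used (see Authenticate.getServicePrincipalTokenWithResource).` above the first check. The pairing condition on line 29 reads more simply as `if (c.ClientID == "") != (c.ClientSecret == "") {`. The rejection at line 39 assumes a managed identity maps to exactly one subscription; an identity granted access to several subscriptions has no way to pick one, which is worth stating in the error text or the docs if that limitation is intended. assertRequiredParametersSet begins before and ends after this hunk.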


@ -59,14 +59,30 @@ mode.
> Device login mode is for the Public and US Gov clouds only.
The device login flow asks that you open a web browser, navigate to
<http://aka.ms/devicelogin>, and input the supplied code. This authorizes the
Packer for Azure application to act on your behalf. An OAuth token will be
created, and stored in the user's home directory
(~/.azure/packer/oauth-TenantID.json). This token is used if the token file
exists, and it is refreshed as necessary. The token file prevents the need to
continually execute the device login flow. Packer will ask for two device login
auth, one for service management endpoint and another for accessing temp
keyvault secrets that it creates.
<a href="http://aka.ms/devicelogin" class="uri">http://aka.ms/devicelogin</a>,
and input the supplied code. This authorizes the Packer for Azure application
to act on your behalf. An OAuth token will be created, and stored in the user's
home directory (\~/.azure/packer/oauth-TenantID.json). This token is used if
the token file exists, and it is refreshed as necessary. The token file
prevents the need to continually execute the device login flow. Packer will ask
for two device login auth, one for service management endpoint and another for
accessing temp keyvault secrets that it creates.
## Managed identities for Azure resources
-&gt; Managed identities for Azure resources is the new name for the service
formerly known as Managed Service Identity (MSI).
Managed identities is an alternative way to authorize in Azure Packer. Managed
identities for Azure resources are automatically managed by Azure and enable
you to authenticate to services that support Azure AD authentication without
needing to insert credentials into your buildfile. Navigate to
<a href="https://docs.microsoft.com/en-gb/azure/active-directory/managed-identities-azure-resources/overview"
class="uri">managed identities azure resources overview</a> to learn more about
this feature.
This feature will be used when no `subscription_id`, `client_id` or
`client_secret` is set in your buildfile.
## Install the Azure CLI


@ -35,7 +35,7 @@ addition to the options listed here, a
[communicator](/docs/templates/communicator.html) can be configured for this
builder.
### Required:
### Required ( unless instance has [managed identities](/docs/builders/azure-setup.html#managed-identities-for-azure-resources) enabled):
- `client_id` (string) The Active Directory service principal associated with
your builder.
@ -48,6 +48,8 @@ builder.
specified in which case it needs to have owner access to the existing
resource group specified in build\_resource\_group\_name parameter.**
### Required:
- `image_publisher` (string) PublisherName for your base image. See
[documentation](https://azure.microsoft.com/en-us/documentation/articles/resource-groups-vm-searching/)
for details.
@ -250,6 +252,7 @@ Providing `temp_resource_group_name` or `location` in combination with
type* - the target must be a *Managed Image*.
<!-- -->
"shared_image_gallery": {
"subscription": "00000000-0000-0000-0000-00000000000",
"resource_group": "ResourceGroup",