azure builder: allow to auth with managed identities ( MSI )
parent
68c6b086b4
commit
1ab0173e69
|
@ -31,6 +31,10 @@ func (a *Authenticate) getServicePrincipalTokenWithResource(resource string) (*a
|
|||
return nil, err
|
||||
}
|
||||
|
||||
if a.clientID == "" && a.clientSecret == "" {
|
||||
return adal.NewServicePrincipalTokenFromMSI("http://169.254.169.254/metadata/identity/oauth2/token", resource)
|
||||
}
|
||||
|
||||
spt, err := adal.NewServicePrincipalToken(
|
||||
*oauthConfig,
|
||||
a.clientID,
|
||||
|
|
|
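Review bot: The managed-identity branch added at `if a.clientID == "" && a.clientSecret == ""` hard-codes the IMDS token URL as a string literal; adal already exposes it, so `msiEndpoint, err := adal.GetMSIVMEndpoint()` followed by `adal.NewServicePrincipalTokenFromMSI(msiEndpoint, resource)` keeps a single source of truth and gives the call an error path. Falling through to the instance identity whenever both credentials are blank also means a missing or mistyped credential setting becomes a build that runs under the VM's identity instead of a configuration error, so it is worth emitting a line through whatever logger this file already uses, e.g. `client_id and client_secret are empty, authenticating with managed identity`, when this branch is taken. The `oauthConfig` built just above the hunk (its error return is the first context line) is not used on this path, so the check could plausibly move ahead of that work, though that depends on code outside the hunk. getServicePrincipalTokenWithResource starts before the hunk and continues after it.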
@ -514,16 +514,17 @@ func assertRequiredParametersSet(c *Config, errs *packer.MultiError) {
|
|||
if isUseDeviceLogin(c) {
|
||||
c.useDeviceLogin = true
|
||||
} else {
|
||||
if c.ClientID == "" {
|
||||
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_id must be specified"))
|
||||
if (c.ClientID == "" && c.ClientSecret != "") || (c.ClientID != "" && c.ClientSecret == "") {
|
||||
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_id and client_secret must be specified together or not specified at all"))
|
||||
}
|
||||
|
||||
if c.ClientSecret == "" {
|
||||
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_secret must be specified"))
|
||||
if c.ClientID != "" && c.SubscriptionID == "" {
|
||||
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id must be specified when client_id & client_secret are"))
|
||||
}
|
||||
|
||||
if c.SubscriptionID == "" {
|
||||
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id must be specified"))
|
||||
if c.SubscriptionID != "" && c.ClientID == "" {
|
||||
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id cannot be specified as it will be taken from MSI"+
|
||||
" (client_id and client_secret are not set)"))
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
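Review bot: The rewritten `else` branch now chooses between service-principal and managed-identity authentication purely by which fields are blank, but nothing in the hunk states that; a comment above the first new check, `// Empty client_id and client_secret select managed identity (MSI); subscription_id must then also be empty.`, would save the next reader reconstructing the rule from the three error strings. The first condition, `(c.ClientID == "" && c.ClientSecret != "") || (c.ClientID != "" && c.ClientSecret == "")`, is an exclusive-or and reads more directly as `if (c.ClientID == "") != (c.ClientSecret == "") {`. Whether `isUseDeviceLogin` already claims the all-blank case before this branch is reached cannot be seen here, so the reachability of the MSI path depends on that helper. assertRequiredParametersSet starts before the hunk and continues after it.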
@ -59,14 +59,30 @@ mode.
|
|||
> Device login mode is for the Public and US Gov clouds only.
|
||||
|
||||
The device login flow asks that you open a web browser, navigate to
|
||||
<http://aka.ms/devicelogin>, and input the supplied code. This authorizes the
|
||||
Packer for Azure application to act on your behalf. An OAuth token will be
|
||||
created, and stored in the user's home directory
|
||||
(~/.azure/packer/oauth-TenantID.json). This token is used if the token file
|
||||
exists, and it is refreshed as necessary. The token file prevents the need to
|
||||
continually execute the device login flow. Packer will ask for two device login
|
||||
auth, one for service management endpoint and another for accessing temp
|
||||
keyvault secrets that it creates.
|
||||
<a href="http://aka.ms/devicelogin" class="uri">http://aka.ms/devicelogin</a>,
|
||||
and input the supplied code. This authorizes the Packer for Azure application
|
||||
to act on your behalf. An OAuth token will be created, and stored in the user's
|
||||
home directory (\~/.azure/packer/oauth-TenantID.json). This token is used if
|
||||
the token file exists, and it is refreshed as necessary. The token file
|
||||
prevents the need to continually execute the device login flow. Packer will ask
|
||||
for two device login auth, one for service management endpoint and another for
|
||||
accessing temp keyvault secrets that it creates.
|
||||
|
||||
## Managed identities for Azure resources
|
||||
|
||||
-> Managed identities for Azure resources is the new name for the service
|
||||
formerly known as Managed Service Identity (MSI).
|
||||
|
||||
Managed identities is an alternative way to authorize in Azure Packer. Managed
|
||||
identities for Azure resources are automatically managed by Azure and enable
|
||||
you to authenticate to services that support Azure AD authentication without
|
||||
needing to insert credentials into your buildfile. Navigate to
|
||||
<a href="https://docs.microsoft.com/en-gb/azure/active-directory/managed-identities-azure-resources/overview"
|
||||
class="uri">managed identities azure resources overview</a> to learn more about
|
||||
this feature.
|
||||
|
||||
This feature will be used when no `subscription_id`, `client_id` or
|
||||
`client_secret` is set in your buildfile.
|
||||
|
||||
## Install the Azure CLI
|
||||
|
||||
|
|
|
@ -35,7 +35,7 @@ addition to the options listed here, a
|
|||
[communicator](/docs/templates/communicator.html) can be configured for this
|
||||
builder.
|
||||
|
||||
### Required:
|
||||
### Required ( unless instance has [managed identities](/docs/builders/azure-setup.html#managed-identities-for-azure-resources) enabled):
|
||||
|
||||
- `client_id` (string) The Active Directory service principal associated with
|
||||
your builder.
|
||||
|
@ -48,6 +48,8 @@ builder.
|
|||
specified in which case it needs to have owner access to the existing
|
||||
resource group specified in build\_resource\_group\_name parameter.**
|
||||
|
||||
### Required:
|
||||
|
||||
- `image_publisher` (string) PublisherName for your base image. See
|
||||
[documentation](https://azure.microsoft.com/en-us/documentation/articles/resource-groups-vm-searching/)
|
||||
for details.
|
||||
|
@ -250,6 +252,7 @@ Providing `temp_resource_group_name` or `location` in combination with
|
|||
type* - the target must be a *Managed Image*.
|
||||
|
||||
<!-- -->
|
||||
|
||||
"shared_image_gallery": {
|
||||
"subscription": "00000000-0000-0000-0000-00000000000",
|
||||
"resource_group": "ResourceGroup",
|
||||
|
|