azure builder: allow to auth with managed identities ( MSI )

This commit is contained in:
Adrien Delorme 2018-11-09 17:39:03 +01:00
parent 68c6b086b4
commit 1ab0173e69
4 changed files with 39 additions and 15 deletions


@ -31,6 +31,10 @@ func (a *Authenticate) getServicePrincipalTokenWithResource(resource string) (*a
return nil, err return nil, err
} }
if a.clientID == "" && a.clientSecret == "" {
return adal.NewServicePrincipalTokenFromMSI("http://169.254.169.254/metadata/identity/oauth2/token", resource)
}
spt, err := adal.NewServicePrincipalToken( spt, err := adal.NewServicePrincipalToken(
*oauthConfig, *oauthConfig,
a.clientID, a.clientID,
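Review bot: The MSI endpoint on the added `return adal.NewServicePrincipalTokenFromMSI(...)` line is a hard-coded literal; the adal package exposes `adal.GetMSIVMEndpoint()` for this value, so `msiEndpoint, err := adal.GetMSIVMEndpoint()` / `if err != nil { return nil, err }` / `return adal.NewServicePrincipalTokenFromMSI(msiEndpoint, resource)` keeps the address in one place and tracks the library if it changes. The branch is also entered implicitly, whenever both clientID and clientSecret are empty, so a buildfile that lost its credentials (for example an unset variable) silently switches to the instance's managed identity instead of failing; a comment such as `// No service principal configured: fall back to the VM's managed identity (MSI).` makes that intent visible, and a log line here would help when the metadata endpoint is unreachable. The oauthConfig computed just above the inserted lines is not used on the MSI path. getServicePrincipalTokenWithResource starts and ends outside the hunk.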


@ -514,16 +514,17 @@ func assertRequiredParametersSet(c *Config, errs *packer.MultiError) {
if isUseDeviceLogin(c) { if isUseDeviceLogin(c) {
c.useDeviceLogin = true c.useDeviceLogin = true
} else { } else {
if c.ClientID == "" { if (c.ClientID == "" && c.ClientSecret != "") || (c.ClientID != "" && c.ClientSecret == "") {
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_id must be specified")) errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_id and client_secret must be specified together or not specified at all"))
} }
if c.ClientSecret == "" { if c.ClientID != "" && c.SubscriptionID == "" {
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A client_secret must be specified")) errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id must be specified when client_id & client_secret are"))
} }
if c.SubscriptionID == "" { if c.SubscriptionID != "" && c.ClientID == "" {
errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id must be specified")) errs = packer.MultiErrorAppend(errs, fmt.Errorf("A subscription_id cannot be specified as it will be taken from MSI"+
" (client_id and client_secret are not set)"))
} }
} }
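Review bot: The third new condition, `c.SubscriptionID != "" && c.ClientID == ""`, also fires when client_secret is set without client_id, so that misconfiguration gets both the "must be specified together" error and a contradictory "will be taken from MSI" error. Narrowing it to `if c.SubscriptionID != "" && c.ClientID == "" && c.ClientSecret == "" {` reports only the relevant message. The message's claim that subscription_id is taken from MSI is not established by the visible lines; if that lookup lives elsewhere, it is worth confirming it happens before the id is needed. assertRequiredParametersSet continues outside the hunk.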


@ -59,14 +59,30 @@ mode.
> Device login mode is for the Public and US Gov clouds only. > Device login mode is for the Public and US Gov clouds only.
The device login flow asks that you open a web browser, navigate to The device login flow asks that you open a web browser, navigate to
<http://aka.ms/devicelogin>, and input the supplied code. This authorizes the <a href="http://aka.ms/devicelogin" class="uri">http://aka.ms/devicelogin</a>,
Packer for Azure application to act on your behalf. An OAuth token will be and input the supplied code. This authorizes the Packer for Azure application
created, and stored in the user's home directory to act on your behalf. An OAuth token will be created, and stored in the user's
(~/.azure/packer/oauth-TenantID.json). This token is used if the token file home directory (\~/.azure/packer/oauth-TenantID.json). This token is used if
exists, and it is refreshed as necessary. The token file prevents the need to the token file exists, and it is refreshed as necessary. The token file
continually execute the device login flow. Packer will ask for two device login prevents the need to continually execute the device login flow. Packer will ask
auth, one for service management endpoint and another for accessing temp for two device login auth, one for service management endpoint and another for
keyvault secrets that it creates. accessing temp keyvault secrets that it creates.
## Managed identities for Azure resources
-&gt; Managed identities for Azure resources is the new name for the service
formerly known as Managed Service Identity (MSI).
Managed identities is an alternative way to authorize in Azure Packer. Managed
identities for Azure resources are automatically managed by Azure and enable
you to authenticate to services that support Azure AD authentication without
needing to insert credentials into your buildfile. Navigate to
<a href="https://docs.microsoft.com/en-gb/azure/active-directory/managed-identities-azure-resources/overview"
class="uri">managed identities azure resources overview</a> to learn more about
this feature.
This feature will be used when no `subscription_id`, `client_id` or
`client_secret` is set in your buildfile.
## Install the Azure CLI ## Install the Azure CLI


@ -35,7 +35,7 @@ addition to the options listed here, a
[communicator](/docs/templates/communicator.html) can be configured for this [communicator](/docs/templates/communicator.html) can be configured for this
builder. builder.
### Required: ### Required ( unless instance has [managed identities](/docs/builders/azure-setup.html#managed-identities-for-azure-resources) enabled):
- `client_id` (string) The Active Directory service principal associated with - `client_id` (string) The Active Directory service principal associated with
your builder. your builder.
@ -48,6 +48,8 @@ builder.
specified in which case it needs to have owner access to the existing specified in which case it needs to have owner access to the existing
resource group specified in build\_resource\_group\_name parameter.** resource group specified in build\_resource\_group\_name parameter.**
### Required:
- `image_publisher` (string) PublisherName for your base image. See - `image_publisher` (string) PublisherName for your base image. See
[documentation](https://azure.microsoft.com/en-us/documentation/articles/resource-groups-vm-searching/) [documentation](https://azure.microsoft.com/en-us/documentation/articles/resource-groups-vm-searching/)
for details. for details.
@ -250,6 +252,7 @@ Providing `temp_resource_group_name` or `location` in combination with
type* - the target must be a *Managed Image*. type* - the target must be a *Managed Image*.
<!-- --> <!-- -->
"shared_image_gallery": { "shared_image_gallery": {
"subscription": "00000000-0000-0000-0000-00000000000", "subscription": "00000000-0000-0000-0000-00000000000",
"resource_group": "ResourceGroup", "resource_group": "ResourceGroup",