Add support for workload identity in the Azure CosmosDB Key/Value impl
This PR adds the ability for the Azure CosmosDB KV store implementation to use ambient authentication (managed identity, workload identity, Azure CLI). The PR should not break existing users of the key authentication mechanism; it should only be additive. For more information about the Azure Rust SDK identity flows, check out: https://github.com/Azure/azure-sdk-for-rust/blob/main/sdk/identity/README.md.
Here is the associated infrastructure and sample application to demo this identity flow: https://github.com/devigned/spin-workload-id.
I'm opening this now to start getting feedback. I (or the identity SDK) also likely have a bug related to the authentication scope being passed to Entra (previously Azure Active Directory). I will sort that issue out and notify via the PR.
This work is related to https://github.com/spinkube/spin-operator/issues/252.
Also to note on this PR is that the changes will also allow users to run locally using the Azure CLI to authenticate to Azure CosmosDB. This could be a convenient way of testing / developing with Azure resources without needing to deploy to Azure.
The issue linked (az/rust#1593) is what needs to be resolved & verified prior to completing this PR.
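An added illustration, not code from this PR, from Spin, or from the Azure SDK for Rust: a self-contained Rust sketch of the additive credential selection described in the PR description. The `TokenCredential` trait, the config field names, the error type and the precedence rule (a configured key always wins over an ambient credential, so existing key users see no change) are assumptions made for the sketch; the real implementation goes through the azure_identity and azure_data_cosmos crates. The scope string is the one Cosmos DB expects in an Entra token, and the constructed fake credential refuses any other scope, which mirrors the class of scope problem mentioned above.

```rust
use std::fmt;

/// Resource scope Cosmos DB expects in an Entra (formerly Azure AD) access
/// token; the `/.default` suffix requests the app's consented permissions.
pub const COSMOS_SCOPE: &str = "https://cosmos.azure.com/.default";

/// Stand-in for the SDK's credential trait (assumption for this sketch).
/// Managed identity, workload identity and Azure CLI credentials all
/// present this shape: ask for scopes, get a token or an error.
pub trait TokenCredential {
    fn get_token(&self, scopes: &[&str]) -> Result<String, AuthError>;
}

#[derive(Debug, PartialEq)]
pub enum AuthError {
    /// No key configured and no ambient credential available: fail closed.
    NoCredential,
    /// The credential was asked for a scope it cannot issue a token for.
    WrongScope(String),
}

impl fmt::Display for AuthError {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        match self {
            AuthError::NoCredential => {
                write!(f, "no key configured and no ambient credential found")
            }
            AuthError::WrongScope(s) => write!(f, "credential refused scope(s): {s}"),
        }
    }
}

/// Store configuration as a user would write it (hypothetical field names).
/// `key` is what existing users already set; omitting it opts into ambient auth.
pub struct CosmosConfig {
    pub account: String,
    pub key: Option<String>,
}

/// What the store ends up attaching to each request.
#[derive(Debug, PartialEq)]
pub enum Authorization {
    PrimaryKey(String),
    Bearer(String),
}

/// Assumed precedence: a configured key always wins, so the change is purely
/// additive for existing users; otherwise obtain a Cosmos-scoped token from
/// the ambient credential; with neither, return an error rather than
/// attempting an unauthenticated request.
pub fn select_auth(
    cfg: &CosmosConfig,
    ambient: Option<&dyn TokenCredential>,
) -> Result<Authorization, AuthError> {
    if let Some(key) = &cfg.key {
        return Ok(Authorization::PrimaryKey(key.clone()));
    }
    let cred = ambient.ok_or(AuthError::NoCredential)?;
    let token = cred.get_token(&[COSMOS_SCOPE])?;
    Ok(Authorization::Bearer(token))
}

/// Constructed fake credential. It mimics one behaviour that matters here:
/// a token is only issued for the Cosmos scope, so asking for the wrong
/// scope surfaces as an error instead of a token the service would reject.
pub struct FakeAmbientCredential;

impl TokenCredential for FakeAmbientCredential {
    fn get_token(&self, scopes: &[&str]) -> Result<String, AuthError> {
        match scopes {
            [s] if *s == COSMOS_SCOPE => Ok("eyJ.constructed.token".to_string()),
            other => Err(AuthError::WrongScope(other.join(" "))),
        }
    }
}

fn main() {
    // Existing user: key configured, ambient credential is ignored.
    let with_key = CosmosConfig { account: "acct".into(), key: Some("base64key==".into()) };
    println!("{:?}", select_auth(&with_key, Some(&FakeAmbientCredential)));

    // New user: no key, ambient credential (e.g. after `az login`) supplies a token.
    let ambient_only = CosmosConfig { account: "acct".into(), key: None };
    println!("{:?}", select_auth(&ambient_only, Some(&FakeAmbientCredential)));

    // Misconfiguration: neither available, so the store refuses to start.
    match select_auth(&ambient_only, None) {
        Err(e) => println!("error: {e}"),
        Ok(a) => println!("{a:?}"),
    }
}
```

The fail-closed branch is the check worth keeping when wiring the real SDK in: a missing key must not silently fall through to an unauthenticated request, and a scope rejection from the credential should be reported as such rather than retried.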
Ok, with https://github.com/Azure/azure-sdk-for-rust/pull/1678 this works as expected. Currently, I am pointing at my fixed branch of the Azure SDK for Rust. Do we want to delay this getting merged until the Azure Rust SDK merges the fix?
The fix to the Azure SDK for Rust has been merged and I've updated this PR to point at the ref of that change in main. I believe this PR is ready for review.
@devigned I think you have some clippies (and autoformats maybe?) that are unrelated to the changes. I believe these are already picked up in #2569 so you'll probably need to rebase.
This is looking great, @devigned! Thanks for the contribution!
@devigned What's the status of this? I believe we're keen for it if you still have bandwidth - is it just the review nits and the lints?
Sorry, I got pulled away. I'll address the feedback and get it updated today. Thank you for your patience.
@itowlson I believe this is ready for review. I'm going to start work on the Key Vault integration to do the same thing.
@devigned You'll need to run make update-cargo-locks to get CI to pass. (This happens because new/changed dependencies in the trigger crate need to feed through into the lockfile for the custom trigger example.)
Integration test failure seems unrelated (it's hitting one of my PRs too).