azure-sdk-for-ruby

Support for Service Principal Certificate authentication

Open dsboulder opened this issue 6 years ago • 2 comments

Hi folks! We're trying to use ADFS authentication with this SDK, and I noticed that the ms-rest-azure component only seems to support authentication with client secrets, and not with certificates. I tried authing by passing the cert value (both private key and cert concatenated, which is what the CLI gives you when you run az ad sp --create-cert) in as the :client_secret, but it didn't work. Is this on the roadmap? Or is there something I'm missing?

dsboulder avatar Sep 18 '18 22:09 dsboulder

I also need the same functionality.

Are there plans to support it?

josh-barker avatar Jan 30 '19 23:01 josh-barker

For anyone else wondering how to do this, you can achieve this scenario by using the Active Directory Authentication Library (ADAL) for Ruby, getting a token using a certificate and then passing that token into the Azure KeyVault client. Here is a sample I got working.

Note I am using the ADAL fork from xamarin, as it fixes an issue that I was facing in the main library: https://github.com/xamarin/azure-activedirectory-library-for-ruby

Gemfile

```ruby
source 'https://rubygems.org'

gem 'azure_key_vault', '0.17.3'
gem 'adal', github: 'xamarin/azure-activedirectory-library-for-ruby', ref: '881caaee228cf945cd66e4d4be7763c34ab9efc2'
```

Sample

```ruby
#!/usr/bin/env ruby

require 'adal'
require 'openssl'
require 'azure_key_vault'

# For debugging
#ADAL::Logging.log_level = ADAL::Logger::VERBOSE

AUTHORITY_HOST = ADAL::Authority::WORLD_WIDE_AUTHORITY

CLIENT_ID = '<client id>'
RESOURCE = 'https://vault.azure.net'
TENANT = '<tenant name>'
PFX_PATH = '/path/to/cert.pfx'
# The PFX password comes from the environment, not from the script
PFX_PASSWORD = ENV['PFX_PASSWORD']

# A PFX is binary (DER), so read it in binary mode
pfx = OpenSSL::PKCS12.new(File.binread(PFX_PATH), PFX_PASSWORD)
authority = ADAL::Authority.new(AUTHORITY_HOST, TENANT)
# Certificate credential: ADAL signs a client assertion with the PFX private key
client_cred = ADAL::ClientAssertionCertificate.new(authority, CLIENT_ID, pfx)

# Client-credentials flow against the Key Vault resource
result = ADAL::AuthenticationContext.new(AUTHORITY_HOST, TENANT).acquire_token_for_client(RESOURCE, client_cred)

# Wrap the bearer token so the Key Vault client can use it
creds = MsRest::TokenCredentials.new result.access_token

kv = Azure::KeyVault::V7_0::KeyVaultClient.new creds

secret = kv.get_secret('https://<kv-name>.vault.azure.net/', '<secret name>', '<secret version>')

puts secret.value
```

Running

```
> bundle install
> chmod +x sample.rb
> PFX_PASSWORD=<your_pfx_password> bundle exec sample.rb
```

phillipleblanc avatar Sep 05 '19 12:09 phillipleblanc
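An added example, not part of the comment above and not ADAL's own code: certificate authentication sends a short-lived JWT signed with the private key instead of a secret, which is why pasting the key and certificate into `:client_secret` cannot work. The helper names, the `login.microsoftonline.com` v1 token endpoint as audience, the 10-minute lifetime, and the client id and tenant are assumptions; the key and certificate are constructed in the block.

```ruby
require 'openssl'
require 'json'
require 'securerandom'

# Constructed throwaway key and self-signed certificate (stand-in for the PFX).
def demo_credential
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=constructed-sp-demo')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

def b64url(bytes)
  [bytes].pack('m0').tr('+/', '-_').delete('=')
end

# RS256 JWT proving key possession; x5t (SHA-1 thumbprint) names the registered cert.
def client_assertion(key, cert, client_id, token_endpoint, now: Time.now.to_i)
  header = { alg: 'RS256', typ: 'JWT', x5t: b64url(OpenSSL::Digest.digest('SHA1', cert.to_der)) }
  claims = { aud: token_endpoint, iss: client_id, sub: client_id,
             jti: SecureRandom.uuid, nbf: now, exp: now + 600 }
  signing_input = [header, claims].map { |part| b64url(JSON.generate(part)) }.join('.')
  "#{signing_input}.#{b64url(key.sign(OpenSSL::Digest.new('SHA256'), signing_input))}"
end

# Form fields of the token request: the assertion takes the place of client_secret.
def token_request_form(assertion, resource)
  { 'grant_type' => 'client_credentials', 'resource' => resource,
    'client_assertion_type' => 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer',
    'client_assertion' => assertion }
end

# The check a token endpoint makes using only the registered public certificate.
def assertion_valid?(jwt, cert)
  head, body, sig = jwt.split('.')
  raw = (sig.tr('-_', '+/') + '=' * (-sig.length % 4)).unpack1('m')
  cert.public_key.verify(OpenSSL::Digest.new('SHA256'), raw, "#{head}.#{body}")
end

key, cert = demo_credential # constructed key; client id and tenant are placeholders
jwt = client_assertion(key, cert, 'constructed-client-id', 'https://login.microsoftonline.com/constructed-tenant/oauth2/token')
puts "verifies with registered cert: #{assertion_valid?(jwt, cert)}"
```

Only the signed assertion crosses the wire, so a captured token request exposes a credential that expires in minutes rather than the private key.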

Thank you for your interest in Azure SDKs. As detailed in this retirement announcement, this repo is no longer supported as of December 31st 2021. Please find the up-to-date list of languages and services supported with Azure SDKs here: https://aka.ms/azsdk

kurtzeborn avatar Jan 11 '23 03:01 kurtzeborn