
[Feature] Enable certificate-based authentication with login with Service principal

Open abikouo opened this issue 2 years ago • 10 comments

SUMMARY

Enable authentication with x509 certificate for Service principals, instead of a password.

ISSUE TYPE
  • Feature Pull Request

abikouo avatar Jun 28 '22 12:06 abikouo

The code LGTM. I don't see how we would enable tests for this feature though. @abikouo, have you been able to manually test this change?

Hey @jillr thanks for the feedback, the feature has been tested manually, however, to add a target into the integration we need to update the collection with the possibility to create a certificate into key vault and update azure_rm_adserviceprincipal in order to create a service principal with certificate.

abikouo avatar Jun 30 '22 09:06 abikouo

@abikouo Also, the way you currently get credentials is only for the Track1 SDK, can you add a solution that supports the Track2 SDK? Thank you very much!

Fred-sun avatar Jul 26 '22 02:07 Fred-sun

Support for Track2 added, however, the x509_certificate type has been turned to path in order to avoid the creation of a temporary file to call Track2 credentials API

abikouo avatar Jul 26 '22 15:07 abikouo

@abikouo Ok, I will retest the two methods and feed the results back to you!

Fred-sun avatar Jul 26 '22 15:07 Fred-sun

@abikouo Have you tested the Track2 SDK process? In my local tests, the Track2 certificate reported an error with the error message "ValueError: Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate? \n ",

Can you try this locally? Thank you very much!

Fred-sun avatar Jul 27 '22 01:07 Fred-sun

I have tested it using the module azure_rm_containerregistrytag_info, which is using the Track2 SDK. Here is the playbook:

```yaml
- hosts: localhost
  gather_facts: no

  collections:
  - azure.azcollection

  tasks:
    - name: Module using Track2 credentials
      azure_rm_containerregistrytag_info:
        registry: myregistry
        repository_name: reponame
        name: local
        subscription_id: xxxxxxxxxxxxxxxxxxxxxxxxxx
        x509_certificate_path: certificate.pem
        thumbprint: xxxxxxxxxxxxxxxxxxxxxxxxx
        tenant: xxxxxxxxxxxxxxxxxxxxxxxxxxx
        client_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
```

with certificate.pem as below:

```text
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDdYyVFAqOvoswy
DkNtaIIL/4zuZIU5mgKVyxjx7l/Ws3Odl5VayElpPzD/wbcIcHnQJa199d8zPOYl
uCKR/Xp9eFZuu60xhRiMr5Mz6si1UWA+kQXKuzWUtTJ4IEVDPJaG8w7XLUt/hRis
t2GLHL0Qynmawi50Hab+xBc3X81J+3ypW9bQcV9mS9MFcrGAfEzb8GA6XJiwsrB+
(...)
DTD1mGprXBBMtJkUL/HoRZMXNh4dTp5f3XW3FbWuOONpgFZCBp8ryhyjUDYeXl/j
8o//L2XdH52c45cE5e/cpu0Tp4GMe99+dmTDUFHej2jgaGSZBiZwLjY8yoWpRZee
P7K/Wbfu7rDbwrwVHACUk3E=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDMDCCAhigAwIBAgIQek6D1N+6QCuh1CnDnk+a/zANBgkqhkiG9w0BAQsFADAV
MRMwEQYDVQQDEwpyZWRoYXQuY29tMB4XDTIyMDYyNzE0MTcxOFoXDTIzMDYyNzE0
MjcxOFowFTETMBEGA1UEAxMKcmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
(...)
UdKqBVbhmkVMk4vazWZCjMAZsL9UAnT8zIubMZjnURtPoWoqF8oI3t55+q6QtKsp
HT//Hx8pIApESuSQ9hjUyWgE4ROaG/KpRU1XTo0iEk0WecMLVtRFuFK7h3R/r6Tm
FB/I0Q==
-----END CERTIFICATE-----
```

abikouo avatar Jul 27 '22 10:07 abikouo
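The error quoted earlier in this thread ("Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters") is the symptom of a PEM file that lacks one of the two sections the Track2 path expects in a single file, as the `certificate.pem` above shows (private key block followed by certificate block). The following pre-flight check is an added example, not code from this PR or from the azure.azcollection project: it parses the PEM blocks with the standard library only, reports which section is missing before the credential object is ever built, and derives the upper-case SHA-1 thumbprint of the certificate's DER encoding, which is the value the `thumbprint` parameter in the playbook carries. The sample PEM bodies are constructed placeholder bytes, not real key or certificate material.

```python
"""Sanity-check a combined PEM file before using it for certificate-based
service-principal login. Added example; not code from this PR or from the
azure.azcollection project."""
import base64
import hashlib
import re

# One PEM block: "-----BEGIN <LABEL>-----", base64 body, matching "-----END <LABEL>-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def parse_pem_blocks(pem_text):
    """Return [(label, der_bytes), ...] for every well-formed block in the text.
    Raises ValueError when a block body is not valid base64."""
    blocks = []
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        # validate=True rejects stray characters instead of silently skipping them
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def validate_credential_pem(pem_text):
    """Check that the file carries both a certificate and a private key.

    Returns a dict: ok (bool), error (str or None), certificates, private_keys,
    thumbprint (upper-case hex SHA-1 of the first certificate's DER, the form
    Azure displays and the Track1 code path takes as the thumbprint parameter)."""
    result = {"ok": False, "error": None, "certificates": 0, "private_keys": 0, "thumbprint": None}
    try:
        blocks = parse_pem_blocks(pem_text)
    except ValueError as exc:
        result["error"] = "PEM block body is not valid base64: %s" % exc
        return result
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY")]
    result["certificates"], result["private_keys"] = len(certs), len(keys)
    if not certs:
        # Same condition the error message quoted in the thread describes.
        result["error"] = ("Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE "
                           "delimiters. Are you sure this is a certificate?")
        return result
    if not keys:
        result["error"] = "certificate present but no PRIVATE KEY block; the Track2 path needs both in one file"
        return result
    result["thumbprint"] = hashlib.sha1(certs[0]).hexdigest().upper()
    result["ok"] = True
    return result


def pem_block(label, raw):
    """Wrap raw bytes as a PEM block with 64-character lines (helper for the samples)."""
    b64 = base64.b64encode(raw).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)


# Constructed sample input: placeholder bytes, not real key or certificate DER,
# so these files cannot authenticate anywhere.
SAMPLE_KEY_ONLY = pem_block("PRIVATE KEY", b"constructed placeholder private key")
SAMPLE_COMBINED = SAMPLE_KEY_ONLY + pem_block("CERTIFICATE", b"constructed placeholder certificate")

if __name__ == "__main__":
    for name, text in (("key only", SAMPLE_KEY_ONLY), ("key + certificate", SAMPLE_COMBINED)):
        print(name, "->", validate_credential_pem(text))
```

Running the check on the key-only sample returns the same "no BEGIN CERTIFICATE/END CERTIFICATE delimiters" complaint as the thread's error, while the combined sample passes and yields the thumbprint; the order of the two blocks in the file does not matter to the check, and a body with stray characters is reported as invalid base64 rather than silently truncated.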

@abikouo Could you please share with us how you got your certificate? If you created it yourself, share how you created it? Thank you very much!

Fred-sun avatar Jul 28 '22 01:07 Fred-sun

@Fred-sun the certificate has been created on Azure key vault as described here: https://docs.microsoft.com/en-us/azure/key-vault/certificates/create-certificate-signing-request?tabs=azure-portal

abikouo avatar Jul 28 '22 10:07 abikouo

@Fred-sun any updates on this request? I've reached out to Mark about this one to see what else you may need from the Ansible team to help align this request.

scottharwell avatar Sep 29 '22 15:09 scottharwell

@scottharwell We have conducted repeated tests internally, and the official creation can only be applied to SDK1. SDK2 has some problems and is still under discussion. I will reply to you as soon as possible after the holiday! Thank you very much!

Fred-sun avatar Sep 30 '22 01:09 Fred-sun

LGTM 🚢

xuzhang3 avatar Oct 27 '22 08:10 xuzhang3