azure
[Feature] Enable certificate-based authentication with login with Service principal
SUMMARY
Enable authentication with x509 certificate for Service principals, instead of a password.
ISSUE TYPE
- Feature Pull Request
The code LGTM. I don't see how we would enable tests for this feature though, @abikouo have you been able to manually test this change?
Hey @jillr thanks for the feedback, the feature has been tested manually, however, to add a target into the integration we need to update the collection with the possibility to create a certificate into key vault and update azure_rm_adserviceprincipal in order to create a service principal with certificate.
@abikouo Also, the way you currently get credentials is only for the Track1 SDK, can you add a solution that supports the Track2 SDK? Thank you very much!
Support for Track2 added, however, the x509_certificate type has been turned to path in order to avoid the creation of a temporary file to call Track2 credentials API
@abikouo Ok, I will retest the two methods and feedback the results to you!
@abikouo Have you tested the Track2 SDK process? In my local tests, the Track2 certificate reported an error with the error message "ValueError: Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters. Are you sure this is a certificate? \n ", Can you try this locally? Thank you very much!
I have tested it using the module azure_rm_containerregistrytag_info which is using Track2 SDK. Here is the playbook
```yaml
- hosts: localhost
  gather_facts: no
  collections:
    - azure.azcollection
  tasks:
    - name: Module using Track2 credentials
      azure_rm_containerregistrytag_info:
        registry: myregistry
        repository_name: reponame
        name: local
        subscription_id: xxxxxxxxxxxxxxxxxxxxxxxxxx
        x509_certificate_path: certificate.pem
        thumbprint: xxxxxxxxxxxxxxxxxxxxxxxxx
        tenant: xxxxxxxxxxxxxxxxxxxxxxxxxxx
        client_id: xxxxxxxxxxxxxxxxxxxxxxxxxxxx
```
with certificate.pem as below:
```
-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDdYyVFAqOvoswy
DkNtaIIL/4zuZIU5mgKVyxjx7l/Ws3Odl5VayElpPzD/wbcIcHnQJa199d8zPOYl
uCKR/Xp9eFZuu60xhRiMr5Mz6si1UWA+kQXKuzWUtTJ4IEVDPJaG8w7XLUt/hRis
t2GLHL0Qynmawi50Hab+xBc3X81J+3ypW9bQcV9mS9MFcrGAfEzb8GA6XJiwsrB+
(...)
DTD1mGprXBBMtJkUL/HoRZMXNh4dTp5f3XW3FbWuOONpgFZCBp8ryhyjUDYeXl/j
8o//L2XdH52c45cE5e/cpu0Tp4GMe99+dmTDUFHej2jgaGSZBiZwLjY8yoWpRZee
P7K/Wbfu7rDbwrwVHACUk3E=
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
MIIDMDCCAhigAwIBAgIQek6D1N+6QCuh1CnDnk+a/zANBgkqhkiG9w0BAQsFADAV
MRMwEQYDVQQDEwpyZWRoYXQuY29tMB4XDTIyMDYyNzE0MTcxOFoXDTIzMDYyNzE0
MjcxOFowFTETMBEGA1UEAxMKcmVkaGF0LmNvbTCCASIwDQYJKoZIhvcNAQEBBQAD
(...)
UdKqBVbhmkVMk4vazWZCjMAZsL9UAnT8zIubMZjnURtPoWoqF8oI3t55+q6QtKsp
HT//Hx8pIApESuSQ9hjUyWgE4ROaG/KpRU1XTo0iEk0WecMLVtRFuFK7h3R/r6Tm
FB/I0Q==
-----END CERTIFICATE-----
```
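The "Valid PEM but no BEGIN CERTIFICATE/END CERTIFICATE delimiters" error above comes from a PEM file that carries only the private key. A pre-flight check like the following, added here as an illustration and not part of the azcollection code, verifies with the standard library alone that the file at `x509_certificate_path` holds both a private key and a certificate, and that the `thumbprint` configured for the service principal is the SHA-1 of that certificate's DER bytes (the form Azure uses for app credential thumbprints). The PEM samples are constructed placeholders, not real keys or certificates.

```python
import base64
import hashlib
import re

# One PEM block: "-----BEGIN <label>-----" ... "-----END <label>-----"
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

# Constructed placeholders: the bodies are not real DER, they only exercise the parser.
GOOD_PEM = """-----BEGIN PRIVATE KEY-----
AQID
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""
# The failing case from the thread: key present, certificate block missing.
KEY_ONLY_PEM = """-----BEGIN PRIVATE KEY-----
AQID
-----END PRIVATE KEY-----
"""


def pem_blocks(pem_text):
    """Return [(label, der_bytes), ...] for every block in a PEM file."""
    blocks = []
    for match in PEM_BLOCK.finditer(pem_text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        blocks.append((label, der))
    return blocks


def check_service_principal_pem(pem_text, expected_thumbprint=None):
    """Report whether the PEM is usable for certificate login and, if a
    thumbprint is configured, whether it matches the embedded certificate."""
    blocks = pem_blocks(pem_text)
    labels = [label for label, _ in blocks]
    result = {
        "has_private_key": any(label.endswith("PRIVATE KEY") for label in labels),
        "has_certificate": "CERTIFICATE" in labels,
        "thumbprint": None,
        "thumbprint_matches": None,
        "problems": [],
    }
    if not result["has_private_key"]:
        result["problems"].append("no PRIVATE KEY block: key must be in the same file")
    if not result["has_certificate"]:
        result["problems"].append("no BEGIN CERTIFICATE/END CERTIFICATE block")
        return result
    cert_der = next(der for label, der in blocks if label == "CERTIFICATE")
    # Azure app credential thumbprints are the SHA-1 of the DER-encoded certificate.
    result["thumbprint"] = hashlib.sha1(cert_der).hexdigest().upper()
    if expected_thumbprint is not None:
        configured = expected_thumbprint.replace(":", "").upper()
        result["thumbprint_matches"] = configured == result["thumbprint"]
        if not result["thumbprint_matches"]:
            result["problems"].append("thumbprint does not match the certificate in the file")
    return result
```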
@abikouo Could you please share with us how you got your certificate? If you created it yourself, share how you created it? Thank you very much!
@Fred-sun the certificate has been created on Azure key vault as described here: https://docs.microsoft.com/en-us/azure/key-vault/certificates/create-certificate-signing-request?tabs=azure-portal
@Fred-sun any updates on this request? I've reached out to Mark about this one to see what else you may need from the Ansible team to help align this request.
@scottharwell We have conducted repeated tests internally, and the official creation can only be applied to SDK1. SDK2 has some problems and is still under discussion. I will reply to you as soon as possible after the holiday! Thank you very much!
LGTM 🚢