Issue Description
In environments where both Managed Identity and Azure CLI credentials are available (e.g., systems with Azure Arc connectivity utilizing a Managed Identity), it appears that accessing Azure Key Vault via notation-azure-kv defaults to using the Managed Identity for authentication, ignoring Azure CLI credentials. This behavior limits flexibility in scenarios where it might be necessary or desirable to use Azure CLI credentials for Key Vault access instead of the Managed Identity.
Proposed Solution
Introduce functionality to explicitly specify the desired authentication method when accessing Azure Key Vault. This enhancement would allow users to override the default behavior (Managed Identity precedence) and select between Managed Identity or Azure CLI credentials. It would be great if we can specify this via plugin arguments:
If no authentication_method argument is specified, the default behaviour where managedidentity has precedence is preferred, particularly for pipeline automation.
erwinkersten changed the title from "Feature Request: Option to SpecifyAuthentication Method for Key Vault Access" to "Feature Request: Option to Specify Authentication Method for Key Vault Access" on Feb 23, 2024
I second this. We are currently blocked by this due to notation-azure-kv attempting to use the managed identity of our build machines which are part of a different tenant than the key vault we are attempting to use for signing. We use the Azure CLI and even setting the subscription context right before calling notation-azure-kv does not help.
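The selection behaviour requested in this thread, as an added Go sketch that is not notation-azure-kv code: an explicit `authentication_method` pins one identity and never falls back, while an empty value keeps Managed Identity first. The `Credential` type, the `azurecli` value, the tenant names and the host map are constructed stand-ins, not Azure SDK types or real plugin arguments.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Credential models one token source on the host (constructed stand-in,
// not an Azure SDK type). Available is false when it cannot issue a token.
type Credential struct {
	Method    string
	Tenant    string
	Available bool
}

// defaultOrder mirrors the behaviour reported in the issue: Managed Identity first.
var defaultOrder = []string{"managedidentity", "azurecli"}

// SelectCredential picks the identity for a Key Vault call. The
// "authentication_method" key is the argument proposed in the issue (hypothetical).
func SelectCredential(pluginConfig map[string]string, host map[string]Credential) (Credential, error) {
	method := strings.ToLower(strings.TrimSpace(pluginConfig["authentication_method"]))
	if method == "" {
		// No override: the first available source wins, even in the wrong tenant.
		for _, m := range defaultOrder {
			if c, ok := host[m]; ok && c.Available {
				return c, nil
			}
		}
		return Credential{}, errors.New("no credential available")
	}
	for _, m := range defaultOrder {
		if m == method {
			if c, ok := host[m]; ok && c.Available {
				return c, nil
			}
			// An explicit choice never silently falls back to another identity.
			return Credential{}, fmt.Errorf("%s requested but not available", m)
		}
	}
	return Credential{}, fmt.Errorf("unsupported authentication_method %q", method)
}

func main() {
	// Constructed host: managed identity in the build tenant, CLI login in the vault tenant.
	host := map[string]Credential{
		"managedidentity": {"managedidentity", "build-tenant", true},
		"azurecli":        {"azurecli", "vault-tenant", true},
	}
	def, _ := SelectCredential(nil, host)
	cli, _ := SelectCredential(map[string]string{"authentication_method": "azurecli"}, host)
	fmt.Println("default:", def.Method, def.Tenant, "| override:", cli.Method, cli.Tenant)
}
```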