
Feature Request: Option to Specify Authentication Method for Key Vault Access #155

Closed
erwinkersten opened this issue Feb 23, 2024 · 5 comments
Labels: enhancement (New feature or request)

@erwinkersten

erwinkersten commented Feb 23, 2024

Issue Description
In environments where both Managed Identity and Azure CLI credentials are available (e.g., systems with Azure Arc connectivity utilizing a Managed Identity), it appears that accessing Azure Key Vault via notation-azure-kv defaults to using the Managed Identity for authentication, ignoring Azure CLI credentials. This behavior limits flexibility in scenarios where it might be necessary or desirable to use Azure CLI credentials for Key Vault access instead of the Managed Identity.

Proposed Solution
Introduce functionality to explicitly specify the desired authentication method when accessing Azure Key Vault. This enhancement would allow users to override the default behavior (Managed Identity precedence) and select between Managed Identity or Azure CLI credentials. It would be great if we can specify this via plugin arguments:

--plugin-config authentication_method=azurecli   
--plugin-config authentication_method=managedidentity

If no authentication_method argument is specified, the default behaviour where managedidentity has precedence is preferred, particularly for pipeline automation.

@erwinkersten erwinkersten changed the title "Feature Request: Option to SpecifyAuthentication Method for Key Vault Access" to "Feature Request: Option to Specify Authentication Method for Key Vault Access" Feb 23, 2024
@rennerg

rennerg commented Feb 29, 2024

I second this. We are currently blocked by this due to notation-azure-kv attempting to use the managed identity of our build machines which are part of a different tenant than the key vault we are attempting to use for signing. We use the Azure CLI and even setting the subscription context right before calling notation-azure-kv does not help.

@yizha1 yizha1 added the enhancement New feature or request label Feb 29, 2024
@yizha1
Collaborator

yizha1 commented Feb 29, 2024

Thanks @erwinkersten and @rennerg. We will need some time to solve this issue, would you mind trying EnvironmentCredential to unblock you?

This current behavior is per the API (see https://learn.microsoft.com/en-us/dotnet/api/azure.identity.managedidentitycredential?view=azure-dotnet). The order is as follows, so managed identity in your case is always selected:

EnvironmentCredential
WorkloadIdentityCredential
ManagedIdentityCredential
SharedTokenCacheCredential
VisualStudioCredential
VisualStudioCodeCredential
AzureCliCredential
AzurePowerShellCredential
AzureDeveloperCliCredential
InteractiveBrowserCredential

/cc @shizhMSFT @JeyJeyGao

@akashsinghal

akashsinghal commented Mar 3, 2024

#154 will also benefit from this work as a workaround

@yizha1 yizha1 modified the milestones: 1.0.3, 1.1.0 Mar 6, 2024
@rennerg

rennerg commented Mar 14, 2024

I was able to get around this by setting these environment variables right before calling notation sign:

  • AZURE_TENANT_ID
  • AZURE_CLIENT_ID
  • AZURE_CLIENT_SECRET
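To make the chain order quoted above and the environment-variable workaround concrete, here is an added Go model (not notation-azure-kv's code and not the azidentity SDK) of how DefaultAzureCredential picks a source and how an explicit selector would bypass it. The `credential_type` key and the selector values `environment`, `managedidentity` and `azurecli` are assumptions for illustration, not the options defined in #157.

```go
package main

import "fmt"

// Host models which credential sources answer on a machine. This is a
// constructed model of DefaultAzureCredential probing, not the azidentity SDK.
type Host struct {
	Env       map[string]string // process environment
	ManagedID bool              // IMDS / Azure Arc identity endpoint reachable
	AzureCLI  bool              // an `az login` session exists
}

// envReady mirrors EnvironmentCredential: usable only when all three service-principal variables are set.
func envReady(env map[string]string) bool {
	return env["AZURE_TENANT_ID"] != "" && env["AZURE_CLIENT_ID"] != "" && env["AZURE_CLIENT_SECRET"] != ""
}

// source is one chain member: its selector value, SDK type name, and availability.
type source struct{ key, name string; ready bool }

// chain lists the members relevant to this thread in the documented order (others omitted).
func chain(h Host) []source {
	return []source{
		{"environment", "EnvironmentCredential", envReady(h.Env)},
		{"managedidentity", "ManagedIdentityCredential", h.ManagedID},
		{"azurecli", "AzureCliCredential", h.AzureCLI},
	}
}

// ResolveCredential honours an explicit selector first and only walks the chain when none
// is given. The key "credential_type" and its values are assumptions, not the #157 options.
func ResolveCredential(cfg map[string]string, h Host) (string, error) {
	want := cfg["credential_type"]
	known := false
	for _, s := range chain(h) {
		if want == "" && s.ready {
			return s.name, nil // default: first ready member wins (why MI beats az login)
		}
		if want == s.key {
			known = true
			if s.ready {
				return s.name, nil // explicit: use it even if an earlier member is ready
			}
		}
	}
	if want != "" && !known {
		return "", fmt.Errorf("unknown credential_type %q", want)
	}
	return "", fmt.Errorf("no usable credential source on this host")
}
```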

@JeyJeyGao
Collaborator

A new credential_type selection feature was introduced in #157, resolving the issue.
