auth

package module
v0.5.12 Latest
Published: Jan 17, 2023 License: Apache-2.0 Imports: 17 Imported by: 967

README

NOTE: This module will go out of support by March 31, 2023. For authenticating with Azure AD, use module azidentity instead. For help migrating from auth to azidentity, please consult the migration guide. General information about the retirement of this and other legacy modules can be found here.

Authentication

Typical SDK operations must be authenticated and authorized. The autorest.Authorizer interface allows any auth style to be applied to requests, such as inserting an OAuth2 Authorization header carrying a bearer token received from Azure AD.

The SDK itself provides a simple way to get an authorizer which first checks for OAuth client credentials in environment variables and then falls back to Azure's Managed Service Identity when available, e.g. when running on an Azure VM. The following snippet demonstrates this helper.

import (
    "context"

    "github.com/Azure/go-autorest/autorest/azure/auth"
    // resource-provider client package; pick the API version your code targets
    "github.com/Azure/azure-sdk-for-go/services/network/mgmt/<api-version>/network"
)

// create a VirtualNetworks client
vnetClient := network.NewVirtualNetworksClient("<subscriptionID>")

// create an authorizer from env vars or Azure Managed Service Identity
authorizer, err := auth.NewAuthorizerFromEnvironment()
if err != nil {
    handle(err)
}

// every request the client sends now carries the bearer token
vnetClient.Authorizer = authorizer

// call the VirtualNetworks CreateOrUpdate API
vnetClient.CreateOrUpdate(context.Background(),
// ...

The following environment variables help determine authentication configuration:

  • AZURE_ENVIRONMENT: Specifies the Azure Environment to use. If not set, it defaults to AzurePublicCloud. Not applicable to authentication with Managed Service Identity (MSI).
  • AZURE_AD_RESOURCE: Specifies the AAD resource ID to use. If not set, it defaults to ResourceManagerEndpoint for operations with Azure Resource Manager. You can also choose an alternate resource programmatically with auth.NewAuthorizerFromEnvironmentWithResource(resource string).
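
The precedence described above has a failure mode worth checking for at startup: NewAuthorizerFromEnvironment() skips any credential whose variables are only partially set and keeps falling through, so a deployment that sets AZURE_CLIENT_ID and AZURE_TENANT_ID but never injects AZURE_CLIENT_SECRET does not fail; it silently runs as the host's managed identity, which may hold entirely different permissions. The following added example (not code from go-autorest) re-implements the documented selection order with the standard library only, so it runs offline, and reports which source would be chosen and which higher-priority sources were skipped as incomplete. The method names, the Selection type and the Explain/EnvFromOS helpers are this example's own.

```go
package main

import (
	"fmt"
	"os"
	"sort"
	"strings"
)

// The four credential sources NewAuthorizerFromEnvironment tries, in its
// documented order. These names are this example's own, not the SDK's.
const (
	MethodClientSecret      = "client credentials"
	MethodClientCertificate = "client certificate"
	MethodUsernamePassword  = "username/password"
	MethodMSI               = "managed identity (MSI)"
)

// requiredVars lists, per method, the variables that must all be non-empty
// for that method to be selected. AZURE_CERTIFICATE_PASSWORD is optional and
// therefore not listed.
var requiredVars = []struct {
	method string
	vars   []string
}{
	{MethodClientSecret, []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"}},
	{MethodClientCertificate, []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CERTIFICATE_PATH"}},
	{MethodUsernamePassword, []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_USERNAME", "AZURE_PASSWORD"}},
}

// Selection is the outcome of a dry run of the precedence rules.
type Selection struct {
	Method  string              // the source that would be used
	Partial map[string][]string // higher-priority sources skipped because variables were missing
}

// SelectAuthMethod applies the documented order to env (variable name -> value)
// and reports what would be chosen. It takes a map rather than reading the
// process environment so the logic can be exercised offline.
func SelectAuthMethod(env map[string]string) Selection {
	sel := Selection{Partial: map[string][]string{}}
	for _, rv := range requiredVars {
		var missing []string
		for _, v := range rv.vars {
			if strings.TrimSpace(env[v]) == "" {
				missing = append(missing, v)
			}
		}
		if len(missing) == 0 {
			sel.Method = rv.method
			return sel
		}
		if len(missing) < len(rv.vars) {
			// Some, but not all, variables set: the SDK silently moves on.
			sel.Partial[rv.method] = missing
		}
	}
	// Nothing complete: the SDK falls through to the host's managed identity.
	sel.Method = MethodMSI
	return sel
}

// EnvFromOS snapshots the variables this check cares about from the process
// environment.
func EnvFromOS() map[string]string {
	env := map[string]string{}
	for _, rv := range requiredVars {
		for _, v := range rv.vars {
			env[v] = os.Getenv(v)
		}
	}
	return env
}

// Explain renders a selection as a single log line. Only variable names are
// included, never values, so it is safe to log.
func Explain(sel Selection) string {
	var b strings.Builder
	fmt.Fprintf(&b, "auth: would use %s", sel.Method)
	methods := make([]string, 0, len(sel.Partial))
	for m := range sel.Partial {
		methods = append(methods, m)
	}
	sort.Strings(methods)
	for _, m := range methods {
		fmt.Fprintf(&b, "; %s skipped (missing %s)", m, strings.Join(sel.Partial[m], ", "))
	}
	return b.String()
}

func main() {
	// Live check of this process's environment.
	fmt.Println(Explain(SelectAuthMethod(EnvFromOS())))

	// Constructed environment: a deployment that set the service principal's
	// IDs but never injected the secret. The SDK would quietly use MSI instead.
	env := map[string]string{
		"AZURE_TENANT_ID": "00000000-0000-0000-0000-000000000000",
		"AZURE_CLIENT_ID": "11111111-1111-1111-1111-111111111111",
	}
	sel := SelectAuthMethod(env)
	fmt.Println(Explain(sel))
	if len(sel.Partial) > 0 {
		// Fail closed rather than let a half-configured principal degrade to MSI.
		fmt.Println("refusing to start: partially configured credential")
		os.Exit(1)
	}
}
```

Running this before calling auth.NewAuthorizerFromEnvironment() turns a silent identity swap into a startup failure with a log line that names the missing variable but never prints a value.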
More Authentication Details

This helper is the first and most recommended of several authentication options offered by the SDK, because it allows seamless use of both service principals and Azure Managed Service Identity. The other options are listed below.

Note: If you need to create a new service principal, run az ad sp create-for-rbac -n "<app_name>" in the azure-cli. See these docs for more info. Copy the new principal's ID, secret, and tenant ID for use in your app, or consider the --sdk-auth parameter for serialized output.

  • The auth.NewAuthorizerFromEnvironment() described above creates an authorizer from the first of the following configurations whose variables are all set. A configuration that is only partially set is skipped without error, so a missing secret or certificate path silently moves selection to the next option:

    1. **Client Credentials**: Azure AD Application ID and Secret.
    
        - `AZURE_TENANT_ID`: Specifies the Tenant to which to authenticate.
        - `AZURE_CLIENT_ID`: Specifies the app client ID to use.
        - `AZURE_CLIENT_SECRET`: Specifies the app secret to use.
    
    2. **Client Certificate**: Azure AD Application ID and X.509 Certificate.
    
        - `AZURE_TENANT_ID`: Specifies the Tenant to which to authenticate.
        - `AZURE_CLIENT_ID`: Specifies the app client ID to use.
        - `AZURE_CERTIFICATE_PATH`: Specifies the certificate Path to use.
        - `AZURE_CERTIFICATE_PASSWORD`: Specifies the certificate password to use.
    
    3. **Resource Owner Password**: Azure AD User and Password. This grant type is *not
       recommended*: it hands the user's plaintext password to the application, and it
       cannot complete sign-in for accounts subject to MFA or Conditional Access. Use
       device login instead if you need interactive login.
    
        - `AZURE_TENANT_ID`: Specifies the Tenant to which to authenticate.
        - `AZURE_CLIENT_ID`: Specifies the app client ID to use.
        - `AZURE_USERNAME`: Specifies the username to use.
        - `AZURE_PASSWORD`: Specifies the password to use.
    
    4. **Azure Managed Service Identity**: Delegate credential management to the
       platform. Requires that code is running in Azure, e.g. on a VM. All
       configuration is handled by Azure. See [Azure Managed Service
       Identity](https://docs.microsoft.com/azure/active-directory/msi-overview)
       for more details.
    
  • The auth.NewAuthorizerFromFile() method creates an authorizer using credentials from an auth file created by the Azure CLI. Follow these steps to utilize:

    1. Create a service principal and output an auth file using az ad sp create-for-rbac --sdk-auth > client_credentials.json.
    2. Set environment variable AZURE_AUTH_LOCATION to the path of the saved output file.
    3. Use the authorizer returned by auth.NewAuthorizerFromFile() in your client as described above.
  • The auth.NewAuthorizerFromCLI() method creates an authorizer which uses Azure CLI to obtain its credentials.

    The default audience being requested is https://management.azure.com (Azure ARM API). To specify your own audience, export AZURE_AD_RESOURCE as an environment variable. This is read by auth.NewAuthorizerFromCLI() and passed to Azure CLI to acquire the access token.

    For example, to request an access token for Azure Key Vault, export

    AZURE_AD_RESOURCE="https://vault.azure.net"
    
  • auth.NewAuthorizerFromCLIWithResource(AUDIENCE_URL_OR_APPLICATION_ID) - this method is self contained and does not require exporting environment variables. For example, to request an access token for Azure Key Vault:

    auth.NewAuthorizerFromCLIWithResource("https://vault.azure.net")
    

    To use NewAuthorizerFromCLI() or NewAuthorizerFromCLIWithResource(), follow these steps:

    1. Install Azure CLI v2.0.12 or later. Upgrade earlier versions.
    2. Use az login to sign in to Azure.

    If you receive an error, use az account get-access-token to verify access.

    If Azure CLI is not installed to the default directory, you may receive an error reporting that az cannot be found. Use the AzureCLIPath environment variable to define the Azure CLI installation folder.

    If you are signed in to Azure CLI using multiple accounts or your account has access to multiple subscriptions, you need to specify the specific subscription to be used. To do so, use:

    az account set --subscription <subscription-id>
    

    To verify the current account settings, use:

    az account list
    
  • Finally, you can use OAuth's Device Flow by calling auth.NewDeviceFlowConfig() and extracting the Authorizer as follows:

    config := auth.NewDeviceFlowConfig(clientID, tenantID)
    a, err := config.Authorizer()
    

Documentation

Constants

const (
	SubscriptionID          = "AZURE_SUBSCRIPTION_ID"
	TenantID                = "AZURE_TENANT_ID"
	AuxiliaryTenantIDs      = "AZURE_AUXILIARY_TENANT_IDS"
	ClientID                = "AZURE_CLIENT_ID"
	ClientSecret            = "AZURE_CLIENT_SECRET"
	CertificatePath         = "AZURE_CERTIFICATE_PATH"
	CertificatePassword     = "AZURE_CERTIFICATE_PASSWORD"
	Username                = "AZURE_USERNAME"
	Password                = "AZURE_PASSWORD"
	EnvironmentName         = "AZURE_ENVIRONMENT"
	Resource                = "AZURE_AD_RESOURCE"
	ActiveDirectoryEndpoint = "ActiveDirectoryEndpoint"
	ResourceManagerEndpoint = "ResourceManagerEndpoint"
	GraphResourceID         = "GraphResourceID"
	SQLManagementEndpoint   = "SQLManagementEndpoint"
	GalleryEndpoint         = "GalleryEndpoint"
	ManagementEndpoint      = "ManagementEndpoint"
)

The possible keys in the Values map.

Variables

This section is empty.

Functions

func NewAuthorizerFromCLI

func NewAuthorizerFromCLI() (autorest.Authorizer, error)

NewAuthorizerFromCLI creates an Authorizer configured from Azure CLI 2.0 for local development scenarios.

func NewAuthorizerFromCLIWithResource

func NewAuthorizerFromCLIWithResource(resource string) (autorest.Authorizer, error)

NewAuthorizerFromCLIWithResource creates an Authorizer configured from Azure CLI 2.0 for local development scenarios.
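
The README above explains that the CLI authorizers request a token for a specific audience (the default ARM resource, AZURE_AD_RESOURCE, or the resource argument here). A useful check before sending such a token is that its aud claim matches the resource it is about to go to: a token minted for https://management.azure.com is rejected by Key Vault, and a token obtained for one resource should never be forwarded to another. The following is an added example, not code from go-autorest. It inspects the token's claims without verifying the signature (only the resource server can do that, and the check is purely client-side hygiene), tolerates the trailing-slash difference that depends on how the resource was requested, and uses a constructed unsigned token so it runs offline; CheckAudience and MintUnsignedToken are this example's own names.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// claims holds the two claims this check inspects. aud is kept raw because the
// JWT spec allows either a string or an array of strings.
type claims struct {
	Aud json.RawMessage `json:"aud"`
	Exp int64           `json:"exp"`
}

// audiences normalises the aud claim to a slice.
func audiences(raw json.RawMessage) ([]string, error) {
	var one string
	if err := json.Unmarshal(raw, &one); err == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(raw, &many); err == nil {
		return many, nil
	}
	return nil, errors.New("aud claim missing or malformed")
}

// decodeClaims parses the payload of a compact JWS WITHOUT verifying the
// signature. That is intentional: this is a sanity check on a token the client
// itself just obtained; only the resource server validates it.
func decodeClaims(token string) (claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return claims{}, errors.New("not a compact JWS (expected 3 segments)")
	}
	raw, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return claims{}, fmt.Errorf("payload is not base64url: %w", err)
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return claims{}, fmt.Errorf("payload is not JSON: %w", err)
	}
	return c, nil
}

// CheckAudience fails unless the token was issued for resource and is still
// valid at now. Azure AD echoes the requested resource as aud, with or without
// a trailing slash depending on how it was asked for, so that is ignored.
func CheckAudience(token, resource string, now time.Time) error {
	c, err := decodeClaims(token)
	if err != nil {
		return err
	}
	auds, err := audiences(c.Aud)
	if err != nil {
		return err
	}
	if c.Exp != 0 && !now.Before(time.Unix(c.Exp, 0)) {
		return fmt.Errorf("token expired at %s", time.Unix(c.Exp, 0).UTC().Format(time.RFC3339))
	}
	want := strings.TrimSuffix(resource, "/")
	for _, a := range auds {
		if strings.TrimSuffix(a, "/") == want {
			return nil
		}
	}
	return fmt.Errorf("token audience %v does not match resource %q", auds, resource)
}

// MintUnsignedToken builds a constructed JWS for offline demonstration. The
// signature segment is a placeholder; nothing here produces a usable token.
func MintUnsignedToken(aud string, exp time.Time) string {
	enc := func(v interface{}) string {
		b, _ := json.Marshal(v)
		return base64.RawURLEncoding.EncodeToString(b)
	}
	header := map[string]string{"alg": "RS256", "typ": "JWT"}
	payload := map[string]interface{}{"aud": aud, "exp": exp.Unix()}
	return enc(header) + "." + enc(payload) + ".placeholder-signature"
}

func main() {
	now := time.Now()
	tok := MintUnsignedToken("https://vault.azure.net/", now.Add(time.Hour))
	for _, res := range []string{"https://vault.azure.net", "https://management.azure.com/"} {
		if err := CheckAudience(tok, res, now); err != nil {
			fmt.Printf("%s: REJECT (%v)\n", res, err)
		} else {
			fmt.Printf("%s: ok\n", res)
		}
	}
}
```

With a real token, the string to inspect is the accessToken field that az account get-access-token prints, or the OAuthToken() of the adal.ServicePrincipalToken the SDK returns; the check costs nothing and catches the common mistake of requesting a Key Vault token while AZURE_AD_RESOURCE still points at ARM.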

func NewAuthorizerFromEnvironment

func NewAuthorizerFromEnvironment() (autorest.Authorizer, error)

NewAuthorizerFromEnvironment creates an Authorizer configured from environment variables in the order: 1. Client credentials 2. Client certificate 3. Username password 4. MSI

func NewAuthorizerFromEnvironmentWithResource

func NewAuthorizerFromEnvironmentWithResource(resource string) (autorest.Authorizer, error)

NewAuthorizerFromEnvironmentWithResource creates an Authorizer configured from environment variables in the order: 1. Client credentials 2. Client certificate 3. Username password 4. MSI

func NewAuthorizerFromFile

func NewAuthorizerFromFile(resourceBaseURI string) (autorest.Authorizer, error)

NewAuthorizerFromFile creates an Authorizer configured from a configuration file, trying in order: 1. Client credentials 2. Client certificate. The path to the configuration file must be specified in the AZURE_AUTH_LOCATION environment variable. resourceBaseURI is used to determine the resource type.

func NewAuthorizerFromFileWithResource

func NewAuthorizerFromFileWithResource(resource string) (autorest.Authorizer, error)

NewAuthorizerFromFileWithResource creates an Authorizer configured from a configuration file, trying in order: 1. Client credentials 2. Client certificate. The path to the configuration file must be specified in the AZURE_AUTH_LOCATION environment variable.

Types

type AuthorizerConfig

type AuthorizerConfig interface {
	Authorizer() (autorest.Authorizer, error)
}

AuthorizerConfig provides an authorizer from the configuration provided.

type ClientCertificateConfig

type ClientCertificateConfig struct {
	ClientID            string
	CertificatePath     string
	CertificatePassword string
	TenantID            string
	AuxTenants          []string
	AADEndpoint         string
	Resource            string
}

ClientCertificateConfig provides the options to get a bearer authorizer from a client certificate.

func NewClientCertificateConfig

func NewClientCertificateConfig(certificatePath string, certificatePassword string, clientID string, tenantID string) ClientCertificateConfig

NewClientCertificateConfig creates a ClientCertificateConfig object configured to obtain an Authorizer through client certificate. Defaults to Public Cloud and Resource Manager Endpoint.

func (ClientCertificateConfig) Authorizer

func (ccc ClientCertificateConfig) Authorizer() (autorest.Authorizer, error)

Authorizer gets an authorizer object from client certificate.

func (ClientCertificateConfig) MultiTenantServicePrincipalToken added in v0.5.5

func (ccc ClientCertificateConfig) MultiTenantServicePrincipalToken() (*adal.MultiTenantServicePrincipalToken, error)

MultiTenantServicePrincipalToken creates a MultiTenantServicePrincipalToken from client certificate.

func (ClientCertificateConfig) ServicePrincipalToken

func (ccc ClientCertificateConfig) ServicePrincipalToken() (*adal.ServicePrincipalToken, error)

ServicePrincipalToken creates a ServicePrincipalToken from client certificate.

type ClientCredentialsConfig

type ClientCredentialsConfig struct {
	ClientID     string
	ClientSecret string
	TenantID     string
	AuxTenants   []string
	AADEndpoint  string
	Resource     string
}

ClientCredentialsConfig provides the options to get a bearer authorizer from client credentials.

func NewClientCredentialsConfig

func NewClientCredentialsConfig(clientID string, clientSecret string, tenantID string) ClientCredentialsConfig

NewClientCredentialsConfig creates a ClientCredentialsConfig object configured to obtain an Authorizer through Client Credentials. Defaults to Public Cloud and Resource Manager Endpoint.

func (ClientCredentialsConfig) Authorizer

func (ccc ClientCredentialsConfig) Authorizer() (autorest.Authorizer, error)

Authorizer gets the authorizer from client credentials.

func (ClientCredentialsConfig) MultiTenantServicePrincipalToken added in v0.2.0

func (ccc ClientCredentialsConfig) MultiTenantServicePrincipalToken() (*adal.MultiTenantServicePrincipalToken, error)

MultiTenantServicePrincipalToken creates a MultiTenantServicePrincipalToken from client credentials.

func (ClientCredentialsConfig) ServicePrincipalToken

func (ccc ClientCredentialsConfig) ServicePrincipalToken() (*adal.ServicePrincipalToken, error)

ServicePrincipalToken creates a ServicePrincipalToken from client credentials.

type DeviceFlowConfig

type DeviceFlowConfig struct {
	ClientID    string
	TenantID    string
	AADEndpoint string
	Resource    string
}

DeviceFlowConfig provides the options to get a bearer authorizer using device flow authentication.

func NewDeviceFlowConfig

func NewDeviceFlowConfig(clientID string, tenantID string) DeviceFlowConfig

NewDeviceFlowConfig creates a DeviceFlowConfig object configured to obtain an Authorizer through device flow. Defaults to Public Cloud and Resource Manager Endpoint.

func (DeviceFlowConfig) Authorizer

func (dfc DeviceFlowConfig) Authorizer() (autorest.Authorizer, error)

Authorizer gets the authorizer from device flow.

func (DeviceFlowConfig) ServicePrincipalToken

func (dfc DeviceFlowConfig) ServicePrincipalToken() (*adal.ServicePrincipalToken, error)

ServicePrincipalToken gets the service principal token from device flow.

type EnvironmentSettings

type EnvironmentSettings struct {
	Values      map[string]string
	Environment azure.Environment
}

EnvironmentSettings contains the available authentication settings.

func GetSettingsFromEnvironment

func GetSettingsFromEnvironment() (s EnvironmentSettings, err error)

GetSettingsFromEnvironment returns the available authentication settings from the environment.

func (EnvironmentSettings) GetAuthorizer

func (settings EnvironmentSettings) GetAuthorizer() (autorest.Authorizer, error)

GetAuthorizer creates an Authorizer configured from environment variables in the order: 1. Client credentials 2. Client certificate 3. Username password 4. MSI

func (EnvironmentSettings) GetClientCertificate

func (settings EnvironmentSettings) GetClientCertificate() (ClientCertificateConfig, error)

GetClientCertificate creates a config object from the available certificate credentials. An error is returned if no certificate credentials are available.

func (EnvironmentSettings) GetClientCredentials

func (settings EnvironmentSettings) GetClientCredentials() (ClientCredentialsConfig, error)

GetClientCredentials creates a config object from the available client credentials. An error is returned if no client credentials are available.

func (EnvironmentSettings) GetDeviceFlow

func (settings EnvironmentSettings) GetDeviceFlow() DeviceFlowConfig

GetDeviceFlow creates a device-flow config object from the available client and tenant IDs.

func (EnvironmentSettings) GetMSI

func (settings EnvironmentSettings) GetMSI() MSIConfig

GetMSI creates a MSI config object from the available client ID.

func (EnvironmentSettings) GetSubscriptionID

func (settings EnvironmentSettings) GetSubscriptionID() string

GetSubscriptionID returns the available subscription ID or an empty string.

func (EnvironmentSettings) GetUsernamePassword

func (settings EnvironmentSettings) GetUsernamePassword() (UsernamePasswordConfig, error)

GetUsernamePassword creates a config object from the available username/password credentials. An error is returned if no username/password credentials are available.

type FileSettings

type FileSettings struct {
	Values map[string]string
}

FileSettings contains the available authentication settings.

func GetSettingsFromFile

func GetSettingsFromFile() (FileSettings, error)

GetSettingsFromFile returns the available authentication settings from an Azure CLI authentication file.

func (FileSettings) ClientCertificateAuthorizer

func (settings FileSettings) ClientCertificateAuthorizer(baseURI string) (autorest.Authorizer, error)

ClientCertificateAuthorizer creates an authorizer from the available certificate credentials.

func (FileSettings) ClientCertificateAuthorizerWithResource

func (settings FileSettings) ClientCertificateAuthorizerWithResource(resource string) (autorest.Authorizer, error)

ClientCertificateAuthorizerWithResource creates an authorizer from the available certificate credentials and the specified resource.

func (FileSettings) ClientCredentialsAuthorizer

func (settings FileSettings) ClientCredentialsAuthorizer(baseURI string) (autorest.Authorizer, error)

ClientCredentialsAuthorizer creates an authorizer from the available client credentials.

func (FileSettings) ClientCredentialsAuthorizerWithResource

func (settings FileSettings) ClientCredentialsAuthorizerWithResource(resource string) (autorest.Authorizer, error)

ClientCredentialsAuthorizerWithResource creates an authorizer from the available client credentials and the specified resource.

func (FileSettings) GetAuthorizer added in v0.5.12

func (settings FileSettings) GetAuthorizer(resourceBaseURI string) (autorest.Authorizer, error)

GetAuthorizer creates an Authorizer, trying in order: 1. Client credentials 2. Client certificate. resourceBaseURI is used to determine the resource type.

func (FileSettings) GetSubscriptionID

func (settings FileSettings) GetSubscriptionID() string

GetSubscriptionID returns the available subscription ID or an empty string.

func (FileSettings) ServicePrincipalTokenFromClientCertificate

func (settings FileSettings) ServicePrincipalTokenFromClientCertificate(baseURI string) (*adal.ServicePrincipalToken, error)

ServicePrincipalTokenFromClientCertificate creates a ServicePrincipalToken from the available certificate credentials.

func (FileSettings) ServicePrincipalTokenFromClientCertificateWithResource

func (settings FileSettings) ServicePrincipalTokenFromClientCertificateWithResource(resource string) (*adal.ServicePrincipalToken, error)

ServicePrincipalTokenFromClientCertificateWithResource creates a ServicePrincipalToken from the available certificate credentials and the specified resource.

func (FileSettings) ServicePrincipalTokenFromClientCredentials

func (settings FileSettings) ServicePrincipalTokenFromClientCredentials(baseURI string) (*adal.ServicePrincipalToken, error)

ServicePrincipalTokenFromClientCredentials creates a ServicePrincipalToken from the available client credentials.

func (FileSettings) ServicePrincipalTokenFromClientCredentialsWithResource

func (settings FileSettings) ServicePrincipalTokenFromClientCredentialsWithResource(resource string) (*adal.ServicePrincipalToken, error)

ServicePrincipalTokenFromClientCredentialsWithResource creates a ServicePrincipalToken from the available client credentials and the specified resource.

type MSIConfig

type MSIConfig struct {
	Resource string
	ClientID string
}

MSIConfig provides the options to get a bearer authorizer through MSI.

func NewMSIConfig

func NewMSIConfig() MSIConfig

NewMSIConfig creates an MSIConfig object configured to obtain an Authorizer through MSI.

func (MSIConfig) Authorizer

func (mc MSIConfig) Authorizer() (autorest.Authorizer, error)

Authorizer gets the authorizer from MSI.

func (MSIConfig) ServicePrincipalToken added in v0.5.0

func (mc MSIConfig) ServicePrincipalToken() (*adal.ServicePrincipalToken, error)

ServicePrincipalToken creates a ServicePrincipalToken from MSI.

type UsernamePasswordConfig

type UsernamePasswordConfig struct {
	ClientID    string
	Username    string
	Password    string
	TenantID    string
	AADEndpoint string
	Resource    string
}

UsernamePasswordConfig provides the options to get a bearer authorizer from a username and a password.

func NewUsernamePasswordConfig

func NewUsernamePasswordConfig(username string, password string, clientID string, tenantID string) UsernamePasswordConfig

NewUsernamePasswordConfig creates a UsernamePasswordConfig object configured to obtain an Authorizer through username and password. Defaults to Public Cloud and Resource Manager Endpoint.

func (UsernamePasswordConfig) Authorizer

func (ups UsernamePasswordConfig) Authorizer() (autorest.Authorizer, error)

Authorizer gets the authorizer from a username and a password.

func (UsernamePasswordConfig) ServicePrincipalToken

func (ups UsernamePasswordConfig) ServicePrincipalToken() (*adal.ServicePrincipalToken, error)

ServicePrincipalToken creates a ServicePrincipalToken from username and password.
