auth

package
v1.5.2 (not the latest version of this module)
Published: Apr 18, 2024 License: MIT Imports: 15 Imported by: 0

Documentation

Index

Constants

const (

	// For Azure AD Workload Identity, the audience recommended for use is
	// "api://AzureADTokenExchange"
	DefaultTokenAudience = "api://AzureADTokenExchange" //nolint
)

Variables

var (
	// ErrServiceAccountTokensNotFound is returned when the service account token is not found
	ErrServiceAccountTokensNotFound = errors.New("service account tokens not found")
)

Functions

func ParseServiceAccountToken added in v1.1.0

func ParseServiceAccountToken(saTokens string) (string, error)

ParseServiceAccountToken extracts the bound service account token for the api://AzureADTokenExchange audience from the tokens the driver passes as part of the MountRequest (the csi.storage.k8s.io/serviceAccount.tokens volume attribute, a JSON object keyed by audience). It returns ErrServiceAccountTokensNotFound when no token for that audience is present. ref: https://kubernetes-csi.github.io/docs/token-requests.html

Types

type Config

type Config struct {
	// UsePodIdentity is set to true if access mode is using aad-pod-identity
	UsePodIdentity bool
	// UseVMManagedIdentity is set to true if access mode is using managed identity
	UseVMManagedIdentity bool
	// UserAssignedIdentityID is the user-assigned managed identity clientID
	UserAssignedIdentityID string
	// AADClientSecret is the client secret for SP access mode
	AADClientSecret string
	// AADClientID is the clientID for SP access mode
	AADClientID string
	// WorkloadIdentityClientID is the clientID for workload identity
	// this clientID can be an Azure AD Application or a Managed identity
	// NOTE: workload identity federation with managed identity is currently not supported
	WorkloadIdentityClientID string
	// WorkloadIdentityToken is the service account token for workload identity
	// this token will be exchanged for an Azure AD Token based on the federated identity credential
	// this service account token is associated with the workload requesting the volume mount
	WorkloadIdentityToken string
}

Config holds the parameters that select and drive an access mode: aad-pod-identity, VM managed identity, a service principal client ID and secret, or workload identity (client ID plus the projected service account token to exchange).

func NewConfig

func NewConfig(
	usePodIdentity,
	useVMManagedIdentity bool,
	userAssignedIdentityID,
	workloadIdentityClientID,
	workloadIdentityToken string,
	secrets map[string]string) (Config, error)

NewConfig builds an auth Config from the mount parameters and the secrets map, which supplies the service principal client ID and client secret for SP access mode.

func (Config) GetCredential added in v1.5.0

func (c Config) GetCredential(podName, podNamespace, resource, aadEndpoint, tenantID, nmiPort string) (azcore.TokenCredential, error)

GetCredential returns the Azure credential (an azcore.TokenCredential) for the access mode selected by the auth config. aadEndpoint and tenantID identify the Azure AD authority and resource is the audience of the token to request; podName, podNamespace and nmiPort are only used on the aad-pod-identity path, where the token is fetched from the NMI endpoint on the node (see PodIdentityResponse).

type PodIdentityResponse added in v1.5.0

type PodIdentityResponse struct {
	Token    adal.Token `json:"token"`
	ClientID string     `json:"clientid"`
}

PodIdentityResponse is the response received from aad-pod-identity (NMI) when requesting a token on behalf of the pod.

type SATokens added in v1.1.0

type SATokens struct {
	APIAzureADTokenExchange struct {
		Token               string    `json:"token"`
		ExpirationTimestamp time.Time `json:"expirationTimestamp"`
	} `json:"api://AzureADTokenExchange"`
}

SATokens represents the service account tokens sent as part of the MountRequest, keyed by audience; each entry carries the projected token and the expiry reported by the kubelet.
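The following is an added example, not the auth package's own code. It reproduces the SATokens shape and the extraction step described for ParseServiceAccountToken, then decodes the JWT payload (without verifying the signature) to confirm the issuer, subject and audience that Azure AD will match against the federated identity credential. The kubelet-reported expiry check, the bare-string-or-array handling of the aud claim, the sampleTokensBlob input and the issuer and subject in it are all assumptions made for this example; the token it builds is unsigned (alg none), which a real cluster issuer never emits. Nothing on the node should grant access on the strength of these unverified claims: the signature is checked by Azure AD against the issuer's OIDC discovery document when the token is exchanged.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Mirrors DefaultTokenAudience and ErrServiceAccountTokensNotFound on this page.
const tokenAudience = "api://AzureADTokenExchange"
var errNotFound = errors.New("service account tokens not found")

// saTokens mirrors SATokens: the driver's tokens blob, keyed by audience.
type saTokens struct {
	APIAzureADTokenExchange struct {
		Token               string    `json:"token"`
		ExpirationTimestamp time.Time `json:"expirationTimestamp"`
	} `json:"api://AzureADTokenExchange"`
}

// parseServiceAccountToken returns the token bound to the exchange audience; rejecting a token the kubelet already reports as expired is this example's addition.
func parseServiceAccountToken(blob string, now time.Time) (string, error) {
	var t saTokens
	if err := json.Unmarshal([]byte(blob), &t); err != nil {
		return "", fmt.Errorf("decoding service account tokens: %w", err)
	}
	tok := t.APIAzureADTokenExchange
	if tok.Token == "" {
		return "", errNotFound
	}
	if !tok.ExpirationTimestamp.IsZero() && !now.Before(tok.ExpirationTimestamp) {
		return "", fmt.Errorf("token for %s expired at %s", tokenAudience, tok.ExpirationTimestamp.UTC())
	}
	return tok.Token, nil
}

// audience accepts both encodings of the "aud" claim: a bare string or an array.
type audience []string

func (a *audience) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*a = audience{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("aud must be a string or an array of strings: %w", err)
	}
	*a = audience(many)
	return nil
}

// jwtClaims are what Azure AD matches against the federated identity credential.
type jwtClaims struct {
	Issuer   string   `json:"iss"`
	Subject  string   `json:"sub"`
	Audience audience `json:"aud"`
	Expiry   int64    `json:"exp"`
}

// peekClaims decodes the payload WITHOUT verifying the signature and checks the audience.
// Logging and sanity checks only: Azure AD verifies the signature at exchange time.
func peekClaims(jwt, wantAud string) (jwtClaims, error) {
	var c jwtClaims
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return c, errors.New("not a compact JWS: expected header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return c, fmt.Errorf("decoding payload: %w", err)
	}
	if err := json.Unmarshal(payload, &c); err != nil {
		return c, fmt.Errorf("decoding claims: %w", err)
	}
	for _, a := range c.Audience {
		if a == wantAud {
			return c, nil
		}
	}
	return c, fmt.Errorf("aud %v does not include %s", []string(c.Audience), wantAud)
}

// sampleTokensBlob is constructed input in the driver's shape: an unsigned JWT (alg none, empty signature) with a made-up issuer and subject.
func sampleTokensBlob(exp time.Time) string {
	enc := base64.RawURLEncoding.EncodeToString
	payload, _ := json.Marshal(jwtClaims{
		Issuer:   "https://oidc.example.invalid/cluster",
		Subject:  "system:serviceaccount:default:workload",
		Audience: audience{tokenAudience},
		Expiry:   exp.Unix(),
	})
	jwt := enc([]byte(`{"alg":"none","typ":"JWT"}`)) + "." + enc(payload) + "."
	return fmt.Sprintf(`{"api://AzureADTokenExchange":{"token":%q,"expirationTimestamp":%q}}`, jwt, exp.Format(time.RFC3339))
}
```

The kubelet refreshes the projected token well before expirationTimestamp, so a stale timestamp at mount time usually means the blob was cached or replayed rather than freshly projected; surfacing it as an error is cheaper than a failed exchange.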

type Token added in v1.5.0

type Token struct {
	AccessToken  string `json:"access_token"`
	RefreshToken string `json:"refresh_token"`

	ExpiresIn json.Number `json:"expires_in"`
	ExpiresOn json.Number `json:"expires_on"`
	NotBefore json.Number `json:"not_before"`

	Resource string `json:"resource"`
	Type     string `json:"token_type"`
}

Token encapsulates the access token used to authorize Azure requests. The timing fields are json.Number because the v1 client-credentials endpoint returns expires_in, expires_on and not_before as decimal strings (Unix seconds for the latter two). https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow#service-to-service-access-token-response
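An added example, not the auth package's own code, showing how a caller should treat a Token value once it has been decoded: convert the json.Number timestamps, refuse to present a token inside a refresh margin of its expiry or before its not_before, and keep the bearer secrets out of logs. The parseAccessToken and usableAt helpers, the five-minute margin and the sampleTokenResponse body (a placeholder access_token, not a real JWT) are all assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// accessToken mirrors Token on this page. The v1 endpoint returns the timing fields
// as decimal strings ("3599", "1767225600"); json.Number accepts quoted and bare numbers.
type accessToken struct {
	AccessToken  string      `json:"access_token"`
	RefreshToken string      `json:"refresh_token"`
	ExpiresIn    json.Number `json:"expires_in"`
	ExpiresOn    json.Number `json:"expires_on"`
	NotBefore    json.Number `json:"not_before"`
	Resource     string      `json:"resource"`
	Type         string      `json:"token_type"`
}

// parseAccessToken decodes a token response and checks the fields a caller relies on.
func parseAccessToken(body []byte) (accessToken, error) {
	var t accessToken
	if err := json.Unmarshal(body, &t); err != nil {
		return t, fmt.Errorf("decoding token response: %w", err)
	}
	if t.AccessToken == "" {
		return t, errors.New("token response has no access_token")
	}
	if t.Type != "Bearer" {
		return t, fmt.Errorf("unexpected token_type %q", t.Type)
	}
	if _, err := t.ExpiresOn.Int64(); err != nil {
		return t, fmt.Errorf("expires_on is not a Unix timestamp: %w", err)
	}
	return t, nil
}

// epoch converts a json.Number holding Unix seconds to a UTC time.Time.
func epoch(n json.Number) (time.Time, error) {
	secs, err := n.Int64()
	if err != nil {
		return time.Time{}, err
	}
	return time.Unix(secs, 0).UTC(), nil
}

// usableAt reports whether the token may be presented at now. A token that expires
// within margin counts as stale so the caller refreshes before a request fails
// mid-flight; not_before is honoured when present.
func (t accessToken) usableAt(now time.Time, margin time.Duration) (bool, error) {
	exp, err := epoch(t.ExpiresOn)
	if err != nil {
		return false, err
	}
	if !now.Add(margin).Before(exp) {
		return false, nil
	}
	if t.NotBefore != "" {
		nbf, err := epoch(t.NotBefore)
		if err != nil {
			return false, err
		}
		if now.Before(nbf) {
			return false, nil
		}
	}
	return true, nil
}

// Redacted is the only form that should reach logs: it carries neither
// access_token nor refresh_token, both of which are bearer secrets.
func (t accessToken) Redacted() string {
	exp, _ := epoch(t.ExpiresOn)
	return fmt.Sprintf("%s token for %s (%d bytes), expires %s", t.Type, t.Resource, len(t.AccessToken), exp.Format(time.RFC3339))
}

// sampleTokenResponse is a constructed v1-style response; the access_token is a
// placeholder, not a real JWT. expires_on is 2026-01-01T00:00:00Z.
const sampleTokenResponse = `{
  "token_type": "Bearer",
  "expires_in": "3599",
  "expires_on": "1767225600",
  "not_before": "1767222000",
  "resource": "https://vault.azure.net",
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.placeholder.placeholder",
  "refresh_token": ""
}`
```

Decoding the numbers through json.Number rather than int64 is what lets the same struct accept both the quoted strings of the v1 endpoint and bare integers; a struct with int64 fields would fail to unmarshal the quoted form.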
