Support managed identity for Azure App Service/Azure Container Apps #7085
Thanks for reporting this @apc-kamezaki. If you'd like to contribute a fix that would be great. Thanks!
I've also posted PR #7086
apc-kamezaki added a commit to apc-kamezaki/opa that referenced this issue Oct 4, 2024
…iner Apps IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are provided on Azure App Service for getting the token. We can detect these variables and switch the endpoint and header value from IMDS. Fixes: open-policy-agent#7085 Signed-off-by: Hitoshi Kamezaki <[email protected]>
apc-kamezaki added a commit to apc-kamezaki/opa that referenced this issue Oct 7, 2024
…iner Apps IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are provided on Azure App Service for getting the token. We can detect these variables and switch the endpoint and header value from IMDS. Fixes: open-policy-agent#7085 Signed-off-by: Hitoshi Kamezaki <[email protected]>
apc-kamezaki added a commit to apc-kamezaki/opa that referenced this issue Oct 8, 2024
…iner Apps IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are provided on Azure App Service for getting the token. We can detect these variables and switch the endpoint and header value from IMDS. Fixes: open-policy-agent#7085 Signed-off-by: Hitoshi Kamezaki <[email protected]>
apc-kamezaki added a commit to apc-kamezaki/opa that referenced this issue Oct 8, 2024
…iner Apps IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are provided on Azure App Service for getting the token. We can detect these variables and switch the endpoint and header value from IMDS. Fixes: open-policy-agent#7085 Signed-off-by: Hitoshi Kamezaki <[email protected]>
apc-kamezaki added a commit to apc-kamezaki/opa that referenced this issue Oct 8, 2024
…iner Apps IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are provided on Azure App Service for getting the token. We can detect these variables and switch the endpoint and header value from IMDS. Fixes: open-policy-agent#7085 Signed-off-by: Hitoshi Kamezaki <[email protected]>
ashutosh-narkar pushed a commit to apc-kamezaki/opa that referenced this issue Oct 9, 2024
…iner Apps IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are provided on Azure App Service for getting the token. We can detect these variables and switch the endpoint and header value from IMDS. Fixes: open-policy-agent#7085 Signed-off-by: Hitoshi Kamezaki <[email protected]>
As you can see in the discussion https://github.com/orgs/open-policy-agent/discussions/592, the OPA server cannot connect to Azure Blob Storage on Azure App Service using managed identity.
I'd like to add the feature for using managed identity for connecting between Azure Container Apps and Azure Blob Storage.
What is the underlying problem you're trying to solve?
It seems that the IMDS endpoint is not available on Azure App Service/Container Apps. It should use a special endpoint for getting the token instead.
See:
https://learn.microsoft.com/en-us/azure/app-service/overview-managed-identity?tabs=portal%2Chttp#connect-to-azure-services-in-app-code
https://learn.microsoft.com/en-us/azure/container-apps/managed-identity?tabs=bicep%2Chttp#connect-to-azure-services-in-app-code
Describe the ideal solution
IDENTITY_ENDPOINT and IDENTITY_HEADER environment variables are defined on Azure App Service for getting the token.
We can detect these variables and switch the endpoint and header value from IMDS.
Describe a "Good Enough" solution
I
Additional Context
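The endpoint switch the issue proposes, as an added Go sketch that is not part of the original issue and is not OPA's own code. The helper `newTokenRequest`, the storage resource URI and the sample environment values are assumptions made for illustration; the header names and `api-version` values are the ones given in the Azure documentation linked above.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
)

// Values from the Azure managed identity documentation linked in the issue.
const (
	imdsURL       = "http://169.254.169.254/metadata/identity/oauth2/token"
	imdsVersion   = "2018-02-01"
	appSvcVersion = "2019-08-01"
)

// newTokenRequest (hypothetical helper) builds the token request for resource.
// getenv is injected so the selection can be tested without the real environment.
func newTokenRequest(getenv func(string) string, resource string) (*http.Request, error) {
	base, version, hdrName, hdrValue := imdsURL, imdsVersion, "Metadata", "true"
	// Switch only when both variables are present; otherwise stay on IMDS.
	if ep, secret := getenv("IDENTITY_ENDPOINT"), getenv("IDENTITY_HEADER"); ep != "" && secret != "" {
		base, version, hdrName, hdrValue = ep, appSvcVersion, "X-IDENTITY-HEADER", secret
	}
	u, err := url.Parse(base)
	if err != nil || u.Host == "" || (u.Scheme != "http" && u.Scheme != "https") {
		return nil, fmt.Errorf("invalid identity endpoint %q", base)
	}
	q := u.Query()
	q.Set("api-version", version)
	q.Set("resource", resource)
	u.RawQuery = q.Encode()
	req, err := http.NewRequest(http.MethodGet, u.String(), nil)
	if err != nil {
		return nil, err
	}
	// Exactly one of the two headers is set, so the secret never goes to IMDS.
	req.Header.Set(hdrName, hdrValue)
	return req, nil
}

func main() {
	// Constructed sample environment; a real platform injects its own values.
	env := map[string]string{"IDENTITY_ENDPOINT": "http://127.0.0.1:41741/msi/token", "IDENTITY_HEADER": "constructed-secret"}
	for _, getenv := range []func(string) string{func(k string) string { return env[k] }, func(string) string { return "" }} {
		req, err := newTokenRequest(getenv, "https://storage.azure.com/")
		fmt.Println(req.URL, err)
	}
}
```

The `IDENTITY_HEADER` value is a credential for the local token endpoint, so it should be kept out of logs and error messages.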