README
¶
Intro
entrauth provides a customizable chained token credential for authenticating to Microsoft Entra ID. Based on this, it contains a sub package aztfauth that provides an opinionated chained token credential, which is meant to be used for Azure Terraform providers.
Credentials
The high level structure of the basic supported credentials are listed below:
Auth
|
+--> OAuth2 Client Credential
| |
| +------ client secret ----------------------> "client-secret"
| |
| +------ client assertion
| |
| +----- plain assertion -------> "assertion-plain"
| |
| +----- assertion file --------> "assertion-file"
| |
| +----- client certificate ----> "client-certificate"
| | (build assertion)
| |
| +------ request --------------> "assertion-request"
| (Github, AzureDevOps)
+--> Token Provider
|
+------ Azure Managed Identity -------------> "managed-identity"
|
+------ Azure CLI delegation ---------------> "azure-cli"
|
+------ Azure Developer CLI delegation -----> "azure-dev-cli"
Based on above, the aztfauth provides the following chained token credential:
"assertion-plain"
|
v
"assertion-file"
|
v
"assertion-request"
|
v
ADOServiceConnectionId == "" ?
/ \
y / \ n
/ \
Github AzureDevOps
\ /
\ /
\ /
v
"client-secret"
|
v
"client-certificate"
|
v
"managed-identity"
|
v
"Azure CLI"
|
v
"Azure Dev CLI"
Note that each token credential can be enabled/disabled.
Documentation
¶
Index ¶
- func NewCredential(credsOpts []CredentialOption, option *NewCredentialOption) (token *azidentity.ChainedTokenCredential, err error)
- func NewGithubCredential(tenantId, clientId, requestUrl, requestToken string, ...) (azcore.TokenCredential, error)
- type AssertionFileCredentialOption
- type AssertionPlainCredentialOption
- type AssertionRequestAzureDevOpsCredentialOption
- type AssertionRequestCredentialOption
- type AssertionRequestCredentialPlatformOption
- type AssertionRequestGithubCredentialOption
- type AssertionRequestType
- type AzureCLICredentialOption
- type AzureDevCLICredentialOption
- type ClientCertificateCredentialOption
- type ClientSecretCredentialOption
- type CredentialOption
- type GithubCredentialOption
- type ManagedIdentityCredentialOption
- type NewCredentialOption
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func NewCredential ¶
func NewCredential(credsOpts []CredentialOption, option *NewCredentialOption) (token *azidentity.ChainedTokenCredential, err error)
NewCredential news a chained token credential. The exact credentials and their orders being chained are determined by the `credOpts`.
func NewGithubCredential ¶
func NewGithubCredential(tenantId, clientId, requestUrl, requestToken string, options *GithubCredentialOption) (azcore.TokenCredential, error)
Types ¶
type AssertionFileCredentialOption ¶
type AssertionFileCredentialOption struct {
TenantId string
ClientId string
AssertionFile string
// Optional
azcore.ClientOptions
AdditionallyAllowedTenants []string
DisableInstanceDiscovery bool
Cache azidentity.Cache
}
type AssertionPlainCredentialOption ¶
type AssertionPlainCredentialOption struct {
TenantId string
ClientId string
Assertion string
// Optional
azcore.ClientOptions
AdditionallyAllowedTenants []string
DisableInstanceDiscovery bool
Cache azidentity.Cache
}
type AssertionRequestAzureDevOpsCredentialOption ¶
type AssertionRequestAzureDevOpsCredentialOption struct {
TenantId string
ClientId string
ServiceConnectionId string
SystemAccessToken string
// Optional
azcore.ClientOptions
AdditionallyAllowedTenants []string
DisableInstanceDiscovery bool
Cache azidentity.Cache
}
type AssertionRequestCredentialOption ¶
type AssertionRequestCredentialOption struct {
Type AssertionRequestType
PlatformOption AssertionRequestCredentialPlatformOption
}
type AssertionRequestCredentialPlatformOption ¶
type AssertionRequestCredentialPlatformOption interface {
// contains filtered or unexported methods
}
type AssertionRequestGithubCredentialOption ¶
type AssertionRequestGithubCredentialOption struct {
TenantId string
ClientId string
RequestToken string
RequestUrl string
// Optional
azcore.ClientOptions
AdditionallyAllowedTenants []string
DisableInstanceDiscovery bool
Cache azidentity.Cache
}
type AssertionRequestType ¶
type AssertionRequestType string
const ( AssertionRequestTypeGithub AssertionRequestType = "Github" AssertionRequestTypeAzureDevOps AssertionRequestType = "AzureDevOps" )
type ClientCertificateCredentialOption ¶
type ClientCertificateCredentialOption struct {
TenantId string
ClientId string
CertData []*x509.Certificate
CertKey crypto.PrivateKey
// Optional
azcore.ClientOptions
AdditionallyAllowedTenants []string
DisableInstanceDiscovery bool
Cache azidentity.Cache
SendCertificateChain bool
}
type ClientSecretCredentialOption ¶
type ClientSecretCredentialOption struct {
TenantId string
ClientId string
ClientSecret string
// Optional
azcore.ClientOptions
AdditionallyAllowedTenants []string
DisableInstanceDiscovery bool
Cache azidentity.Cache
}
type CredentialOption ¶
type CredentialOption interface {
// contains filtered or unexported methods
}
type GithubCredentialOption ¶
type GithubCredentialOption struct {
azcore.ClientOptions
AdditionallyAllowedTenants []string
DisableInstanceDiscovery bool
Cache azidentity.Cache
}
type ManagedIdentityCredentialOption ¶
type ManagedIdentityCredentialOption struct {
// Optional
azcore.ClientOptions
ID azidentity.ManagedIDKind
}
type NewCredentialOption ¶
type NewCredentialOption struct {
Logger *log.Logger
ChainedTokenOption azidentity.ChainedTokenCredentialOptions
}
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.