
OIDC Authentication Support #432

Open
roux-doo opened this issue Jul 22, 2024 · 2 comments

Comments

@roux-doo

Description

Requesting to add OIDC authentication arguments that are present on the Terraform Azure providers (oidc_token, oidc_token_file_path, use_oidc). This will allow the Packer plugin to run Azure Commercial and Azure Government builds congruently instead of separately in CI/CD systems such as GitLab that support OIDC.

Potential References

https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs#oidc_token

@JenGoldstrich
Contributor

Hey @roux-doo, thanks for this feature request

I think some of this functionality is already in the plugin, but I haven't tested it and this linked issue below may be blocking you (although I have a PR open to fix that).

Whenever you use a client_jwt, the Azure Packer Plugin uses the same authentication method that the Terraform AzureRM Provider uses for oidc_token; both of these tools use the same SDK. Here you can see where OIDC tokens are passed in

https://github.com/hashicorp/terraform-provider-azurerm/blob/bea0f8f45689d1d1c01c6a6979e7805d280177e0/internal/provider/provider.go#L468-L469 in the provider, and we pass in the same options in this Packer plugin,

```go
case AuthTypeClientBearerJWT:
	// client_jwt is handed to the SDK as the OIDC assertion token
	authConfig = auth.Credentials{
		Environment:                   env,
		EnableAuthenticationUsingOIDC: true,
		ClientID:                      authOpts.ClientID,
		TenantID:                      authOpts.TenantID,
		OIDCAssertionToken:            authOpts.ClientJWT,
	}
```

You'd just need to pass in the token as a client_jwt. The issue I linked above however shows a current issue with some OIDC tokens, but as I mentioned I have a fix PR pending for that issue (I haven't tested this so I don't know how widespread this issue is)

However the functionality of oidc_token_file_path is definitely still something we could add, and I think we could document better that client_jwt can be used for OIDC Authorization.
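The comment above says the CI system's OIDC token is passed straight through as client_jwt, and that "some OIDC tokens" still hit a problem. Before the Azure plugin ever sees the token, a CI job can decode the claims and confirm they match the Entra ID federated credential, which is where most token exchange failures come from. The following is an added example (not code from the plugin, the azurerm provider, or anyone in this thread). It assumes the federated credential was created with the usual audience api://AzureADTokenExchange and with the issuer and subject values passed to check_oidc_token(), and that the Packer template declares a variable named client_jwt so the token can be supplied through PKR_VAR_client_jwt instead of on the command line. The sample token is constructed locally and unsigned; a real CI ID token is signed by the CI system and Entra ID verifies that signature.

```python
"""Pre-flight check for the OIDC token that a CI job hands to the Packer Azure
plugin as client_jwt. Added example, not code from the plugin, the azurerm
provider or the thread participants. Assumptions: the Entra ID federated
credential uses audience api://AzureADTokenExchange (the usual default) and the
issuer/subject passed to check_oidc_token(); the Packer template declares a
variable named client_jwt."""
import base64
import json
import os
import time

EXPECTED_AUDIENCE = "api://AzureADTokenExchange"  # assumption: federated credential audience


def _b64url(data: bytes) -> str:
    # base64url without padding, as used by compact JWS segments
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # restore the padding that compact JWS strips before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying the signature.
    Signature verification is Entra ID's job during the token exchange; the goal
    here is only to fail fast, inside the CI job, on a token it is bound to reject."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 JWT segments, got {len(parts)}")
    return json.loads(_b64url_decode(parts[1]))


def check_oidc_token(token: str, issuer: str, subject: str,
                     audience: str = EXPECTED_AUDIENCE, now: float = None) -> list:
    """Compare the token's claims with what the federated credential expects.
    Returns a list of problems; an empty list means the token looks usable."""
    now = time.time() if now is None else now
    claims = decode_jwt_claims(token)
    problems = []
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]  # aud may be a string or a list
    if audience not in auds:
        problems.append(f"aud {auds!r} does not contain {audience!r}")
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != federated credential issuer {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub {claims.get('sub')!r} != federated credential subject {subject!r}")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append(f"token expired or missing exp (exp={exp!r})")
    return problems


def read_token(path: str) -> str:
    """Load a token written to a file by the CI system (the oidc_token_file_path
    idea from the request); strips the trailing newline most writers append."""
    with open(path, "r", encoding="ascii") as fh:
        return fh.read().strip()


def packer_env_for_token(token: str) -> dict:
    """Hand the token to Packer via PKR_VAR_client_jwt rather than -var 'client_jwt=...'
    so it does not show up in the process list or the job log.
    Assumes the template declares variable "client_jwt"."""
    env = dict(os.environ)
    env["PKR_VAR_client_jwt"] = token
    return env


def build_demo_token(claims: dict) -> str:
    """Constructed, unsigned token for demonstration only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    # Constructed sample claims in the shape of a GitLab ID token (sub format illustrative).
    iss = "https://gitlab.example.com"
    sub = "project_path:infra/images:ref_type:branch:ref:main"
    good = build_demo_token({"iss": iss, "sub": sub, "aud": EXPECTED_AUDIENCE,
                             "exp": int(time.time()) + 600})
    # Wrong audience: a token minted for the CI system's own API instead of Entra ID.
    bad = build_demo_token({"iss": iss, "sub": sub, "aud": "https://gitlab.example.com",
                            "exp": int(time.time()) + 600})
    print("good token problems:", check_oidc_token(good, iss, sub))
    print("bad token problems: ", check_oidc_token(bad, iss, sub))
    print("PKR_VAR_client_jwt set:", "PKR_VAR_client_jwt" in packer_env_for_token(good))
```

In a GitLab job the token would come from the id_tokens keyword (or a file, via read_token), be checked with check_oidc_token against the exact iss, sub and aud configured on the federated credential, and only then be exported with packer_env_for_token before running packer build. The check deliberately does not verify the signature; that is Entra ID's responsibility, and doing it here would require fetching the CI system's JWKS.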

@SPALLADI

Is it working for anyone? I am using a service using OIDC to create a Packer build image. It has been failing for some reason.


3 participants