Add as_managed_identity arg (#8)

Add `as_managed_identity` argument to `key_vault`, to allow authenticating with a managed identity from inside an Azure VM or container.
2021-09-11 02:14:49 +10:00 · 2021-09-11 02:14:49 +10:00 · c97b9bee97
--- a/4
+++ b/4
@ -27,5 +27,5 @@ Suggests:
    knitr,
    rmarkdown,
    testthat
-Roxygen: list(markdown=TRUE)
-RoxygenNote: 6.1.1
+Roxygen: list(markdown=TRUE, r6=FALSE)
+RoxygenNote: 7.1.1
--- a/NEWS.md
+++ b/NEWS.md
@ -1,3 +1,7 @@
+# AzureKeyVault 1.0.4.9000
+
+- Add `as_managed_identity` argument to `key_vault`, to allow authenticating with a managed identity from inside an Azure VM or container.
+
 # AzureKeyVault 1.0.4

 - Change maintainer email address.
--- a/R/vault_endpoint.R
+++ b/R/vault_endpoint.R
@ -78,9 +78,11 @@ AzureKeyVault <- R6::R6Class("AzureKeyVault", public=list(
 #' Azure Key Vault client
 #'
 #' @param url The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the `domain` argument is appended to obtain the URL.
-#' @param tenant,app,... Authentication arguments that will be passed to [AzureAuth::get_azure_token]. The default is to authenticate interactively.
+#' @param tenant,app, Authentication arguments that will be passed to [`AzureAuth::get_azure_token`]. The default is to authenticate interactively.
 #' @param domain The domain of the vault; for the public Azure cloud, this is `vault.azure.net`. Also the resource for OAuth authentication.
-#' @param token An OAuth token obtained via [AzureAuth::get_azure_token]. If provided, this overrides the other authentication arguments.
+#' @param as_managed_identity Whether to authenticate as a managed identity. Use this if your R session is taking place inside an Azure VM or container that has a system- or user-assigned managed identity assigned to it.
+#' @param ... Further arguments that will be passed to either `get_azure_token` or [`AzureAuth::get_managed_token`], depending on whether `as_managed_identity` is TRUE.
+#' @param token An OAuth token obtained via `get_azure_token` or `get_managed_token`. If provided, this overrides the other authentication arguments.
 #'
 #' @details
 #' This function creates a new Key Vault client object. It includes the following component objects for working with data in the vault:
@ -91,7 +93,7 @@ AzureKeyVault <- R6::R6Class("AzureKeyVault", public=list(
 #' - `storage`: A sub-object for working with storage accounts managed by the vault. See [storage].
 #'
 #' @seealso
-#' [keys], [secrets], [certificates], [storage]
+#' [`keys`], [`secrets`], [`certificates`], [`storage`]
 #'
 #' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
 #' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
@ -110,16 +112,29 @@ AzureKeyVault <- R6::R6Class("AzureKeyVault", public=list(
 #'                                     app="app_id", password="password")
 #' key_vault("mykeyvault", token=token)
 #'
+#' # authenticating with a system-assigned managed identity
+#' key_vault("mykeyvault", as_managed_identity=TRUE)
+#'
+#' # authenticating with a user-assigned managed identity:
+#' # - supply one of the identity's object ID, client ID or resource ID
+#' key_vault("mykeyvault", as_managed_identity=TRUE,
+#'     token_args=list(mi_res_id="/subscriptions/xxxx/resourceGroups/resgrpname/..."))
+#'
 #' }
 #' @export
-key_vault <- function(url, tenant="common", app=.az_cli_app_id, ..., domain="vault.azure.net", token=NULL)
+key_vault <- function(url, tenant="common", app=.az_cli_app_id, ..., domain="vault.azure.net",
+                      as_managed_identity=FALSE, token=NULL)
 {
    if(!is_url(url))
        url <- sprintf("https://%s.%s", url, domain)

    # "https://vault.azure.net/" (with trailing slash) will fail
    if(is.null(token))
-        token <- get_azure_token(sprintf("https://%s", domain), tenant=tenant, app=app, ...)
+    {
+        token <- if(as_managed_identity)
+            AzureAuth::get_managed_token(sprintf("https://%s", domain), ...)
+        else AzureAuth::get_azure_token(sprintf("https://%s", domain), tenant=tenant, app=app, ...)
+    }

    AzureKeyVault$new(token, httr::parse_url(url))
 }
--- a/man/AzureKeyVault.Rd
+++ b/man/AzureKeyVault.Rd
@ -4,12 +4,8 @@
 \name{AzureKeyVault}
 \alias{AzureKeyVault}
 \title{Azure Key Vault endpoint class}
-\format{An object of class \code{R6ClassGenerator} of length 25.}
-\usage{
-AzureKeyVault
-}
 \description{
-Class representing the client endpoint for a key vault, exposing methods for working with it. Use the \code{[key_vault]} function to instantiate new objects of this class.
+Class representing the client endpoint for a key vault, exposing methods for working with it. Use the \verb{[key_vault]} function to instantiate new objects of this class.
 }
 \section{Fields}{

@ -43,4 +39,3 @@ key_vault("mykeyvault", token=token)
 \href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
 \href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
 }
-\keyword{datasets}
--- a/man/az_key_vault.Rd
+++ b/man/az_key_vault.Rd
@ -4,10 +4,6 @@
 \name{az_key_vault}
 \alias{az_key_vault}
 \title{Key vault resource class}
-\format{An object of class \code{R6ClassGenerator} of length 25.}
-\usage{
-az_key_vault
-}
 \description{
 Class representing a key vault, exposing methods for working with it.
 }
@ -56,7 +52,7 @@ To revoke access, use the \code{remove_principal} method. To view the current ac

 \section{Endpoint}{

-The client-side interaction with a key vault is via its \emph{endpoint}, which is usually at the URL \code{https://[vaultname].vault.azure.net}. The \code{get_endpoint} method returns an R6 object of class \code{key_vault}, which represents the endpoint. Authenticating with the endpoint is done via an OAuth token; the necessary credentials are taken from the current Resource Manager client in use, or you can supply your own.\preformatted{get_endpoint(tenant = self$token$tenant,
+The client-side interaction with a key vault is via its \emph{endpoint}, which is usually at the URL \verb{https://[vaultname].vault.azure.net}. The \code{get_endpoint} method returns an R6 object of class \code{key_vault}, which represents the endpoint. Authenticating with the endpoint is done via an OAuth token; the necessary credentials are taken from the current Resource Manager client in use, or you can supply your own.\preformatted{get_endpoint(tenant = self$token$tenant,
             app = self$token$client$client_id,
             password = self$token$client$client_secret, ...)
 }
@ -105,9 +101,8 @@ vault <- kv$get_endpoint()
 \seealso{
 \link{vault_access_policy}, \link{key_vault}
 \link{create_key_vault}, \link{get_key_vault}, \link{delete_key_vault},
-\link[AzureGraph:get_graph_login]{AzureGraph::get_graph_login}, \link[AzureGraph:az_user]{AzureGraph::az_user}, \link[AzureGraph:az_app]{AzureGraph::az_app}, \link[AzureGraph:az_service_principal]{AzureGraph::az_service_principal}
+\link[AzureGraph:graph_login]{AzureGraph::get_graph_login}, \link[AzureGraph:az_user]{AzureGraph::az_user}, \link[AzureGraph:az_app]{AzureGraph::az_app}, \link[AzureGraph:az_service_principal]{AzureGraph::az_service_principal}

 \href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
 \href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
 }
-\keyword{datasets}
--- a/man/certificate.Rd
+++ b/man/certificate.Rd
@ -47,7 +47,7 @@ delete(confirm=TRUE)
 \item \code{file}: For \code{export} and \code{export_cer}, a connection object or a character string naming a file to export to.
 \item \code{digest}: For \code{sign}, a hash digest string to sign. For \code{verify}, a digest to compare to a signature.
 \item \code{signature}: For \code{verify}, a signature string.
-\item \code{subject,x509,issuer,key,secret_type,actions,wait}: These are the same arguments as used when creating a new certificate. See \link{certificates} for more information.
+\item \verb{subject,x509,issuer,key,secret_type,actions,wait}: These are the same arguments as used when creating a new certificate. See \link{certificates} for more information.
 \item \code{attributes}: For \code{update_attributes}, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the \link{vault_object_attrs} helper function.
 \item \code{...}: For \code{update_attributes}, additional key-specific properties to update. For \code{sign} and \code{verify}, additional arguments for the corresponding key object methods. See \link{keys} and \link{key}.
 \item \code{version}: For \code{set_version}, the version ID or NULL for the current version.
--- a/man/create_key_vault.Rd
+++ b/man/create_key_vault.Rd
@ -17,7 +17,7 @@ Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} cl
 \itemize{
 \item \code{name}: The name of the key vault.
 \item \code{location}: The location/region in which to create the account. Defaults to the resource group location.
-\item \code{initial_access}: The user or service principals that will have access to the vault. This should be a list of objects of type \code{[vault_access_policy]}, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.
+\item \code{initial_access}: The user or service principals that will have access to the vault. This should be a list of objects of type \verb{[vault_access_policy]}, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.
 \item \code{sku}: The sku for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs).
 \item \code{allow_vm_access}: Whether to allow Azure virtual machines to retrieve certificates from the vault.
 \item \code{allow_arm_access}: Whether to allow Azure Resource Manager to retrieve secrets from the vault for template deployment purposes.
--- a/man/helpers.Rd
+++ b/man/helpers.Rd
@ -8,23 +8,34 @@
 \alias{vault_object_attrs}
 \title{Helper functions for key vault objects}
 \usage{
-cert_key_properties(type = c("RSA", "EC"), hardware = FALSE,
-  ec_curve = NULL, rsa_key_size = NULL, key_exportable = TRUE,
-  reuse_key = FALSE)
+cert_key_properties(
+  type = c("RSA", "EC"),
+  hardware = FALSE,
+  ec_curve = NULL,
+  rsa_key_size = NULL,
+  key_exportable = TRUE,
+  reuse_key = FALSE
+)

-cert_x509_properties(dns_names = character(), emails = character(),
-  upns = character(), key_usages = c("digitalSignature",
-  "keyEncipherment"), enhanced_key_usages = c("1.3.6.1.5.5.7.3.1",
-  "1.3.6.1.5.5.7.3.2"), validity_months = NULL)
+cert_x509_properties(
+  dns_names = character(),
+  emails = character(),
+  upns = character(),
+  key_usages = c("digitalSignature", "keyEncipherment"),
+  enhanced_key_usages = c("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"),
+  validity_months = NULL
+)

-cert_issuer_properties(issuer = "self", cert_type = NULL,
-  transparent = NULL)
+cert_issuer_properties(issuer = "self", cert_type = NULL, transparent = NULL)

-cert_expiry_action(remaining = 0.1, action = c("AutoRenew",
-  "EmailContacts"))
+cert_expiry_action(remaining = 0.1, action = c("AutoRenew", "EmailContacts"))

-vault_object_attrs(enabled = TRUE, expiry_date = NULL,
-  activation_date = NULL, recovery_level = NULL)
+vault_object_attrs(
+  enabled = TRUE,
+  expiry_date = NULL,
+  activation_date = NULL,
+  recovery_level = NULL
+)
 }
 \arguments{
 \item{type}{For \code{cert_key_properties}, the type of key to create: RSA or elliptic curve (EC). Note that for keys backing a certificate, only RSA is allowed.}
--- a/man/key_vault.Rd
+++ b/man/key_vault.Rd
@ -4,17 +4,28 @@
 \alias{key_vault}
 \title{Azure Key Vault client}
 \usage{
-key_vault(url, tenant = "common", app = .az_cli_app_id, ...,
-  domain = "vault.azure.net", token = NULL)
+key_vault(
+  url,
+  tenant = "common",
+  app = .az_cli_app_id,
+  ...,
+  domain = "vault.azure.net",
+  as_managed_identity = FALSE,
+  token = NULL
+)
 }
 \arguments{
 \item{url}{The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the \code{domain} argument is appended to obtain the URL.}

-\item{tenant, app, ...}{Authentication arguments that will be passed to \link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}. The default is to authenticate interactively.}
+\item{tenant, app, }{Authentication arguments that will be passed to \code{\link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}}. The default is to authenticate interactively.}
+
+\item{...}{Further arguments that will be passed to either \code{get_azure_token} or \code{\link[AzureAuth:get_azure_token]{AzureAuth::get_managed_token}}, depending on whether \code{as_managed_identity} is TRUE.}

 \item{domain}{The domain of the vault; for the public Azure cloud, this is \code{vault.azure.net}. Also the resource for OAuth authentication.}

-\item{token}{An OAuth token obtained via \link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}. If provided, this overrides the other authentication arguments.}
+\item{as_managed_identity}{Whether to authenticate as a managed identity. Use this if your R session is taking place inside an Azure VM or container that has a system- or user-assigned managed identity assigned to it.}
+
+\item{token}{An OAuth token obtained via \code{get_azure_token} or \code{get_managed_token}. If provided, this overrides the other authentication arguments.}
 }
 \description{
 Azure Key Vault client
@ -42,10 +53,18 @@ token <- AzureAuth::get_azure_token("https://vault.azure.net", "myaadtenant",
                                    app="app_id", password="password")
 key_vault("mykeyvault", token=token)

+# authenticating with a system-assigned managed identity
+key_vault("mykeyvault", as_managed_identity=TRUE)
+
+# authenticating with a user-assigned managed identity:
+# - supply one of the identity's object ID, client ID or resource ID
+key_vault("mykeyvault", as_managed_identity=TRUE,
+    token_args=list(mi_res_id="/subscriptions/xxxx/resourceGroups/resgrpname/..."))
+
 }
 }
 \seealso{
-\link{keys}, \link{secrets}, \link{certificates}, \link{storage}
+\code{\link{keys}}, \code{\link{secrets}}, \code{\link{certificates}}, \code{\link{storage}}

 \href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
 \href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
--- a/man/vault_access_policy.Rd
+++ b/man/vault_access_policy.Rd
@ -4,9 +4,14 @@
 \alias{vault_access_policy}
 \title{Specify a key vault access policy}
 \usage{
-vault_access_policy(principal, tenant = NULL, key_permissions = "all",
-  secret_permissions = "all", certificate_permissions = "all",
-  storage_permissions = "all")
+vault_access_policy(
+  principal,
+  tenant = NULL,
+  key_permissions = "all",
+  secret_permissions = "all",
+  certificate_permissions = "all",
+  storage_permissions = "all"
+)
 }
 \arguments{
 \item{principal}{The user or service principal for this access policy. Can be a GUID, or a user, app or service principal object from the AzureGraph package.}