Add as_managed_identity arg (#8)
Add `as_managed_identity` argument to `key_vault`, to allow authenticating with a managed identity from inside an Azure VM or container.
Родитель
42ce0d0eef
Коммит
c97b9bee97
|
@ -27,5 +27,5 @@ Suggests:
|
||||||
knitr,
|
knitr,
|
||||||
rmarkdown,
|
rmarkdown,
|
||||||
testthat
|
testthat
|
||||||
Roxygen: list(markdown=TRUE)
|
Roxygen: list(markdown=TRUE, r6=FALSE)
|
||||||
RoxygenNote: 6.1.1
|
RoxygenNote: 7.1.1
|
||||||
|
|
4
NEWS.md
4
NEWS.md
|
@ -1,3 +1,7 @@
|
||||||
|
# AzureKeyVault 1.0.4.9000
|
||||||
|
|
||||||
|
- Add `as_managed_identity` argument to `key_vault`, to allow authenticating with a managed identity from inside an Azure VM or container.
|
||||||
|
|
||||||
# AzureKeyVault 1.0.4
|
# AzureKeyVault 1.0.4
|
||||||
|
|
||||||
- Change maintainer email address.
|
- Change maintainer email address.
|
||||||
|
|
|
@ -78,9 +78,11 @@ AzureKeyVault <- R6::R6Class("AzureKeyVault", public=list(
|
||||||
#' Azure Key Vault client
|
#' Azure Key Vault client
|
||||||
#'
|
#'
|
||||||
#' @param url The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the `domain` argument is appended to obtain the URL.
|
#' @param url The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the `domain` argument is appended to obtain the URL.
|
||||||
#' @param tenant,app,... Authentication arguments that will be passed to [AzureAuth::get_azure_token]. The default is to authenticate interactively.
|
#' @param tenant,app, Authentication arguments that will be passed to [`AzureAuth::get_azure_token`]. The default is to authenticate interactively.
|
||||||
#' @param domain The domain of the vault; for the public Azure cloud, this is `vault.azure.net`. Also the resource for OAuth authentication.
|
#' @param domain The domain of the vault; for the public Azure cloud, this is `vault.azure.net`. Also the resource for OAuth authentication.
|
||||||
#' @param token An OAuth token obtained via [AzureAuth::get_azure_token]. If provided, this overrides the other authentication arguments.
|
#' @param as_managed_identity Whether to authenticate as a managed identity. Use this if your R session is taking place inside an Azure VM or container that has a system- or user-assigned managed identity assigned to it.
|
||||||
|
#' @param ... Further arguments that will be passed to either `get_azure_token` or [`AzureAuth::get_managed_token`], depending on whether `as_managed_identity` is TRUE.
|
||||||
|
#' @param token An OAuth token obtained via `get_azure_token` or `get_managed_token`. If provided, this overrides the other authentication arguments.
|
||||||
#'
|
#'
|
||||||
#' @details
|
#' @details
|
||||||
#' This function creates a new Key Vault client object. It includes the following component objects for working with data in the vault:
|
#' This function creates a new Key Vault client object. It includes the following component objects for working with data in the vault:
|
||||||
|
@ -91,7 +93,7 @@ AzureKeyVault <- R6::R6Class("AzureKeyVault", public=list(
|
||||||
#' - `storage`: A sub-object for working with storage accounts managed by the vault. See [storage].
|
#' - `storage`: A sub-object for working with storage accounts managed by the vault. See [storage].
|
||||||
#'
|
#'
|
||||||
#' @seealso
|
#' @seealso
|
||||||
#' [keys], [secrets], [certificates], [storage]
|
#' [`keys`], [`secrets`], [`certificates`], [`storage`]
|
||||||
#'
|
#'
|
||||||
#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
|
#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
|
||||||
#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
|
#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
|
||||||
|
@ -110,16 +112,29 @@ AzureKeyVault <- R6::R6Class("AzureKeyVault", public=list(
|
||||||
#' app="app_id", password="password")
|
#' app="app_id", password="password")
|
||||||
#' key_vault("mykeyvault", token=token)
|
#' key_vault("mykeyvault", token=token)
|
||||||
#'
|
#'
|
||||||
|
#' # authenticating with a system-assigned managed identity
|
||||||
|
#' key_vault("mykeyvault", as_managed_identity=TRUE)
|
||||||
|
#'
|
||||||
|
#' # authenticating with a user-assigned managed identity:
|
||||||
|
#' # - supply one of the identity's object ID, client ID or resource ID
|
||||||
|
#' key_vault("mykeyvault", as_managed_identity=TRUE,
|
||||||
|
#' token_args=list(mi_res_id="/subscriptions/xxxx/resourceGroups/resgrpname/..."))
|
||||||
|
#'
|
||||||
#' }
|
#' }
|
||||||
#' @export
|
#' @export
|
||||||
key_vault <- function(url, tenant="common", app=.az_cli_app_id, ..., domain="vault.azure.net", token=NULL)
|
key_vault <- function(url, tenant="common", app=.az_cli_app_id, ..., domain="vault.azure.net",
|
||||||
|
as_managed_identity=FALSE, token=NULL)
|
||||||
{
|
{
|
||||||
if(!is_url(url))
|
if(!is_url(url))
|
||||||
url <- sprintf("https://%s.%s", url, domain)
|
url <- sprintf("https://%s.%s", url, domain)
|
||||||
|
|
||||||
# "https://vault.azure.net/" (with trailing slash) will fail
|
# "https://vault.azure.net/" (with trailing slash) will fail
|
||||||
if(is.null(token))
|
if(is.null(token))
|
||||||
token <- get_azure_token(sprintf("https://%s", domain), tenant=tenant, app=app, ...)
|
{
|
||||||
|
token <- if(as_managed_identity)
|
||||||
|
AzureAuth::get_managed_token(sprintf("https://%s", domain), ...)
|
||||||
|
else AzureAuth::get_azure_token(sprintf("https://%s", domain), tenant=tenant, app=app, ...)
|
||||||
|
}
|
||||||
|
|
||||||
AzureKeyVault$new(token, httr::parse_url(url))
|
AzureKeyVault$new(token, httr::parse_url(url))
|
||||||
}
|
}
|
||||||
|
|
|
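Review bot: The rewritten roxygen tag `#' @param tenant,app,` carries a trailing comma, and roxygen turns that into the malformed argument entry `\item{tenant, app, }` visible in the regenerated Rd help page for `key_vault` further down this commit; the line should read `#' @param tenant,app Authentication arguments that will be passed to [`AzureAuth::get_azure_token`]. The default is to authenticate interactively.` The `as_managed_identity` documentation should also state that when it is `TRUE`, `tenant` and `app` are not used, because the managed-identity branch calls `AzureAuth::get_managed_token` with only the resource URL and `...`; as written, a caller who passes a service-principal `app` together with `as_managed_identity=TRUE` gets no indication that the supplied credential was ignored. The bare `if(as_managed_identity)` presumably fails with an unhelpful error for `NA` or a non-logical value; a `stopifnot(is.logical(as_managed_identity), length(as_managed_identity) == 1L, !is.na(as_managed_identity))` at the top of the body would report that clearly.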
@ -4,12 +4,8 @@
|
||||||
\name{AzureKeyVault}
|
\name{AzureKeyVault}
|
||||||
\alias{AzureKeyVault}
|
\alias{AzureKeyVault}
|
||||||
\title{Azure Key Vault endpoint class}
|
\title{Azure Key Vault endpoint class}
|
||||||
\format{An object of class \code{R6ClassGenerator} of length 25.}
|
|
||||||
\usage{
|
|
||||||
AzureKeyVault
|
|
||||||
}
|
|
||||||
\description{
|
\description{
|
||||||
Class representing the client endpoint for a key vault, exposing methods for working with it. Use the \code{[key_vault]} function to instantiate new objects of this class.
|
Class representing the client endpoint for a key vault, exposing methods for working with it. Use the \verb{[key_vault]} function to instantiate new objects of this class.
|
||||||
}
|
}
|
||||||
\section{Fields}{
|
\section{Fields}{
|
||||||
|
|
||||||
|
@ -43,4 +39,3 @@ key_vault("mykeyvault", token=token)
|
||||||
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
||||||
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
|
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
|
||||||
}
|
}
|
||||||
\keyword{datasets}
|
|
||||||
|
|
|
@ -4,10 +4,6 @@
|
||||||
\name{az_key_vault}
|
\name{az_key_vault}
|
||||||
\alias{az_key_vault}
|
\alias{az_key_vault}
|
||||||
\title{Key vault resource class}
|
\title{Key vault resource class}
|
||||||
\format{An object of class \code{R6ClassGenerator} of length 25.}
|
|
||||||
\usage{
|
|
||||||
az_key_vault
|
|
||||||
}
|
|
||||||
\description{
|
\description{
|
||||||
Class representing a key vault, exposing methods for working with it.
|
Class representing a key vault, exposing methods for working with it.
|
||||||
}
|
}
|
||||||
|
@ -56,7 +52,7 @@ To revoke access, use the \code{remove_principal} method. To view the current ac
|
||||||
|
|
||||||
\section{Endpoint}{
|
\section{Endpoint}{
|
||||||
|
|
||||||
The client-side interaction with a key vault is via its \emph{endpoint}, which is usually at the URL \code{https://[vaultname].vault.azure.net}. The \code{get_endpoint} method returns an R6 object of class \code{key_vault}, which represents the endpoint. Authenticating with the endpoint is done via an OAuth token; the necessary credentials are taken from the current Resource Manager client in use, or you can supply your own.\preformatted{get_endpoint(tenant = self$token$tenant,
|
The client-side interaction with a key vault is via its \emph{endpoint}, which is usually at the URL \verb{https://[vaultname].vault.azure.net}. The \code{get_endpoint} method returns an R6 object of class \code{key_vault}, which represents the endpoint. Authenticating with the endpoint is done via an OAuth token; the necessary credentials are taken from the current Resource Manager client in use, or you can supply your own.\preformatted{get_endpoint(tenant = self$token$tenant,
|
||||||
app = self$token$client$client_id,
|
app = self$token$client$client_id,
|
||||||
password = self$token$client$client_secret, ...)
|
password = self$token$client$client_secret, ...)
|
||||||
}
|
}
|
||||||
|
@ -105,9 +101,8 @@ vault <- kv$get_endpoint()
|
||||||
\seealso{
|
\seealso{
|
||||||
\link{vault_access_policy}, \link{key_vault}
|
\link{vault_access_policy}, \link{key_vault}
|
||||||
\link{create_key_vault}, \link{get_key_vault}, \link{delete_key_vault},
|
\link{create_key_vault}, \link{get_key_vault}, \link{delete_key_vault},
|
||||||
\link[AzureGraph:get_graph_login]{AzureGraph::get_graph_login}, \link[AzureGraph:az_user]{AzureGraph::az_user}, \link[AzureGraph:az_app]{AzureGraph::az_app}, \link[AzureGraph:az_service_principal]{AzureGraph::az_service_principal}
|
\link[AzureGraph:graph_login]{AzureGraph::get_graph_login}, \link[AzureGraph:az_user]{AzureGraph::az_user}, \link[AzureGraph:az_app]{AzureGraph::az_app}, \link[AzureGraph:az_service_principal]{AzureGraph::az_service_principal}
|
||||||
|
|
||||||
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
||||||
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
|
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
|
||||||
}
|
}
|
||||||
\keyword{datasets}
|
|
||||||
|
|
|
@ -47,7 +47,7 @@ delete(confirm=TRUE)
|
||||||
\item \code{file}: For \code{export} and \code{export_cer}, a connection object or a character string naming a file to export to.
|
\item \code{file}: For \code{export} and \code{export_cer}, a connection object or a character string naming a file to export to.
|
||||||
\item \code{digest}: For \code{sign}, a hash digest string to sign. For \code{verify}, a digest to compare to a signature.
|
\item \code{digest}: For \code{sign}, a hash digest string to sign. For \code{verify}, a digest to compare to a signature.
|
||||||
\item \code{signature}: For \code{verify}, a signature string.
|
\item \code{signature}: For \code{verify}, a signature string.
|
||||||
\item \code{subject,x509,issuer,key,secret_type,actions,wait}: These are the same arguments as used when creating a new certificate. See \link{certificates} for more information.
|
\item \verb{subject,x509,issuer,key,secret_type,actions,wait}: These are the same arguments as used when creating a new certificate. See \link{certificates} for more information.
|
||||||
\item \code{attributes}: For \code{update_attributes}, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the \link{vault_object_attrs} helper function.
|
\item \code{attributes}: For \code{update_attributes}, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the \link{vault_object_attrs} helper function.
|
||||||
\item \code{...}: For \code{update_attributes}, additional key-specific properties to update. For \code{sign} and \code{verify}, additional arguments for the corresponding key object methods. See \link{keys} and \link{key}.
|
\item \code{...}: For \code{update_attributes}, additional key-specific properties to update. For \code{sign} and \code{verify}, additional arguments for the corresponding key object methods. See \link{keys} and \link{key}.
|
||||||
\item \code{version}: For \code{set_version}, the version ID or NULL for the current version.
|
\item \code{version}: For \code{set_version}, the version ID or NULL for the current version.
|
||||||
|
|
|
@ -17,7 +17,7 @@ Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} cl
|
||||||
\itemize{
|
\itemize{
|
||||||
\item \code{name}: The name of the key vault.
|
\item \code{name}: The name of the key vault.
|
||||||
\item \code{location}: The location/region in which to create the account. Defaults to the resource group location.
|
\item \code{location}: The location/region in which to create the account. Defaults to the resource group location.
|
||||||
\item \code{initial_access}: The user or service principals that will have access to the vault. This should be a list of objects of type \code{[vault_access_policy]}, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.
|
\item \code{initial_access}: The user or service principals that will have access to the vault. This should be a list of objects of type \verb{[vault_access_policy]}, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.
|
||||||
\item \code{sku}: The sku for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs).
|
\item \code{sku}: The sku for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs).
|
||||||
\item \code{allow_vm_access}: Whether to allow Azure virtual machines to retrieve certificates from the vault.
|
\item \code{allow_vm_access}: Whether to allow Azure virtual machines to retrieve certificates from the vault.
|
||||||
\item \code{allow_arm_access}: Whether to allow Azure Resource Manager to retrieve secrets from the vault for template deployment purposes.
|
\item \code{allow_arm_access}: Whether to allow Azure Resource Manager to retrieve secrets from the vault for template deployment purposes.
|
||||||
|
|
|
@ -8,23 +8,34 @@
|
||||||
\alias{vault_object_attrs}
|
\alias{vault_object_attrs}
|
||||||
\title{Helper functions for key vault objects}
|
\title{Helper functions for key vault objects}
|
||||||
\usage{
|
\usage{
|
||||||
cert_key_properties(type = c("RSA", "EC"), hardware = FALSE,
|
cert_key_properties(
|
||||||
ec_curve = NULL, rsa_key_size = NULL, key_exportable = TRUE,
|
type = c("RSA", "EC"),
|
||||||
reuse_key = FALSE)
|
hardware = FALSE,
|
||||||
|
ec_curve = NULL,
|
||||||
|
rsa_key_size = NULL,
|
||||||
|
key_exportable = TRUE,
|
||||||
|
reuse_key = FALSE
|
||||||
|
)
|
||||||
|
|
||||||
cert_x509_properties(dns_names = character(), emails = character(),
|
cert_x509_properties(
|
||||||
upns = character(), key_usages = c("digitalSignature",
|
dns_names = character(),
|
||||||
"keyEncipherment"), enhanced_key_usages = c("1.3.6.1.5.5.7.3.1",
|
emails = character(),
|
||||||
"1.3.6.1.5.5.7.3.2"), validity_months = NULL)
|
upns = character(),
|
||||||
|
key_usages = c("digitalSignature", "keyEncipherment"),
|
||||||
|
enhanced_key_usages = c("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"),
|
||||||
|
validity_months = NULL
|
||||||
|
)
|
||||||
|
|
||||||
cert_issuer_properties(issuer = "self", cert_type = NULL,
|
cert_issuer_properties(issuer = "self", cert_type = NULL, transparent = NULL)
|
||||||
transparent = NULL)
|
|
||||||
|
|
||||||
cert_expiry_action(remaining = 0.1, action = c("AutoRenew",
|
cert_expiry_action(remaining = 0.1, action = c("AutoRenew", "EmailContacts"))
|
||||||
"EmailContacts"))
|
|
||||||
|
|
||||||
vault_object_attrs(enabled = TRUE, expiry_date = NULL,
|
vault_object_attrs(
|
||||||
activation_date = NULL, recovery_level = NULL)
|
enabled = TRUE,
|
||||||
|
expiry_date = NULL,
|
||||||
|
activation_date = NULL,
|
||||||
|
recovery_level = NULL
|
||||||
|
)
|
||||||
}
|
}
|
||||||
\arguments{
|
\arguments{
|
||||||
\item{type}{For \code{cert_key_properties}, the type of key to create: RSA or elliptic curve (EC). Note that for keys backing a certificate, only RSA is allowed.}
|
\item{type}{For \code{cert_key_properties}, the type of key to create: RSA or elliptic curve (EC). Note that for keys backing a certificate, only RSA is allowed.}
|
||||||
|
|
|
@ -4,17 +4,28 @@
|
||||||
\alias{key_vault}
|
\alias{key_vault}
|
||||||
\title{Azure Key Vault client}
|
\title{Azure Key Vault client}
|
||||||
\usage{
|
\usage{
|
||||||
key_vault(url, tenant = "common", app = .az_cli_app_id, ...,
|
key_vault(
|
||||||
domain = "vault.azure.net", token = NULL)
|
url,
|
||||||
|
tenant = "common",
|
||||||
|
app = .az_cli_app_id,
|
||||||
|
...,
|
||||||
|
domain = "vault.azure.net",
|
||||||
|
as_managed_identity = FALSE,
|
||||||
|
token = NULL
|
||||||
|
)
|
||||||
}
|
}
|
||||||
\arguments{
|
\arguments{
|
||||||
\item{url}{The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the \code{domain} argument is appended to obtain the URL.}
|
\item{url}{The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the \code{domain} argument is appended to obtain the URL.}
|
||||||
|
|
||||||
\item{tenant, app, ...}{Authentication arguments that will be passed to \link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}. The default is to authenticate interactively.}
|
\item{tenant, app, }{Authentication arguments that will be passed to \code{\link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}}. The default is to authenticate interactively.}
|
||||||
|
|
||||||
|
\item{...}{Further arguments that will be passed to either \code{get_azure_token} or \code{\link[AzureAuth:get_azure_token]{AzureAuth::get_managed_token}}, depending on whether \code{as_managed_identity} is TRUE.}
|
||||||
|
|
||||||
\item{domain}{The domain of the vault; for the public Azure cloud, this is \code{vault.azure.net}. Also the resource for OAuth authentication.}
|
\item{domain}{The domain of the vault; for the public Azure cloud, this is \code{vault.azure.net}. Also the resource for OAuth authentication.}
|
||||||
|
|
||||||
\item{token}{An OAuth token obtained via \link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}. If provided, this overrides the other authentication arguments.}
|
\item{as_managed_identity}{Whether to authenticate as a managed identity. Use this if your R session is taking place inside an Azure VM or container that has a system- or user-assigned managed identity assigned to it.}
|
||||||
|
|
||||||
|
\item{token}{An OAuth token obtained via \code{get_azure_token} or \code{get_managed_token}. If provided, this overrides the other authentication arguments.}
|
||||||
}
|
}
|
||||||
\description{
|
\description{
|
||||||
Azure Key Vault client
|
Azure Key Vault client
|
||||||
|
@ -42,10 +53,18 @@ token <- AzureAuth::get_azure_token("https://vault.azure.net", "myaadtenant",
|
||||||
app="app_id", password="password")
|
app="app_id", password="password")
|
||||||
key_vault("mykeyvault", token=token)
|
key_vault("mykeyvault", token=token)
|
||||||
|
|
||||||
|
# authenticating with a system-assigned managed identity
|
||||||
|
key_vault("mykeyvault", as_managed_identity=TRUE)
|
||||||
|
|
||||||
|
# authenticating with a user-assigned managed identity:
|
||||||
|
# - supply one of the identity's object ID, client ID or resource ID
|
||||||
|
key_vault("mykeyvault", as_managed_identity=TRUE,
|
||||||
|
token_args=list(mi_res_id="/subscriptions/xxxx/resourceGroups/resgrpname/..."))
|
||||||
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
\seealso{
|
\seealso{
|
||||||
\link{keys}, \link{secrets}, \link{certificates}, \link{storage}
|
\code{\link{keys}}, \code{\link{secrets}}, \code{\link{certificates}}, \code{\link{storage}}
|
||||||
|
|
||||||
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
|
||||||
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
|
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
|
||||||
|
|
|
@ -4,9 +4,14 @@
|
||||||
\alias{vault_access_policy}
|
\alias{vault_access_policy}
|
||||||
\title{Specify a key vault access policy}
|
\title{Specify a key vault access policy}
|
||||||
\usage{
|
\usage{
|
||||||
vault_access_policy(principal, tenant = NULL, key_permissions = "all",
|
vault_access_policy(
|
||||||
secret_permissions = "all", certificate_permissions = "all",
|
principal,
|
||||||
storage_permissions = "all")
|
tenant = NULL,
|
||||||
|
key_permissions = "all",
|
||||||
|
secret_permissions = "all",
|
||||||
|
certificate_permissions = "all",
|
||||||
|
storage_permissions = "all"
|
||||||
|
)
|
||||||
}
|
}
|
||||||
\arguments{
|
\arguments{
|
||||||
\item{principal}{The user or service principal for this access policy. Can be a GUID, or a user, app or service principal object from the AzureGraph package.}
|
\item{principal}{The user or service principal for this access policy. Can be a GUID, or a user, app or service principal object from the AzureGraph package.}
|
||||||
|
|