Add `as_managed_identity` argument to `key_vault`, to allow authenticating with a managed identity from inside an Azure VM or container.
This commit is contained in:
Hong Ooi 2021-09-11 02:14:49 +10:00 коммит произвёл GitHub
Родитель 42ce0d0eef
Коммит c97b9bee97
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: 4AEE18F83AFDEB23
10 изменённых файлов: 87 добавлений и 43 удалений

Просмотреть файл

@ -27,5 +27,5 @@ Suggests:
knitr, knitr,
rmarkdown, rmarkdown,
testthat testthat
Roxygen: list(markdown=TRUE) Roxygen: list(markdown=TRUE, r6=FALSE)
RoxygenNote: 6.1.1 RoxygenNote: 7.1.1

Просмотреть файл

@ -1,3 +1,7 @@
# AzureKeyVault 1.0.4.9000
- Add `as_managed_identity` argument to `key_vault`, to allow authenticating with a managed identity from inside an Azure VM or container.
# AzureKeyVault 1.0.4 # AzureKeyVault 1.0.4
- Change maintainer email address. - Change maintainer email address.

Просмотреть файл

@ -78,9 +78,11 @@ AzureKeyVault <- R6::R6Class("AzureKeyVault", public=list(
#' Azure Key Vault client #' Azure Key Vault client
#' #'
#' @param url The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the `domain` argument is appended to obtain the URL. #' @param url The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the `domain` argument is appended to obtain the URL.
#' @param tenant,app,... Authentication arguments that will be passed to [AzureAuth::get_azure_token]. The default is to authenticate interactively. #' @param tenant,app, Authentication arguments that will be passed to [`AzureAuth::get_azure_token`]. The default is to authenticate interactively.
#' @param domain The domain of the vault; for the public Azure cloud, this is `vault.azure.net`. Also the resource for OAuth authentication. #' @param domain The domain of the vault; for the public Azure cloud, this is `vault.azure.net`. Also the resource for OAuth authentication.
#' @param token An OAuth token obtained via [AzureAuth::get_azure_token]. If provided, this overrides the other authentication arguments. #' @param as_managed_identity Whether to authenticate as a managed identity. Use this if your R session is taking place inside an Azure VM or container that has a system- or user-assigned managed identity assigned to it.
#' @param ... Further arguments that will be passed to either `get_azure_token` or [`AzureAuth::get_managed_token`], depending on whether `as_managed_identity` is TRUE.
#' @param token An OAuth token obtained via `get_azure_token` or `get_managed_token`. If provided, this overrides the other authentication arguments.
#' #'
#' @details #' @details
#' This function creates a new Key Vault client object. It includes the following component objects for working with data in the vault: #' This function creates a new Key Vault client object. It includes the following component objects for working with data in the vault:
@ -91,7 +93,7 @@ AzureKeyVault <- R6::R6Class("AzureKeyVault", public=list(
#' - `storage`: A sub-object for working with storage accounts managed by the vault. See [storage]. #' - `storage`: A sub-object for working with storage accounts managed by the vault. See [storage].
#' #'
#' @seealso #' @seealso
#' [keys], [secrets], [certificates], [storage] #' [`keys`], [`secrets`], [`certificates`], [`storage`]
#' #'
#' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/), #' [Azure Key Vault documentation](https://docs.microsoft.com/en-us/azure/key-vault/),
#' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault) #' [Azure Key Vault API reference](https://docs.microsoft.com/en-us/rest/api/keyvault)
@ -110,16 +112,29 @@ AzureKeyVault <- R6::R6Class("AzureKeyVault", public=list(
#' app="app_id", password="password") #' app="app_id", password="password")
#' key_vault("mykeyvault", token=token) #' key_vault("mykeyvault", token=token)
#' #'
#' # authenticating with a system-assigned managed identity
#' key_vault("mykeyvault", as_managed_identity=TRUE)
#'
#' # authenticating with a user-assigned managed identity:
#' # - supply one of the identity's object ID, client ID or resource ID
#' key_vault("mykeyvault", as_managed_identity=TRUE,
#' token_args=list(mi_res_id="/subscriptions/xxxx/resourceGroups/resgrpname/..."))
#'
#' } #' }
#' @export #' @export
key_vault <- function(url, tenant="common", app=.az_cli_app_id, ..., domain="vault.azure.net", token=NULL) key_vault <- function(url, tenant="common", app=.az_cli_app_id, ..., domain="vault.azure.net",
as_managed_identity=FALSE, token=NULL)
{ {
if(!is_url(url)) if(!is_url(url))
url <- sprintf("https://%s.%s", url, domain) url <- sprintf("https://%s.%s", url, domain)
# "https://vault.azure.net/" (with trailing slash) will fail # "https://vault.azure.net/" (with trailing slash) will fail
if(is.null(token)) if(is.null(token))
token <- get_azure_token(sprintf("https://%s", domain), tenant=tenant, app=app, ...) {
token <- if(as_managed_identity)
AzureAuth::get_managed_token(sprintf("https://%s", domain), ...)
else AzureAuth::get_azure_token(sprintf("https://%s", domain), tenant=tenant, app=app, ...)
}
AzureKeyVault$new(token, httr::parse_url(url)) AzureKeyVault$new(token, httr::parse_url(url))
} }

Просмотреть файл

@ -4,12 +4,8 @@
\name{AzureKeyVault} \name{AzureKeyVault}
\alias{AzureKeyVault} \alias{AzureKeyVault}
\title{Azure Key Vault endpoint class} \title{Azure Key Vault endpoint class}
\format{An object of class \code{R6ClassGenerator} of length 25.}
\usage{
AzureKeyVault
}
\description{ \description{
Class representing the client endpoint for a key vault, exposing methods for working with it. Use the \code{[key_vault]} function to instantiate new objects of this class. Class representing the client endpoint for a key vault, exposing methods for working with it. Use the \verb{[key_vault]} function to instantiate new objects of this class.
} }
\section{Fields}{ \section{Fields}{
@ -43,4 +39,3 @@ key_vault("mykeyvault", token=token)
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation}, \href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference} \href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
} }
\keyword{datasets}

Просмотреть файл

@ -4,10 +4,6 @@
\name{az_key_vault} \name{az_key_vault}
\alias{az_key_vault} \alias{az_key_vault}
\title{Key vault resource class} \title{Key vault resource class}
\format{An object of class \code{R6ClassGenerator} of length 25.}
\usage{
az_key_vault
}
\description{ \description{
Class representing a key vault, exposing methods for working with it. Class representing a key vault, exposing methods for working with it.
} }
@ -56,7 +52,7 @@ To revoke access, use the \code{remove_principal} method. To view the current ac
\section{Endpoint}{ \section{Endpoint}{
The client-side interaction with a key vault is via its \emph{endpoint}, which is usually at the URL \code{https://[vaultname].vault.azure.net}. The \code{get_endpoint} method returns an R6 object of class \code{key_vault}, which represents the endpoint. Authenticating with the endpoint is done via an OAuth token; the necessary credentials are taken from the current Resource Manager client in use, or you can supply your own.\preformatted{get_endpoint(tenant = self$token$tenant, The client-side interaction with a key vault is via its \emph{endpoint}, which is usually at the URL \verb{https://[vaultname].vault.azure.net}. The \code{get_endpoint} method returns an R6 object of class \code{key_vault}, which represents the endpoint. Authenticating with the endpoint is done via an OAuth token; the necessary credentials are taken from the current Resource Manager client in use, or you can supply your own.\preformatted{get_endpoint(tenant = self$token$tenant,
app = self$token$client$client_id, app = self$token$client$client_id,
password = self$token$client$client_secret, ...) password = self$token$client$client_secret, ...)
} }
@ -105,9 +101,8 @@ vault <- kv$get_endpoint()
\seealso{ \seealso{
\link{vault_access_policy}, \link{key_vault} \link{vault_access_policy}, \link{key_vault}
\link{create_key_vault}, \link{get_key_vault}, \link{delete_key_vault}, \link{create_key_vault}, \link{get_key_vault}, \link{delete_key_vault},
\link[AzureGraph:get_graph_login]{AzureGraph::get_graph_login}, \link[AzureGraph:az_user]{AzureGraph::az_user}, \link[AzureGraph:az_app]{AzureGraph::az_app}, \link[AzureGraph:az_service_principal]{AzureGraph::az_service_principal} \link[AzureGraph:graph_login]{AzureGraph::get_graph_login}, \link[AzureGraph:az_user]{AzureGraph::az_user}, \link[AzureGraph:az_app]{AzureGraph::az_app}, \link[AzureGraph:az_service_principal]{AzureGraph::az_service_principal}
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation}, \href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference} \href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}
} }
\keyword{datasets}

Просмотреть файл

@ -47,7 +47,7 @@ delete(confirm=TRUE)
\item \code{file}: For \code{export} and \code{export_cer}, a connection object or a character string naming a file to export to. \item \code{file}: For \code{export} and \code{export_cer}, a connection object or a character string naming a file to export to.
\item \code{digest}: For \code{sign}, a hash digest string to sign. For \code{verify}, a digest to compare to a signature. \item \code{digest}: For \code{sign}, a hash digest string to sign. For \code{verify}, a digest to compare to a signature.
\item \code{signature}: For \code{verify}, a signature string. \item \code{signature}: For \code{verify}, a signature string.
\item \code{subject,x509,issuer,key,secret_type,actions,wait}: These are the same arguments as used when creating a new certificate. See \link{certificates} for more information. \item \verb{subject,x509,issuer,key,secret_type,actions,wait}: These are the same arguments as used when creating a new certificate. See \link{certificates} for more information.
\item \code{attributes}: For \code{update_attributes}, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the \link{vault_object_attrs} helper function. \item \code{attributes}: For \code{update_attributes}, the new attributes for the object, such as the expiry date and activation date. A convenient way to provide this is via the \link{vault_object_attrs} helper function.
\item \code{...}: For \code{update_attributes}, additional key-specific properties to update. For \code{sign} and \code{verify}, additional arguments for the corresponding key object methods. See \link{keys} and \link{key}. \item \code{...}: For \code{update_attributes}, additional key-specific properties to update. For \code{sign} and \code{verify}, additional arguments for the corresponding key object methods. See \link{keys} and \link{key}.
\item \code{version}: For \code{set_version}, the version ID or NULL for the current version. \item \code{version}: For \code{set_version}, the version ID or NULL for the current version.

Просмотреть файл

@ -17,7 +17,7 @@ Method for the \link[AzureRMR:az_resource_group]{AzureRMR::az_resource_group} cl
\itemize{ \itemize{
\item \code{name}: The name of the key vault. \item \code{name}: The name of the key vault.
\item \code{location}: The location/region in which to create the account. Defaults to the resource group location. \item \code{location}: The location/region in which to create the account. Defaults to the resource group location.
\item \code{initial_access}: The user or service principals that will have access to the vault. This should be a list of objects of type \code{[vault_access_policy]}, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client. \item \code{initial_access}: The user or service principals that will have access to the vault. This should be a list of objects of type \verb{[vault_access_policy]}, created by the function of the same name. The default is to grant access to the logged-in user or service principal of the current Resource Manager client.
\item \code{sku}: The sku for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs). \item \code{sku}: The sku for the vault. Set this to "Premium" to enable the use of hardware security modules (HSMs).
\item \code{allow_vm_access}: Whether to allow Azure virtual machines to retrieve certificates from the vault. \item \code{allow_vm_access}: Whether to allow Azure virtual machines to retrieve certificates from the vault.
\item \code{allow_arm_access}: Whether to allow Azure Resource Manager to retrieve secrets from the vault for template deployment purposes. \item \code{allow_arm_access}: Whether to allow Azure Resource Manager to retrieve secrets from the vault for template deployment purposes.

Просмотреть файл

@ -8,23 +8,34 @@
\alias{vault_object_attrs} \alias{vault_object_attrs}
\title{Helper functions for key vault objects} \title{Helper functions for key vault objects}
\usage{ \usage{
cert_key_properties(type = c("RSA", "EC"), hardware = FALSE, cert_key_properties(
ec_curve = NULL, rsa_key_size = NULL, key_exportable = TRUE, type = c("RSA", "EC"),
reuse_key = FALSE) hardware = FALSE,
ec_curve = NULL,
rsa_key_size = NULL,
key_exportable = TRUE,
reuse_key = FALSE
)
cert_x509_properties(dns_names = character(), emails = character(), cert_x509_properties(
upns = character(), key_usages = c("digitalSignature", dns_names = character(),
"keyEncipherment"), enhanced_key_usages = c("1.3.6.1.5.5.7.3.1", emails = character(),
"1.3.6.1.5.5.7.3.2"), validity_months = NULL) upns = character(),
key_usages = c("digitalSignature", "keyEncipherment"),
enhanced_key_usages = c("1.3.6.1.5.5.7.3.1", "1.3.6.1.5.5.7.3.2"),
validity_months = NULL
)
cert_issuer_properties(issuer = "self", cert_type = NULL, cert_issuer_properties(issuer = "self", cert_type = NULL, transparent = NULL)
transparent = NULL)
cert_expiry_action(remaining = 0.1, action = c("AutoRenew", cert_expiry_action(remaining = 0.1, action = c("AutoRenew", "EmailContacts"))
"EmailContacts"))
vault_object_attrs(enabled = TRUE, expiry_date = NULL, vault_object_attrs(
activation_date = NULL, recovery_level = NULL) enabled = TRUE,
expiry_date = NULL,
activation_date = NULL,
recovery_level = NULL
)
} }
\arguments{ \arguments{
\item{type}{For \code{cert_key_properties}, the type of key to create: RSA or elliptic curve (EC). Note that for keys backing a certificate, only RSA is allowed.} \item{type}{For \code{cert_key_properties}, the type of key to create: RSA or elliptic curve (EC). Note that for keys backing a certificate, only RSA is allowed.}

Просмотреть файл

@ -4,17 +4,28 @@
\alias{key_vault} \alias{key_vault}
\title{Azure Key Vault client} \title{Azure Key Vault client}
\usage{ \usage{
key_vault(url, tenant = "common", app = .az_cli_app_id, ..., key_vault(
domain = "vault.azure.net", token = NULL) url,
tenant = "common",
app = .az_cli_app_id,
...,
domain = "vault.azure.net",
as_managed_identity = FALSE,
token = NULL
)
} }
\arguments{ \arguments{
\item{url}{The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the \code{domain} argument is appended to obtain the URL.} \item{url}{The location of the vault. This can be a full URL, or the vault name alone; in the latter case, the \code{domain} argument is appended to obtain the URL.}
\item{tenant, app, ...}{Authentication arguments that will be passed to \link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}. The default is to authenticate interactively.} \item{tenant, app, }{Authentication arguments that will be passed to \code{\link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}}. The default is to authenticate interactively.}
\item{...}{Further arguments that will be passed to either \code{get_azure_token} or \code{\link[AzureAuth:get_azure_token]{AzureAuth::get_managed_token}}, depending on whether \code{as_managed_identity} is TRUE.}
\item{domain}{The domain of the vault; for the public Azure cloud, this is \code{vault.azure.net}. Also the resource for OAuth authentication.} \item{domain}{The domain of the vault; for the public Azure cloud, this is \code{vault.azure.net}. Also the resource for OAuth authentication.}
\item{token}{An OAuth token obtained via \link[AzureAuth:get_azure_token]{AzureAuth::get_azure_token}. If provided, this overrides the other authentication arguments.} \item{as_managed_identity}{Whether to authenticate as a managed identity. Use this if your R session is taking place inside an Azure VM or container that has a system- or user-assigned managed identity assigned to it.}
\item{token}{An OAuth token obtained via \code{get_azure_token} or \code{get_managed_token}. If provided, this overrides the other authentication arguments.}
} }
\description{ \description{
Azure Key Vault client Azure Key Vault client
@ -42,10 +53,18 @@ token <- AzureAuth::get_azure_token("https://vault.azure.net", "myaadtenant",
app="app_id", password="password") app="app_id", password="password")
key_vault("mykeyvault", token=token) key_vault("mykeyvault", token=token)
# authenticating with a system-assigned managed identity
key_vault("mykeyvault", as_managed_identity=TRUE)
# authenticating with a user-assigned managed identity:
# - supply one of the identity's object ID, client ID or resource ID
key_vault("mykeyvault", as_managed_identity=TRUE,
token_args=list(mi_res_id="/subscriptions/xxxx/resourceGroups/resgrpname/..."))
} }
} }
\seealso{ \seealso{
\link{keys}, \link{secrets}, \link{certificates}, \link{storage} \code{\link{keys}}, \code{\link{secrets}}, \code{\link{certificates}}, \code{\link{storage}}
\href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation}, \href{https://docs.microsoft.com/en-us/azure/key-vault/}{Azure Key Vault documentation},
\href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference} \href{https://docs.microsoft.com/en-us/rest/api/keyvault}{Azure Key Vault API reference}

Просмотреть файл

@ -4,9 +4,14 @@
\alias{vault_access_policy} \alias{vault_access_policy}
\title{Specify a key vault access policy} \title{Specify a key vault access policy}
\usage{ \usage{
vault_access_policy(principal, tenant = NULL, key_permissions = "all", vault_access_policy(
secret_permissions = "all", certificate_permissions = "all", principal,
storage_permissions = "all") tenant = NULL,
key_permissions = "all",
secret_permissions = "all",
certificate_permissions = "all",
storage_permissions = "all"
)
} }
\arguments{ \arguments{
\item{principal}{The user or service principal for this access policy. Can be a GUID, or a user, app or service principal object from the AzureGraph package.} \item{principal}{The user or service principal for this access policy. Can be a GUID, or a user, app or service principal object from the AzureGraph package.}