Implementing support to specify the managed identity or system assigned managed identity

2022-12-08 11:41:18 -07:00 · 2022-12-08 11:41:18 -07:00 · 106f6b6e43
--- a/README.md
+++ b/README.md
@ -1,7 +1,6 @@
 # keyvaultcertdownloader

-Source code for a tool that performs downloads managed certificates from KeyVault in PEM file format, these certificates can
-be self-signed or issued by an Azure KeyVault integrated CA (e.g. Digicert).
+Source code for a tool that performs downloads managed certificates from KeyVault in PEM file format, these certificates can be self-signed or issued by an Azure KeyVault integrated CA (e.g. Digicert).

 > Note: This tool is provided as sample code purposes only, no support of any kind will be provided, for more details, please see [LICENSE](./LICENSE).

@ -37,7 +36,11 @@ Finally, if the certificate from is new, it then extracts the certificate and pr

 * **certulr** - This is the KeyVault URL followed by the certificate name. E.g. https://pmc-anf-release-kv.vault.azure.net/vm-cert
 * **outputfolder** - Folder where the PEM file with the Certificate and its Private Key will be saved, it must exist beforehand, the tool will not create it and will also not manage permissions on the files
-
+* **environment** - Valid azure cloud environments: [AZUREPUBLICCLOUD AZUREUSGOVERNMENTCLOUD AZUREGERMANCLOUD AZURECHINACLOUD] (default "AZUREPUBLICCLOUD")
+* **version** - shows current tool version
+* **managed-identity-id** - Uses user managed identities (accepts resource id or client id)
+* **use-system-managed-identity** - Uses system managed identity
+  
 ## Exit Error Codes
 | Error                      | Exit Code |
 |----------------------------|-----------|
@ -50,6 +53,10 @@ Finally, if the certificate from is new, it then extracts the certificate and pr
 | ERR_CREATE_PEM_FILE        | 8         |
 | ERR_X509_THUMBPRINT        | 9         |
 | ERR_OUTPUTFOLDER_NOT_FOUND | 10        |
+| ERR_INVALID_AZURE_ENVIRONMENT | 11 |
+| ERR_CREDENTIALS | 12 |
+| ERR_INVALID_CREDENTIAL_ARGS | 13 |
+

 # Related Information
 * [Managed Identities For Azure Resources](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview)
--- a/keyvaultcertdownloader/keyvaultcertdownloader.go
+++ b/keyvaultcertdownloader/keyvaultcertdownloader.go
@ -40,18 +40,21 @@ const (
 	ERR_OUTPUTFOLDER_NOT_FOUND    = 10
 	ERR_INVALID_AZURE_ENVIRONMENT = 11
 	ERR_CREDENTIALS               = 12
+	ERR_INVALID_CREDENTIAL_ARGS   = 13
 )

 var (
-	validEnvironments = []string{"AZUREPUBLICCLOUD", "AZUREUSGOVERNMENTCLOUD", "AZUREGERMANCLOUD", "AZURECHINACLOUD"}
-	certURL           = flag.String("certurl", "", "certificate URL, e.g. \"https://mykeyvault.vault.azure.net/mycertificate\"")
-	outputFolder      = flag.String("outputfolder", "", "folder where PEM file with certificate and private key will be saved")
-	environment       = flag.String("environment", "AZUREPUBLICCLOUD", fmt.Sprintf("valid azure cloud environments: %v", validEnvironments))
-	cmdlineversion    = flag.Bool("version", false, "shows current tool version")
-	exitCode          = 0
-	version           = "1.0.0"
-	stdout            = log.New(os.Stdout, "", log.LstdFlags)
-	stderr            = log.New(os.Stderr, "", log.LstdFlags)
+	validEnvironments        = []string{"AZUREPUBLICCLOUD", "AZUREUSGOVERNMENTCLOUD", "AZUREGERMANCLOUD", "AZURECHINACLOUD"}
+	certURL                  = flag.String("certurl", "", "certificate URL, e.g. \"https://mykeyvault.vault.azure.net/mycertificate\"")
+	outputFolder             = flag.String("outputfolder", "", "folder where PEM file with certificate and private key will be saved")
+	environment              = flag.String("environment", "AZUREPUBLICCLOUD", fmt.Sprintf("valid azure cloud environments: %v", validEnvironments))
+	cmdlineversion           = flag.Bool("version", false, "shows current tool version")
+	managedIdentityId        = flag.String("managed-identity-id", "", "uses user managed identities (accepts resource id or client id)")
+	useSystemManagedIdentity = flag.Bool("use-system-managed-identity", false, "uses system managed identity")
+	exitCode                 = 0
+	version                  = "1.1.0"
+	stdout                   = log.New(os.Stdout, "", log.LstdFlags)
+	stderr                   = log.New(os.Stderr, "", log.LstdFlags)
 )

 func main() {
@ -90,6 +93,13 @@ func main() {
 		return
 	}

+	// Checks if both user managed identity and system managed identities were set
+	if *managedIdentityId != "" && *useSystemManagedIdentity {
+		utils.ConsoleOutput("<error> invalid authentication options, user and system assigned managed identities arguments cannot be used at the same time", stderr)
+		exitCode = ERR_INVALID_CREDENTIAL_ARGS
+		return
+	}
+
 	// Creates URL object
 	u, err := url.Parse(*certURL)
 	if err != nil {
@ -112,7 +122,31 @@ func main() {
 	if tokenFilePath == "" {
 		// Not running within a container with azwi webhook configured
 		utils.ConsoleOutput("Obtaining credentials", stdout)
-		cred, err = azidentity.NewDefaultAzureCredential(nil)
+
+		if *managedIdentityId == "" && !*useSystemManagedIdentity {
+			cred, err = azidentity.NewDefaultAzureCredential(nil)
+		} else if *useSystemManagedIdentity {
+			cred, err = azidentity.NewManagedIdentityCredential(nil)
+		} else if *managedIdentityId != "" {
+			opts := azidentity.ManagedIdentityCredentialOptions{}
+
+			if strings.Contains(*managedIdentityId, "/") {
+				opts = azidentity.ManagedIdentityCredentialOptions{
+					ID: azidentity.ResourceID(*managedIdentityId),
+				}
+			} else {
+				opts = azidentity.ManagedIdentityCredentialOptions{
+					ID: azidentity.ClientID(*managedIdentityId),
+				}
+			}
+
+			cred, err = azidentity.NewManagedIdentityCredential(&opts)
+		} else {
+			utils.ConsoleOutput(fmt.Sprintf("<error> %v\n", err), stderr)
+			exitCode = ERR_CREDENTIALS
+			return
+		}
+
 		if err != nil {
 			utils.ConsoleOutput(fmt.Sprintf("<error> %v\n", err), stderr)
 			exitCode = ERR_CREDENTIALS
--- a/media/screenshot.png
+++ b/media/screenshot.png