mirror of https://github.com/grafana/loki
Bump github.com/Azure/go-autorest/autorest/azure/auth from 0.5.11 to 0.5.12 (#8309)
Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
pull/8312/head
parent 571f88bc57
commit b347dca897
@ -0,0 +1,152 @@ |
||||
# NOTE: This module will go out of support by March 31, 2023. For authenticating with Azure AD, use module [azidentity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity) instead. For help migrating from `auth` to `azidentiy` please consult the [migration guide](https://aka.ms/azsdk/go/identity/migration). General information about the retirement of this and other legacy modules can be found [here](https://azure.microsoft.com/updates/support-for-azure-sdk-libraries-that-do-not-conform-to-our-current-azure-sdk-guidelines-will-be-retired-as-of-31-march-2023/). |
||||
|
||||
## Authentication |
||||
|
||||
Typical SDK operations must be authenticated and authorized. The `autorest.Authorizer` |
||||
interface allows use of any auth style in requests, such as inserting an OAuth2 |
||||
Authorization header and bearer token received from Azure AD. |
||||
|
||||
The SDK itself provides a simple way to get an authorizer which first checks |
||||
for OAuth client credentials in environment variables and then falls back to |
||||
Azure's [Managed Service Identity]() when available, e.g. when on an Azure |
||||
VM. The following snippet from [the previous section](#use) demonstrates |
||||
this helper. |
||||
|
||||
```go |
||||
import "github.com/Azure/go-autorest/autorest/azure/auth" |
||||
|
||||
// create a VirtualNetworks client |
||||
vnetClient := network.NewVirtualNetworksClient("<subscriptionID>") |
||||
|
||||
// create an authorizer from env vars or Azure Managed Service Idenity |
||||
authorizer, err := auth.NewAuthorizerFromEnvironment() |
||||
if err != nil { |
||||
handle(err) |
||||
} |
||||
|
||||
vnetClient.Authorizer = authorizer |
||||
|
||||
// call the VirtualNetworks CreateOrUpdate API |
||||
vnetClient.CreateOrUpdate(context.Background(), |
||||
// ... |
||||
``` |
||||
|
||||
The following environment variables help determine authentication configuration: |
||||
|
||||
- `AZURE_ENVIRONMENT`: Specifies the Azure Environment to use. If not set, it |
||||
defaults to `AzurePublicCloud`. Not applicable to authentication with Managed |
||||
Service Identity (MSI). |
||||
- `AZURE_AD_RESOURCE`: Specifies the AAD resource ID to use. If not set, it |
||||
defaults to `ResourceManagerEndpoint` for operations with Azure Resource |
||||
Manager. You can also choose an alternate resource programmatically with |
||||
`auth.NewAuthorizerFromEnvironmentWithResource(resource string)`. |
||||
|
||||
### More Authentication Details |
||||
|
||||
The previous is the first and most recommended of several authentication |
||||
options offered by the SDK because it allows seamless use of both service |
||||
principals and [Azure Managed Service Identity][]. Other options are listed |
||||
below. |
||||
|
||||
> Note: If you need to create a new service principal, run `az ad sp create-for-rbac -n "<app_name>"` in the |
||||
> [azure-cli](https://github.com/Azure/azure-cli). See [these |
||||
> docs](https://docs.microsoft.com/cli/azure/create-an-azure-service-principal-azure-cli?view=azure-cli-latest) |
||||
> for more info. Copy the new principal's ID, secret, and tenant ID for use in |
||||
> your app, or consider the `--sdk-auth` parameter for serialized output. |
||||
|
||||
[azure managed service identity]: https://docs.microsoft.com/azure/active-directory/msi-overview |
||||
|
||||
- The `auth.NewAuthorizerFromEnvironment()` described above creates an authorizer |
||||
from the first available of the following configuration: |
||||
|
||||
1. **Client Credentials**: Azure AD Application ID and Secret. |
||||
|
||||
- `AZURE_TENANT_ID`: Specifies the Tenant to which to authenticate. |
||||
- `AZURE_CLIENT_ID`: Specifies the app client ID to use. |
||||
- `AZURE_CLIENT_SECRET`: Specifies the app secret to use. |
||||
|
||||
2. **Client Certificate**: Azure AD Application ID and X.509 Certificate. |
||||
|
||||
- `AZURE_TENANT_ID`: Specifies the Tenant to which to authenticate. |
||||
- `AZURE_CLIENT_ID`: Specifies the app client ID to use. |
||||
- `AZURE_CERTIFICATE_PATH`: Specifies the certificate Path to use. |
||||
- `AZURE_CERTIFICATE_PASSWORD`: Specifies the certificate password to use. |
||||
|
||||
3. **Resource Owner Password**: Azure AD User and Password. This grant type is *not |
||||
recommended*, use device login instead if you need interactive login. |
||||
|
||||
- `AZURE_TENANT_ID`: Specifies the Tenant to which to authenticate. |
||||
- `AZURE_CLIENT_ID`: Specifies the app client ID to use. |
||||
- `AZURE_USERNAME`: Specifies the username to use. |
||||
- `AZURE_PASSWORD`: Specifies the password to use. |
||||
|
||||
4. **Azure Managed Service Identity**: Delegate credential management to the |
||||
platform. Requires that code is running in Azure, e.g. on a VM. All |
||||
configuration is handled by Azure. See [Azure Managed Service |
||||
Identity](https://docs.microsoft.com/azure/active-directory/msi-overview) |
||||
for more details. |
||||
|
||||
- The `auth.NewAuthorizerFromFile()` method creates an authorizer using |
||||
credentials from an auth file created by the [Azure CLI][]. Follow these |
||||
steps to utilize: |
||||
|
||||
1. Create a service principal and output an auth file using `az ad sp create-for-rbac --sdk-auth > client_credentials.json`. |
||||
2. Set environment variable `AZURE_AUTH_LOCATION` to the path of the saved |
||||
output file. |
||||
3. Use the authorizer returned by `auth.NewAuthorizerFromFile()` in your |
||||
client as described above. |
||||
|
||||
- The `auth.NewAuthorizerFromCLI()` method creates an authorizer which |
||||
uses [Azure CLI][] to obtain its credentials. |
||||
|
||||
The default audience being requested is `https://management.azure.com` (Azure ARM API). |
||||
To specify your own audience, export `AZURE_AD_RESOURCE` as an evironment variable. |
||||
This is read by `auth.NewAuthorizerFromCLI()` and passed to Azure CLI to acquire the access token. |
||||
|
||||
For example, to request an access token for Azure Key Vault, export |
||||
``` |
||||
AZURE_AD_RESOURCE="https://vault.azure.net" |
||||
``` |
||||
|
||||
- `auth.NewAuthorizerFromCLIWithResource(AUDIENCE_URL_OR_APPLICATION_ID)` - this method is self contained and does |
||||
not require exporting environment variables. For example, to request an access token for Azure Key Vault: |
||||
``` |
||||
auth.NewAuthorizerFromCLIWithResource("https://vault.azure.net") |
||||
``` |
||||
|
||||
To use `NewAuthorizerFromCLI()` or `NewAuthorizerFromCLIWithResource()`, follow these steps: |
||||
|
||||
1. Install [Azure CLI v2.0.12](https://docs.microsoft.com/cli/azure/install-azure-cli) or later. Upgrade earlier versions. |
||||
2. Use `az login` to sign in to Azure. |
||||
|
||||
If you receive an error, use `az account get-access-token` to verify access. |
||||
|
||||
If Azure CLI is not installed to the default directory, you may receive an error |
||||
reporting that `az` cannot be found. |
||||
Use the `AzureCLIPath` environment variable to define the Azure CLI installation folder. |
||||
|
||||
If you are signed in to Azure CLI using multiple accounts or your account has |
||||
access to multiple subscriptions, you need to specify the specific subscription |
||||
to be used. To do so, use: |
||||
|
||||
``` |
||||
az account set --subscription <subscription-id> |
||||
``` |
||||
|
||||
To verify the current account settings, use: |
||||
|
||||
``` |
||||
az account list |
||||
``` |
||||
|
||||
[azure cli]: https://github.com/Azure/azure-cli |
||||
|
||||
- Finally, you can use OAuth's [Device Flow][] by calling |
||||
`auth.NewDeviceFlowConfig()` and extracting the Authorizer as follows: |
||||
|
||||
```go |
||||
config := auth.NewDeviceFlowConfig(clientID, tenantID) |
||||
a, err := config.Authorizer() |
||||
``` |
||||
|
||||
[device flow]: https://oauth.net/2/device-flow/ |
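Review bot: The first line of this added README says the `auth` module goes out of support by March 31, 2023 and points to `azidentity`, so the bump from 0.5.11 to 0.5.12 keeps a dependency with a stated retirement date; suggest linking a follow-up issue for moving to `azidentity` with the migration guide that note references. The lookup order documented for `auth.NewAuthorizerFromEnvironment()` (client secret, then certificate, then username and password, then Managed Service Identity) also means a stray `AZURE_CLIENT_SECRET` or `AZURE_PASSWORD` in the process environment is used before MSI is tried, so deployments that intend MSI should confirm those variables are unset. The typos (`azidentiy`, `Idenity`, `evironment`) and the empty `[Managed Service Identity]()` link are in the module's own text; fix them in the module's repository rather than in this commit.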
@ -0,0 +1,202 @@ |
||||
|
||||
Apache License |
||||
Version 2.0, January 2004 |
||||
http://www.apache.org/licenses/ |
||||
|
||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION |
||||
|
||||
1. Definitions. |
||||
|
||||
"License" shall mean the terms and conditions for use, reproduction, |
||||
and distribution as defined by Sections 1 through 9 of this document. |
||||
|
||||
"Licensor" shall mean the copyright owner or entity authorized by |
||||
the copyright owner that is granting the License. |
||||
|
||||
"Legal Entity" shall mean the union of the acting entity and all |
||||
other entities that control, are controlled by, or are under common |
||||
control with that entity. For the purposes of this definition, |
||||
"control" means (i) the power, direct or indirect, to cause the |
||||
direction or management of such entity, whether by contract or |
||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the |
||||
outstanding shares, or (iii) beneficial ownership of such entity. |
||||
|
||||
"You" (or "Your") shall mean an individual or Legal Entity |
||||
exercising permissions granted by this License. |
||||
|
||||
"Source" form shall mean the preferred form for making modifications, |
||||
including but not limited to software source code, documentation |
||||
source, and configuration files. |
||||
|
||||
"Object" form shall mean any form resulting from mechanical |
||||
transformation or translation of a Source form, including but |
||||
not limited to compiled object code, generated documentation, |
||||
and conversions to other media types. |
||||
|
||||
"Work" shall mean the work of authorship, whether in Source or |
||||
Object form, made available under the License, as indicated by a |
||||
copyright notice that is included in or attached to the work |
||||
(an example is provided in the Appendix below). |
||||
|
||||
"Derivative Works" shall mean any work, whether in Source or Object |
||||
form, that is based on (or derived from) the Work and for which the |
||||
editorial revisions, annotations, elaborations, or other modifications |
||||
represent, as a whole, an original work of authorship. For the purposes |
||||
of this License, Derivative Works shall not include works that remain |
||||
separable from, or merely link (or bind by name) to the interfaces of, |
||||
the Work and Derivative Works thereof. |
||||
|
||||
"Contribution" shall mean any work of authorship, including |
||||
the original version of the Work and any modifications or additions |
||||
to that Work or Derivative Works thereof, that is intentionally |
||||
submitted to Licensor for inclusion in the Work by the copyright owner |
||||
or by an individual or Legal Entity authorized to submit on behalf of |
||||
the copyright owner. For the purposes of this definition, "submitted" |
||||
means any form of electronic, verbal, or written communication sent |
||||
to the Licensor or its representatives, including but not limited to |
||||
communication on electronic mailing lists, source code control systems, |
||||
and issue tracking systems that are managed by, or on behalf of, the |
||||
Licensor for the purpose of discussing and improving the Work, but |
||||
excluding communication that is conspicuously marked or otherwise |
||||
designated in writing by the copyright owner as "Not a Contribution." |
||||
|
||||
"Contributor" shall mean Licensor and any individual or Legal Entity |
||||
on behalf of whom a Contribution has been received by Licensor and |
||||
subsequently incorporated within the Work. |
||||
|
||||
2. Grant of Copyright License. Subject to the terms and conditions of |
||||
this License, each Contributor hereby grants to You a perpetual, |
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable |
||||
copyright license to reproduce, prepare Derivative Works of, |
||||
publicly display, publicly perform, sublicense, and distribute the |
||||
Work and such Derivative Works in Source or Object form. |
||||
|
||||
3. Grant of Patent License. Subject to the terms and conditions of |
||||
this License, each Contributor hereby grants to You a perpetual, |
||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable |
||||
(except as stated in this section) patent license to make, have made, |
||||
use, offer to sell, sell, import, and otherwise transfer the Work, |
||||
where such license applies only to those patent claims licensable |
||||
by such Contributor that are necessarily infringed by their |
||||
Contribution(s) alone or by combination of their Contribution(s) |
||||
with the Work to which such Contribution(s) was submitted. If You |
||||
institute patent litigation against any entity (including a |
||||
cross-claim or counterclaim in a lawsuit) alleging that the Work |
||||
or a Contribution incorporated within the Work constitutes direct |
||||
or contributory patent infringement, then any patent licenses |
||||
granted to You under this License for that Work shall terminate |
||||
as of the date such litigation is filed. |
||||
|
||||
4. Redistribution. You may reproduce and distribute copies of the |
||||
Work or Derivative Works thereof in any medium, with or without |
||||
modifications, and in Source or Object form, provided that You |
||||
meet the following conditions: |
||||
|
||||
(a) You must give any other recipients of the Work or |
||||
Derivative Works a copy of this License; and |
||||
|
||||
(b) You must cause any modified files to carry prominent notices |
||||
stating that You changed the files; and |
||||
|
||||
(c) You must retain, in the Source form of any Derivative Works |
||||
that You distribute, all copyright, patent, trademark, and |
||||
attribution notices from the Source form of the Work, |
||||
excluding those notices that do not pertain to any part of |
||||
the Derivative Works; and |
||||
|
||||
(d) If the Work includes a "NOTICE" text file as part of its |
||||
distribution, then any Derivative Works that You distribute must |
||||
include a readable copy of the attribution notices contained |
||||
within such NOTICE file, excluding those notices that do not |
||||
pertain to any part of the Derivative Works, in at least one |
||||
of the following places: within a NOTICE text file distributed |
||||
as part of the Derivative Works; within the Source form or |
||||
documentation, if provided along with the Derivative Works; or, |
||||
within a display generated by the Derivative Works, if and |
||||
wherever such third-party notices normally appear. The contents |
||||
of the NOTICE file are for informational purposes only and |
||||
do not modify the License. You may add Your own attribution |
||||
notices within Derivative Works that You distribute, alongside |
||||
or as an addendum to the NOTICE text from the Work, provided |
||||
that such additional attribution notices cannot be construed |
||||
as modifying the License. |
||||
|
||||
You may add Your own copyright statement to Your modifications and |
||||
may provide additional or different license terms and conditions |
||||
for use, reproduction, or distribution of Your modifications, or |
||||
for any such Derivative Works as a whole, provided Your use, |
||||
reproduction, and distribution of the Work otherwise complies with |
||||
the conditions stated in this License. |
||||
|
||||
5. Submission of Contributions. Unless You explicitly state otherwise, |
||||
any Contribution intentionally submitted for inclusion in the Work |
||||
by You to the Licensor shall be under the terms and conditions of |
||||
this License, without any additional terms or conditions. |
||||
Notwithstanding the above, nothing herein shall supersede or modify |
||||
the terms of any separate license agreement you may have executed |
||||
with Licensor regarding such Contributions. |
||||
|
||||
6. Trademarks. This License does not grant permission to use the trade |
||||
names, trademarks, service marks, or product names of the Licensor, |
||||
except as required for reasonable and customary use in describing the |
||||
origin of the Work and reproducing the content of the NOTICE file. |
||||
|
||||
7. Disclaimer of Warranty. Unless required by applicable law or |
||||
agreed to in writing, Licensor provides the Work (and each |
||||
Contributor provides its Contributions) on an "AS IS" BASIS, |
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or |
||||
implied, including, without limitation, any warranties or conditions |
||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A |
||||
PARTICULAR PURPOSE. You are solely responsible for determining the |
||||
appropriateness of using or redistributing the Work and assume any |
||||
risks associated with Your exercise of permissions under this License. |
||||
|
||||
8. Limitation of Liability. In no event and under no legal theory, |
||||
whether in tort (including negligence), contract, or otherwise, |
||||
unless required by applicable law (such as deliberate and grossly |
||||
negligent acts) or agreed to in writing, shall any Contributor be |
||||
liable to You for damages, including any direct, indirect, special, |
||||
incidental, or consequential damages of any character arising as a |
||||
result of this License or out of the use or inability to use the |
||||
Work (including but not limited to damages for loss of goodwill, |
||||
work stoppage, computer failure or malfunction, or any and all |
||||
other commercial damages or losses), even if such Contributor |
||||
has been advised of the possibility of such damages. |
||||
|
||||
9. Accepting Warranty or Additional Liability. While redistributing |
||||
the Work or Derivative Works thereof, You may choose to offer, |
||||
and charge a fee for, acceptance of support, warranty, indemnity, |
||||
or other liability obligations and/or rights consistent with this |
||||
License. However, in accepting such obligations, You may act only |
||||
on Your own behalf and on Your sole responsibility, not on behalf |
||||
of any other Contributor, and only if You agree to indemnify, |
||||
defend, and hold each Contributor harmless for any liability |
||||
incurred by, or claims asserted against, such Contributor by reason |
||||
of your accepting any such warranty or additional liability. |
||||
|
||||
END OF TERMS AND CONDITIONS |
||||
|
||||
APPENDIX: How to apply the Apache License to your work. |
||||
|
||||
To apply the Apache License to your work, attach the following |
||||
boilerplate notice, with the fields enclosed by brackets "[]" |
||||
replaced with your own identifying information. (Don't include |
||||
the brackets!) The text should be enclosed in the appropriate |
||||
comment syntax for the file format. We also recommend that a |
||||
file or class name and description of purpose be included on the |
||||
same "printed page" as the copyright notice for easier |
||||
identification within third-party archives. |
||||
|
||||
Copyright [yyyy] [name of copyright owner] |
||||
|
||||
Licensed under the Apache License, Version 2.0 (the "License"); |
||||
you may not use this file except in compliance with the License. |
||||
You may obtain a copy of the License at |
||||
|
||||
http://www.apache.org/licenses/LICENSE-2.0 |
||||
|
||||
Unless required by applicable law or agreed to in writing, software |
||||
distributed under the License is distributed on an "AS IS" BASIS, |
||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
||||
See the License for the specific language governing permissions and |
||||
limitations under the License. |