Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Disable and remove use of local/shared key auth for SAs #4122

Open
wants to merge 5 commits into
base: master
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion cmd/aro/deploy.go
Original file line number Diff line number Diff line change
Expand Up @@ -143,5 +143,5 @@ func deploy(ctx context.Context, log *logrus.Entry) error {

// Must be last step so we can be sure there are no RPs at older versions
// still serving
return deployer.SaveVersion(ctx)
return deployer.SaveVersion(ctx, tokenCredential)
}
2 changes: 1 addition & 1 deletion pkg/deploy/deploy.go
Original file line number Diff line number Diff line change
Expand Up @@ -36,7 +36,7 @@ type Deployer interface {
DeployGateway(context.Context) error
UpgradeRP(context.Context) error
UpgradeGateway(context.Context) error
SaveVersion(context.Context) error
SaveVersion(context.Context, azcore.TokenCredential) error
}

type deployer struct {
Expand Down
8 changes: 8 additions & 0 deletions pkg/deploy/generator/resources_rp.go
Original file line number Diff line number Diff line change
Expand Up @@ -1525,6 +1525,7 @@ func (g *generator) rpVersionStorageAccount() []*arm.Resource {
&mgmtstorage.AccountProperties{
AllowBlobPublicAccess: to.BoolPtr(false),
MinimumTLSVersion: mgmtstorage.MinimumTLSVersionTLS12,
AllowSharedKeyAccess: to.BoolPtr(false),
},
map[string]*string{},
),
Expand All @@ -1535,5 +1536,12 @@ func (g *generator) rpVersionStorageAccount() []*arm.Resource {
storageAccountName,
fmt.Sprintf("concat(%s, '/Microsoft.Authorization/', guid(resourceId('%s', %s)))", storageAccountName, resourceTypeStorageAccount, storageAccountName),
),
rbac.ResourceRoleAssignmentWithName(
rbac.RoleStorageBlobDataContributor,
"parameters('globalDevopsServicePrincipalId')",
resourceTypeStorageAccount,
storageAccountName,
fmt.Sprintf("concat(%s, '/Microsoft.Authorization/', guid(resourceId('%s', %s)))", storageAccountName, resourceTypeStorageAccount, storageAccountName),
),
}
}
23 changes: 4 additions & 19 deletions pkg/deploy/saveversion.go
Original file line number Diff line number Diff line change
Expand Up @@ -6,36 +6,21 @@ package deploy
import (
"context"
"fmt"
"time"

"github.com/Azure/azure-sdk-for-go/sdk/storage/azblob/service"
mgmtstorage "github.com/Azure/azure-sdk-for-go/services/storage/mgmt/2021-09-01/storage"
"github.com/Azure/go-autorest/autorest/date"

"github.com/Azure/ARO-RP/pkg/util/azureclient/azuresdk/azblob"
"github.com/Azure/ARO-RP/pkg/util/pointerutils"
"github.com/Azure/azure-sdk-for-go/sdk/azcore"
)

// SaveVersion for current location in shared storage account for environment
func (d *deployer) SaveVersion(ctx context.Context) error {
func (d *deployer) SaveVersion(ctx context.Context, tokenCredential azcore.TokenCredential) error {
d.log.Printf("saving RP version %s deployed in %s to storage account %s", d.version, d.config.Location, *d.config.Configuration.RPVersionStorageAccountName)
t := time.Now().UTC().Truncate(time.Second)
res, err := d.globalaccounts.ListAccountSAS(
Copy link
Collaborator

@tsatam tsatam Feb 27, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not an immediate priority but we should do this before merge - as far as I can tell this is the only usage of the (track1) globalaccounts client in the entire deployer, we should be good to remove it from the deployer struct entirely.

ctx, *d.config.Configuration.GlobalResourceGroupName, *d.config.Configuration.RPVersionStorageAccountName, mgmtstorage.AccountSasParameters{
Services: mgmtstorage.ServicesB,
ResourceTypes: mgmtstorage.SignedResourceTypesO + mgmtstorage.SignedResourceTypesS,
Permissions: mgmtstorage.PermissionsC + mgmtstorage.PermissionsW, // create and write
Protocols: mgmtstorage.HTTPProtocolHTTPS,
SharedAccessStartTime: &date.Time{Time: t},
SharedAccessExpiryTime: &date.Time{Time: t.Add(24 * time.Hour)},
})
if err != nil {
return err
}

d.log.Infof("instantiating blobs client using SAS token")
sasUrl := fmt.Sprintf("https://%s.blob.%s/?%s", *d.config.Configuration.RPVersionStorageAccountName, d.env.Environment().StorageEndpointSuffix, *res.AccountSasToken)
blobsClient, err := azblob.NewBlobsClientUsingSAS(sasUrl, d.env.Environment().ArmClientOptions())
serviceUrl := fmt.Sprintf("https://%s.blob.%s", *d.config.Configuration.RPVersionStorageAccountName, d.env.Environment().StorageEndpointSuffix)
blobsClient, err := azblob.NewBlobsClientUsingEntra(serviceUrl, tokenCredential, d.env.Environment().ArmClientOptions())
if err != nil {
d.log.Errorf("failure to instantiate blobs client using SAS: %v", err)
return err
Expand Down
Loading