feat(login) add support for user- and system assigned managed identity for azure login

Undermyspell · DenisBiondic · commit 6ede3bc9f51e · 2025-03-03T13:26:40.000+01:00
diff --git a/pkg/recipes/azure_login/factory.go b/pkg/recipes/azure_login/factory.go
@@ -10,21 +10,27 @@ import (
 //   - service-principal-id
 //   - service-principal-secret
 //   - service-principal-tenant
+//   - user-assigned-managed-identity-client-id
+//   - use-managed-identity
 func New(executor commands.Executor) *Login {
 	return &Login{
-		servicePrincipalId:     viper.GetString("service-principal-id"),
-		servicePrincipalSecret: viper.GetString("service-principal-secret"),
-		tenant:                 viper.GetString("service-principal-tenant"),
-		executor:               executor,
+		servicePrincipalId:                  viper.GetString("service-principal-id"),
+		servicePrincipalSecret:              viper.GetString("service-principal-secret"),
+		tenant:                              viper.GetString("service-principal-tenant"),
+		userAssignedManagedIdentityClientId: viper.GetString("user-assigned-managed-identity-client-id"),
+		useManagedIdentity:                  viper.GetBool("use-managed-identity"),
+		executor:                            executor,
 	}
 }
 
 // NewWithParams creates a new Login instance with the ability to provide all parameters directly
-func NewWithParams(executor commands.Executor, servicePrincipalId string, servicePrincipalSecret string, tenant string) *Login {
+func NewWithParams(executor commands.Executor, servicePrincipalId string, servicePrincipalSecret string, tenant string, userAssignedManagedIdentityClientId string, useManagedIdentity bool) *Login {
 	return &Login{
-		servicePrincipalId:     servicePrincipalId,
-		servicePrincipalSecret: servicePrincipalSecret,
-		tenant:                 tenant,
-		executor:               executor,
+		servicePrincipalId:                  servicePrincipalId,
+		servicePrincipalSecret:              servicePrincipalSecret,
+		tenant:                              tenant,
+		userAssignedManagedIdentityClientId: userAssignedManagedIdentityClientId,
+		useManagedIdentity:                  useManagedIdentity,
+		executor:                            executor,
 	}
 }
diff --git a/pkg/recipes/azure_login/login.go b/pkg/recipes/azure_login/login.go
@@ -4,25 +4,44 @@ import (
 	"encoding/json"
 	"errors"
 	"fmt"
+	"os"
+	"strings"
+
 	"github.com/conplementag/cops-hq/v2/internal"
 	"github.com/conplementag/cops-hq/v2/pkg/commands"
 	"github.com/conplementag/cops-hq/v2/pkg/error_handling"
 	"github.com/sirupsen/logrus"
-	"os"
-	"strings"
 )
 
 type Login struct {
-	servicePrincipalId     string
-	servicePrincipalSecret string
-	tenant                 string
-	executor               commands.Executor
+	servicePrincipalId                  string
+	servicePrincipalSecret              string
+	userAssignedManagedIdentityClientId string
+	useManagedIdentity                  bool
+	tenant                              string
+	executor                            commands.Executor
 }
 
 // Login logs the currently configured user in AzureCLI and Terraform. If configured with service principal, it will
 // attempt a non-interactive login, otherwise a normal user login will be started.
 func (l *Login) Login() error {
-	if l.useServicePrincipalLogin() {
+	if l.useUserAssignedManagedIdentityLogin() {
+		if l.tenant == "" {
+			return errors.New("tenant must be given, when using user assigned managed identity")
+		}
+
+		logrus.Info("Login as user assigned managed identity: " + l.userAssignedManagedIdentityClientId)
+		err := l.userAssignedManagedIdentityLogin(l.userAssignedManagedIdentityClientId, l.tenant)
+		return internal.ReturnErrorOrPanic(err)
+	} else if l.useSystemAssignedManagedIdentityLogin() {
+		if l.tenant == "" {
+			return errors.New("tenant must be given, when using system assigned managed identity")
+		}
+
+		logrus.Info("Login as system assigned managed identity")
+		err := l.systemAssignedManagedIdentityLogin(l.tenant)
+		return internal.ReturnErrorOrPanic(err)
+	} else if l.useServicePrincipalLogin() {
 		if l.servicePrincipalSecret == "" {
 			return internal.ReturnErrorOrPanic(errors.New("service principal secret must be given, when using service principal credentials"))
 		}
@@ -68,6 +87,14 @@ func (l *Login) SetSubscription(subscriptionId string) error {
 	return nil
 }
 
+func (l *Login) useSystemAssignedManagedIdentityLogin() bool {
+	return l.useManagedIdentity && l.userAssignedManagedIdentityClientId == ""
+}
+
+func (l *Login) useUserAssignedManagedIdentityLogin() bool {
+	return l.useManagedIdentity && l.userAssignedManagedIdentityClientId != ""
+}
+
 func (l *Login) useServicePrincipalLogin() bool {
 	return l.servicePrincipalId != ""
 }
@@ -96,6 +123,43 @@ func (l *Login) servicePrincipalLogin(servicePrincipal string, secret string, te
 	return nil
 }
 
+func (l *Login) userAssignedManagedIdentityLogin(userAssignedManagedIdentityClientId string, tenant string) error {
+	// First, we log into the Azure CLI
+	// see https://learn.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-login hints for secrets starting with "-"
+	commandText := "az login --identity --username " + userAssignedManagedIdentityClientId
+	_, err := l.executor.Execute(commandText)
+
+	// Then, we also need to set the env variables required for Terraform if working with user assigned managed identities
+	err1 := os.Setenv("ARM_CLIENT_ID", userAssignedManagedIdentityClientId)
+	err2 := os.Setenv("ARM_USE_MSI", "true")
+	err3 := os.Setenv("ARM_TENANT_ID", tenant)
+
+	if err != nil || err1 != nil || err2 != nil || err3 != nil {
+		return internal.ReturnErrorOrPanic(fmt.Errorf("errors while logging in via user assigned managed identity: %v %v %v %v",
+			err, err1, err2, err3))
+	}
+
+	return nil
+}
+
+func (l *Login) systemAssignedManagedIdentityLogin(tenant string) error {
+	// First, we log into the Azure CLI
+	// see https://learn.microsoft.com/en-us/cli/azure/reference-index?view=azure-cli-latest#az-login hints for secrets starting with "-"
+	commandText := "az login --identity"
+	_, err := l.executor.Execute(commandText)
+
+	// Then, we also need to set the env variables required for Terraform if working with system assigned managed identities
+	err1 := os.Setenv("ARM_USE_MSI", "true")
+	err2 := os.Setenv("ARM_TENANT_ID", tenant)
+
+	if err != nil || err1 != nil || err2 != nil {
+		return internal.ReturnErrorOrPanic(fmt.Errorf("errors while logging in via system assigned managed identity: %v %v %v",
+			err, err1, err2))
+	}
+
+	return nil
+}
+
 func (l *Login) isUserAlreadyLoggedIn() (bool, error) {
 	// since we actually rely on errors to test if user is logged in, we will shortly suppress the executor panics
 	previousPanicSetting := error_handling.PanicOnAnyError
diff --git a/pkg/recipes/azure_login/login_test.go b/pkg/recipes/azure_login/login_test.go
@@ -3,16 +3,17 @@ package azure_login
 import (
 	"encoding/json"
 	"errors"
-	"github.com/conplementag/cops-hq/v2/pkg/commands"
-	"github.com/stretchr/testify/mock"
 	"strings"
 	"testing"
+
+	"github.com/conplementag/cops-hq/v2/pkg/commands"
+	"github.com/stretchr/testify/mock"
 )
 
 func Test_TriggersServicePrincipalLogin_WhenIdProvided(t *testing.T) {
 	// Arrange
 	executor := &loginExecutorMock{}
-	azureLogin := NewWithParams(executor, "abcd", "secret", "tenantId")
+	azureLogin := NewWithParams(executor, "abcd", "secret", "tenantId", "", false)
 
 	executor.On("ExecuteSilent", mock.MatchedBy(func(command string) bool {
 		return strings.Contains(command, "--service-principal") && strings.Contains(command, "abcd")
@@ -25,6 +26,54 @@ func Test_TriggersServicePrincipalLogin_WhenIdProvided(t *testing.T) {
 	executor.AssertExpectations(t)
 }
 
+func Test_TriggersUserAssignedManagedIdentityLogin_WhenClientIdAndFlagProvided(t *testing.T) {
+	// Arrange
+	executor := &loginExecutorMock{}
+	azureLogin := NewWithParams(executor, "abcd", "secret", "tenantId", "umi-clientid", true)
+
+	executor.On("Execute", mock.MatchedBy(func(command string) bool {
+		return command == "az login --identity --username umi-clientid"
+	}))
+
+	// Act
+	azureLogin.Login()
+
+	// Assert
+	executor.AssertExpectations(t)
+}
+
+func Test_TriggersSystemAssignedManagedIdentityLogin_WhenOnlyFlagProvided(t *testing.T) {
+	// Arrange
+	executor := &loginExecutorMock{}
+	azureLogin := NewWithParams(executor, "abcd", "secret", "tenantId", "", true)
+
+	executor.On("Execute", mock.MatchedBy(func(command string) bool {
+		return command == "az login --identity"
+	}))
+
+	// Act
+	azureLogin.Login()
+
+	// Assert
+	executor.AssertExpectations(t)
+}
+
+func Test_TriggersServicePrincipalLogin_WhenIdProvidedAndUamIdProvidedButMiFlagNotProvided(t *testing.T) {
+	// Arrange
+	executor := &loginExecutorMock{}
+	azureLogin := NewWithParams(executor, "abcd", "secret", "tenantId", "umi-clientid", false)
+
+	executor.On("ExecuteSilent", mock.MatchedBy(func(command string) bool {
+		return strings.Contains(command, "--service-principal") && strings.Contains(command, "abcd") && !strings.Contains(command, "--identity")
+	}))
+
+	// Act
+	azureLogin.Login()
+
+	// Assert
+	executor.AssertExpectations(t)
+}
+
 func Test_TriggersNoLogin_WhenUserAlreadyLoggedIn(t *testing.T) {
 	// Arrange
 	executor := &loginExecutorMock{}
@@ -90,6 +139,8 @@ func (e *loginExecutorMock) Execute(command string) (string, error) {
 		} else {
 			return "not logged in", errors.New("not logged int")
 		}
+	} else if strings.Contains(command, "--identity") {
+		return "logged in with managed identity", nil
 	}
 
 	return "unknown command for the Execute mock called, but let's return successfully anyways", nil
