Constants

    const (
        // For Azure AD Workload Identity, the audience recommended for use is
        // "api://AzureADTokenExchange"
        DefaultTokenAudience = "api://AzureADTokenExchange" //nolint
    )
Variables

    var (
        // ErrServiceAccountTokensNotFound is returned when the service account token is not found
        ErrServiceAccountTokensNotFound = errors.New("service account tokens not found")
    )
Functions

func ParseServiceAccountToken (added in v1.1.0)

ParseServiceAccountToken parses the bound service account token from the tokens passed from the driver as part of the MountRequest. ref: https://kubernetes-csi.github.io/docs/token-requests.html
Types

type Config

    type Config struct {
        // UsePodIdentity is set to true if access mode is using aad-pod-identity
        UsePodIdentity bool
        // UseVMManagedIdentity is set to true if access mode is using managed identity
        UseVMManagedIdentity bool
        // UserAssignedIdentityID is the user-assigned managed identity clientID
        UserAssignedIdentityID string
        // AADClientSecret is the client secret for SP access mode
        AADClientSecret string
        // AADClientID is the clientID for SP access mode
        AADClientID string
        // WorkloadIdentityClientID is the clientID for workload identity
        // this clientID can be an Azure AD Application or a Managed identity
        // NOTE: workload identity federation with managed identity is currently not supported
        WorkloadIdentityClientID string
        // WorkloadIdentityToken is the service account token for workload identity
        // this token will be exchanged for an Azure AD Token based on the federated identity credential
        // this service account token is associated with the workload requesting the volume mount
        WorkloadIdentityToken string
    }

Config holds the required parameters for the auth config.
func NewConfig

    func NewConfig(
        usePodIdentity, useVMManagedIdentity bool,
        userAssignedIdentityID, workloadIdentityClientID, workloadIdentityToken string,
        secrets map[string]string) (Config, error)

NewConfig returns a new auth config.
func (Config) GetCredential (added in v1.5.0)

    func (c Config) GetCredential(podName, podNamespace, resource, aadEndpoint, tenantID, nmiPort string) (azcore.TokenCredential, error)

GetCredential returns the Azure credential to use, based on the auth config.
type PodIdentityResponse (added in v1.5.0)

    type PodIdentityResponse struct {
        Token    adal.Token `json:"token"`
        ClientID string     `json:"clientid"`
    }

PodIdentityResponse is the response received from aad-pod-identity when requesting a token on behalf of the pod.
type SATokens (added in v1.1.0)

    type SATokens struct {
        APIAzureADTokenExchange struct {
            Token               string    `json:"token"`
            ExpirationTimestamp time.Time `json:"expirationTimestamp"`
        } `json:"api://AzureADTokenExchange"`
    }

SATokens represents the service account tokens sent as part of the MountRequest.
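The tokens field of the MountRequest is a JSON object keyed by audience, and ParseServiceAccountToken is documented to pull out the token bound to "api://AzureADTokenExchange". The following is an added example, not the provider's own code: parseBoundToken is a hypothetical function that mirrors that documented behaviour over the SATokens shape above and additionally rejects an already-expired projected token before it would be sent for exchange. The sample JSON is constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// DefaultTokenAudience and ErrServiceAccountTokensNotFound mirror the documented package symbols.
const DefaultTokenAudience = "api://AzureADTokenExchange"

var ErrServiceAccountTokensNotFound = errors.New("service account tokens not found")

// SATokens mirrors the documented struct: the driver keys each projected token by its audience.
type SATokens struct {
	APIAzureADTokenExchange struct {
		Token               string    `json:"token"`
		ExpirationTimestamp time.Time `json:"expirationTimestamp"`
	} `json:"api://AzureADTokenExchange"`
}

// parseBoundToken (hypothetical) returns the token bound to DefaultTokenAudience.
// It fails closed when the tokens string is empty, when the audience key is
// absent, or when the driver-supplied expirationTimestamp is already in the past.
func parseBoundToken(raw string, now time.Time) (string, error) {
	if raw == "" {
		return "", ErrServiceAccountTokensNotFound
	}
	var tokens SATokens
	if err := json.Unmarshal([]byte(raw), &tokens); err != nil {
		return "", fmt.Errorf("unmarshal service account tokens: %w", err)
	}
	bound := tokens.APIAzureADTokenExchange
	if bound.Token == "" {
		return "", fmt.Errorf("no token for audience %q: %w", DefaultTokenAudience, ErrServiceAccountTokensNotFound)
	}
	if !bound.ExpirationTimestamp.IsZero() && !now.Before(bound.ExpirationTimestamp) {
		return "", fmt.Errorf("token for audience %q expired at %s", DefaultTokenAudience, bound.ExpirationTimestamp.UTC().Format(time.RFC3339))
	}
	return bound.Token, nil
}

// sampleTokens is a constructed MountRequest tokens value in the documented shape.
const sampleTokens = `{"api://AzureADTokenExchange":{"token":"eyJ.constructed.sample","expirationTimestamp":"2030-01-01T00:00:00Z"}}`

func main() {
	tok, err := parseBoundToken(sampleTokens, time.Now())
	fmt.Println(tok, err)
}
```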
type Token (added in v1.5.0)

    type Token struct {
        AccessToken  string      `json:"access_token"`
        RefreshToken string      `json:"refresh_token"`
        ExpiresIn    json.Number `json:"expires_in"`
        ExpiresOn    json.Number `json:"expires_on"`
        NotBefore    json.Number `json:"not_before"`
        Resource     string      `json:"resource"`
        Type         string      `json:"token_type"`
    }

Token encapsulates the access token used to authorize Azure requests. https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow#service-to-service-access-token-response