Giter Club home page Giter Club logo

Comments (5)

pchanvallon avatar pchanvallon commented on June 23, 2024 2

Hello, at the moment this authentication method is not embedded in the DefaultAzureCredential which is the function used inside azuredns provider.
For that we need to implement the logic to retrieve OIDC token like the one used inside azrerm terraform provider.
@ldez I can add it in a new PR

from lego.

ldez avatar ldez commented on June 23, 2024

Hello,

I think it's better to open an issue inside the repo https://github.com/vancluever/terraform-provider-acme

from lego.

ldez avatar ldez commented on June 23, 2024

@pchanvallon do you have an idea?

from lego.

stmcx avatar stmcx commented on June 23, 2024

Testing on local machine bypassing Terraform ACME provider

Ensure cli is logged out

az logout

Export environment variables (Values taken from Terraform Cloud agent runner)

export AZURE_SUBSCRIPTION_ID=******-****-****-****-********
export AZURE_RESOURCE_GROUP=*********
export AZURE_TENANT_ID=******-****-****-****-********
export AZURE_CLIENT_ID=******-****-****-****-********
export AZURE_USE_OIDC=true
export AZURE_OIDC_TOKEN="**************************"

Also exported last two envs as ARM_OIDC_TOKEN & ARM_USE_OIDC since this is the syntax they are actually exported by Terraform Cloud.

lego --domains example.****.com --email [email protected] --dns azuredns run
2023/10/05 13:18:38 [INFO] [example.****.com] acme: Obtaining bundled SAN certificate
2023/10/05 13:18:39 [INFO] [example.****.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/*******
2023/10/05 13:18:39 [INFO] [example.****.com] acme: Could not find solver for: tls-alpn-01
2023/10/05 13:18:39 [INFO] [example.****.com] acme: Could not find solver for: http-01
2023/10/05 13:18:39 [INFO] [example.****.com] acme: use dns-01 solver
2023/10/05 13:18:39 [INFO] [example.****.com] acme: Preparing to solve DNS-01
2023/10/05 13:18:44 [INFO] [example.****.com] acme: Cleaning DNS-01 challenge
2023/10/05 13:18:47 [WARN] [example.****.com] acme: cleaning up failed: azuredns: DefaultAzureCredential: failed to acquire a token.
Attempted credentials:
	EnvironmentCredential: incomplete environment variable configuration. Only AZURE_TENANT_ID and AZURE_CLIENT_ID are set
	WorkloadIdentityCredential: no token file specified. Check pod configuration or set TokenFilePath in the options
	ManagedIdentityCredential: managed identity timed out
	AzureCLICredential: ERROR: Please run 'az login' to setup account.

What seems to work is putting the AZURE_OIDC_TOKEN value in a file and then exporting AZURE_FEDERATED_TOKEN_FILE=token.txt.

I will see if I can do this in Terraform but would prefer if it works out of the box.

2023/10/05 13:41:10 [INFO] [example.****.com] acme: Obtaining bundled SAN certificate
2023/10/05 13:41:11 [INFO] [example.****.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/********
2023/10/05 13:41:11 [INFO] [example.****.com] acme: Could not find solver for: tls-alpn-01
2023/10/05 13:41:11 [INFO] [example.****.com] acme: Could not find solver for: http-01
2023/10/05 13:41:11 [INFO] [example.****.com] acme: use dns-01 solver
2023/10/05 13:41:11 [INFO] [example.****.com] acme: Preparing to solve DNS-01
2023/10/05 13:41:15 [INFO] [example.****.com] acme: Trying to solve DNS-01
2023/10/05 13:41:15 [INFO] [example.****.com] acme: Checking DNS record propagation using [*****]
2023/10/05 13:41:17 [INFO] Wait for propagation [timeout: 2m0s, interval: 2s]
2023/10/05 13:41:24 [INFO] [example.****.com] The server validated our request
2023/10/05 13:41:24 [INFO] [example.****.com] acme: Cleaning DNS-01 challenge
2023/10/05 13:41:26 [INFO] [example.****.com] acme: Validations succeeded; requesting certificates
2023/10/05 13:41:27 [INFO] [example.****.com] Server responded with a certificate.

Thanks!

from lego.

pchanvallon avatar pchanvallon commented on June 23, 2024

Yes this case is working because it is the mechanism used by Workload Identity Authentication as described in this doc.
But we still need to handle the other cases.

from lego.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.