Azure Blob Backend Azure Arc Managed Identity Support HIMDS

Currently the azureblob backend only supports
msiEndpointDefault = "http://169.254.169.254/metadata/identity/oauth2/token" and
imdsAPIVersion = "2018-02-01"

Azure Arc provides the functionality to use IMDS on machines not in the Azure cloud but connected to it. The endpoint used on these servers is 127.0.0.1:40342/metadata/identity/oauth2/token and version "2019-11-01".

Is it possible to expose these variables for configuration?

Here is an additional reference for himds
https://docs.microsoft.com/en-us/azure/azure-arc/servers/managed-identity-authentication

This currently isn't configurable.

Does it not work with the old API version? Did you try it? What does it do?

As a first step I'd change this in the source code and see if it works.

Then we can have a think about how to make it configurable.

@ncw, thank you for looking at this request so quickly. I have tested changing the endpoint/API version in the source code and then realized that, although the mechanisms appear similar, the himds endpoint returns a path to a local file instead of the actual token. I will attempt to test using the oauthTokenManager code from azcopy as a reference: azure-storage-azcopy/oauthTokenManager.go at main · Azure/azure-storage-azcopy · GitHub
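The two-step exchange mentioned in the post above (the first HIMDS reply points at a local file rather than returning a token), sketched in Go as an added example; it is not code from rclone or azcopy. It assumes the unauthenticated request is answered with 401 and `WWW-Authenticate: Basic realm=<path>`, as described in the linked Microsoft documentation; `challengePath`, `authorizedRequest`, the allowed-directory parameter and the 4096-byte cap are hypothetical choices for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/url"
	"os"
	"path/filepath"
	"strings"
)

// challengePath extracts <path> from "WWW-Authenticate: Basic realm=<path>".
// The path is server-supplied: accept only a .key file directly in allowedDir.
func challengePath(h http.Header, allowedDir string) (string, error) {
	v := h.Get("WWW-Authenticate")
	if !strings.HasPrefix(v, "Basic realm=") {
		return "", fmt.Errorf("no Basic realm challenge in %q", v)
	}
	p := filepath.Clean(strings.TrimSpace(strings.TrimPrefix(v, "Basic realm=")))
	if filepath.Dir(p) != filepath.Clean(allowedDir) || filepath.Ext(p) != ".key" {
		return "", fmt.Errorf("unexpected challenge path %q", p)
	}
	return p, nil
}

// authorizedRequest builds the retry that carries the file contents as the Basic credential.
func authorizedRequest(endpoint, resource, keyPath string) (*http.Request, error) {
	fi, err := os.Lstat(keyPath) // Lstat: do not follow a symlink
	if err != nil || !fi.Mode().IsRegular() || fi.Size() > 4096 { // assumed size cap
		return nil, fmt.Errorf("refusing to read challenge file %q", keyPath)
	}
	key, err := os.ReadFile(keyPath)
	if err != nil {
		return nil, err
	}
	q := url.Values{"api-version": {"2019-11-01"}, "resource": {resource}}
	req, err := http.NewRequest(http.MethodGet, endpoint+"?"+q.Encode(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata", "true")
	req.Header.Set("Authorization", "Basic "+strings.TrimSpace(string(key)))
	return req, nil
}

func main() { // constructed header carrying a traversal attempt
	_, err := challengePath(http.Header{"Www-Authenticate": {"Basic realm=/tmp/x/../a.key"}}, "/tmp/x")
	fmt.Println("rejected:", err != nil)
}
```

The request returned by `authorizedRequest` is the one that would yield the token; the caller passes the agent's token directory for its platform as `allowedDir`.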

I see you made an issue about this. Will move the discussion there :slight_smile:
