Azure MSI examples for go and docker

Author: Steven Gettys

.gitignore

@@ -0,0 +1,2 @@
+.terraform
+terraform.tfstate*

Dockerfile

@@ -0,0 +1,11 @@
+FROM golang:1.15.0 as builder
+WORKDIR  /go/src/msigolang/
+COPY . /go/src/msigolang/
+RUN go test ./... -v
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o run .
+
+FROM alpine:3.8
+RUN apk --update add ca-certificates
+WORKDIR /root/
+COPY --from=builder /go/src/msigolang/run .
+CMD ["./run"]

README.md

@@ -0,0 +1,54 @@
+# Azure GO MSI
+This is an example repo for debugging the differences between using MSI for getting an Azure KV secret in a Go based Docker Azure Web App and a Go based Azure Container Instance. Web Apps do not seem to properly support MSI for this use case while the Container Instance does.
+
+This repo has a simple Go app that will lookup a secret from a KV instance using a user managed identity. The Terraform will create a resource group, key vault, managed identity and access policies, and a test instace for both an Azure Web App and Azure Container Instance to see if they can retreive the secret using that managed identity.
+
+# Docker Image
+To test this first build and publish the `Dockerfile`:
+```
+docker build --rm -t <dockerhub repo>/<container name>:<version> .
+docker push <dockerhub repo>/<container name>:<version>
+```
+
+Make sure that this is a publicly accessible container image so that it can be pulled into the Web App and Container Instance
+
+# Terraform
+The Terraform requires 2 inputs, a name for the deployment, and the docker image that is in dockerhub. To run the Terraform do the following:
+```
+terraform init
+terraform play --var "name=<name to use>" --var "docker_image=<docker image in dockerhub>"
+terraform apply --var "name=<name to use>" --var "docker_image=<docker image in dockerhub>"
+```
+
+Once this has been created then check the Web App logs and the Container Instance logs to see if they were able to retreive the secret. This can be done using the portal by navigating to the resource group created by the Terraform.
+
+# Go Application
+The Go app can use 2 possible methods for using the MSI to get the KV secret.
+
+Method 1:
+```
+msiKeyConfig := &auth.MSIConfig{
+		Resource: strings.TrimSuffix(azure.PublicCloud.KeyVaultEndpoint, "/"),
+		ClientID: clientID,
+	}
+
+authorizer, err := msiKeyConfig.Authorizer()
+```
+
+Method 2:
+```
+authorizer, err := auth.NewAuthorizerFromEnvironment()
+```
+
+The authorizer method can be changed in the `NewKeyVaultClient` method by changing which authorizer method to use, either `getMSIAuthorizer` or `getAuthorizerFromEnv`.
+
+When testing a new auth method the docker container must be rebuilt and pushed with a new version and then that version must be deployed to Azure using the Terraform and the "docker_image" variable.
+
+# New Version
+```
+# Make code change
+# Rebuild Docker app
+docker build --rm -t <image name>:<new version> .
+docker push <image name>:<new version>
+terraform apply --var "docker_image=<image name>:<new version>" --var "name=<name>" --auto-approve
+```

go.mod

@@ -0,0 +1,11 @@
+module github.com/sgetty/azure-go-msi
+
+go 1.13
+
+require (
+	github.com/Azure/azure-sdk-for-go v47.1.0+incompatible
+	github.com/Azure/go-autorest/autorest v0.11.10
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.3
+	github.com/Azure/go-autorest/autorest/to v0.4.0 // indirect
+	github.com/Azure/go-autorest/autorest/validation v0.3.0 // indirect
+)

go.sum

@@ -0,0 +1,42 @@
+github.com/Azure/azure-sdk-for-go v47.1.0+incompatible h1:D6MsWmsxF+pEjN/yZDyKXoUrsamdBdTlPedIgBlvVx4=
+github.com/Azure/azure-sdk-for-go v47.1.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
+github.com/Azure/go-autorest v14.2.0+incompatible h1:V5VMDjClD3GiElqLWO7mz2MxNAK/vTfRHdAubSIPRgs=
+github.com/Azure/go-autorest v14.2.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24=
+github.com/Azure/go-autorest/autorest v0.11.9/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
+github.com/Azure/go-autorest/autorest v0.11.10 h1:j5sGbX7uj1ieYYkQ3Mpvewd4DCsEQ+ZeJpqnSM9pjnM=
+github.com/Azure/go-autorest/autorest v0.11.10/go.mod h1:eipySxLmqSyC5s5k1CLupqet0PSENBEDP93LQ9a8QYw=
+github.com/Azure/go-autorest/autorest/adal v0.9.5 h1:Y3bBUV4rTuxenJJs41HU3qmqsb+auo+a3Lz+PlJPpL0=
+github.com/Azure/go-autorest/autorest/adal v0.9.5/go.mod h1:B7KF7jKIeC9Mct5spmyCB/A8CG/sEz1vwIRGv/bbw7A=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.3 h1:lZifaPRAk1bqg5vGqreL6F8uLC5V0fDpY8nFvc3boFc=
+github.com/Azure/go-autorest/autorest/azure/auth v0.5.3/go.mod h1:4bJZhUhcq8LB20TruwHbAQsmUs2Xh+QR7utuJpLXX3A=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.2 h1:dMOmEJfkLKW/7JsokJqkyoYSgmR08hi9KrhjZb+JALY=
+github.com/Azure/go-autorest/autorest/azure/cli v0.4.2/go.mod h1:7qkJkT+j6b+hIpzMOwPChJhTqS8VbsqqgULzMNRugoM=
+github.com/Azure/go-autorest/autorest/date v0.3.0 h1:7gUk1U5M/CQbp9WoqinNzJar+8KY+LPI6wiWrP/myHw=
+github.com/Azure/go-autorest/autorest/date v0.3.0/go.mod h1:BI0uouVdmngYNUzGWeSYnokU+TrmwEsOqdt8Y6sso74=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1 h1:K0laFcLE6VLTOwNgSxaGbUcLPuGXlNkbVvq4cW4nIHk=
+github.com/Azure/go-autorest/autorest/mocks v0.4.1/go.mod h1:LTp+uSrOhSkaKrUy935gNZuuIPPVsHlr9DSOxSayd+k=
+github.com/Azure/go-autorest/autorest/to v0.4.0 h1:oXVqrxakqqV1UZdSazDOPOLvOIz+XA683u8EctwboHk=
+github.com/Azure/go-autorest/autorest/to v0.4.0/go.mod h1:fE8iZBn7LQR7zH/9XU2NcPR4o9jEImooCeWJcYV/zLE=
+github.com/Azure/go-autorest/autorest/validation v0.3.0 h1:3I9AAI63HfcLtphd9g39ruUwRI+Ca+z/f36KHPFRUss=
+github.com/Azure/go-autorest/autorest/validation v0.3.0/go.mod h1:yhLgjC0Wda5DYXl6JAsWyUe4KVNffhoDhG0zVzUMo3E=
+github.com/Azure/go-autorest/logger v0.2.0 h1:e4RVHVZKC5p6UANLJHkM4OfR1UKZPj8Wt8Pcx+3oqrE=
+github.com/Azure/go-autorest/logger v0.2.0/go.mod h1:T9E3cAhj2VqvPOtCYAvby9aBXkZmbF5NWuPV8+WeEW8=
+github.com/Azure/go-autorest/tracing v0.6.0 h1:TYi4+3m5t6K48TGI9AUdb+IzbnSxvnvUMfuitfgcfuo=
+github.com/Azure/go-autorest/tracing v0.6.0/go.mod h1:+vhtPC754Xsa23ID7GlGsrdKBpUA79WCAKPPZVC2DeU=
+github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
+github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4=
+github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible h1:TcekIExNqud5crz4xD2pavyTgWiPvpYe4Xau31I0PRk=
+github.com/form3tech-oss/jwt-go v3.2.2+incompatible/go.mod h1:pbq4aXjuKjdthFRnoDwaVPLA+WlJuPGy+QneDUgJi2k=
+github.com/mitchellh/go-homedir v1.1.0 h1:lukF9ziXFxDFPkA1vsr5zpc1XuPDn/wFntq5mG+4E0Y=
+github.com/mitchellh/go-homedir v1.1.0/go.mod h1:SfyaCUpYCn1Vlf4IUYiD9fPX4A5wJrkLzIz1N1q0pr0=
+github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
+github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
+golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
+golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0 h1:hb9wdF1z5waM+dSIICn1l0DkLVDT3hqhhQsDNUmHPRE=
+golang.org/x/crypto v0.0.0-20201002170205-7f63de1d35b0/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg=
+golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
+golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

main.go

@@ -0,0 +1,92 @@
+package main
+
+import (
+	"context"
+	"fmt"
+	"log"
+	"os"
+	"strings"
+
+	"github.com/Azure/azure-sdk-for-go/services/keyvault/2016-10-01/keyvault"
+	"github.com/Azure/go-autorest/autorest"
+	"github.com/Azure/go-autorest/autorest/azure"
+	"github.com/Azure/go-autorest/autorest/azure/auth"
+)
+
+func main() {
+	vaultName, ok := os.LookupEnv("KEYVAULT_VAULT_NAME")
+	if !ok {
+		log.Fatal("KEYVAULT_VAULT_NAME must be set.")
+	}
+
+	secretName, ok := os.LookupEnv("KEYVAULT_SECRET_NAME")
+	if !ok {
+		log.Fatal("KEYVAULT_SECRET_NAME must be set.")
+	}
+
+	clientID := os.Getenv("MSI_USER_ASSIGNED_CLIENTID")
+
+	keyClient, err := NewKeyVaultClient(vaultName, clientID)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	secret, err := keyClient.GetSecret(secretName)
+	if err != nil {
+		log.Fatal(err)
+	}
+
+	log.Printf("Retrieved secret '%s' from keyvault using MSI", secret)
+}
+
+// KeyVault holds the information for a keyvault instance
+type KeyVault struct {
+	client   *keyvault.BaseClient
+	vaultURL string
+}
+
+// NewKeyVaultClient creates a new keyvault client
+func NewKeyVaultClient(vaultName, clientID string) (*KeyVault, error) {
+	// Change this to change auth method. Add new auth methods to change how
+	// auth is setup
+	authorizer, err := getMSIAuthorizer(clientID)
+	// authorizer, err := getAuthorizerFromEnv()
+	if err != nil {
+		return nil, err
+	}
+
+	keyClient := keyvault.New()
+	keyClient.Authorizer = authorizer
+
+	k := &KeyVault{
+		vaultURL: fmt.Sprintf("https://%s.%s", vaultName, azure.PublicCloud.KeyVaultDNSSuffix),
+		client:   &keyClient,
+	}
+
+	return k, nil
+}
+
+func getMSIAuthorizer(clientID string) (autorest.Authorizer, error) {
+	msiKeyConfig := &auth.MSIConfig{
+		Resource: strings.TrimSuffix(azure.PublicCloud.KeyVaultEndpoint, "/"),
+		ClientID: clientID,
+	}
+
+	return msiKeyConfig.Authorizer()
+}
+
+func getAuthorizerFromEnv() (autorest.Authorizer, error) {
+	return auth.NewAuthorizerFromEnvironment()
+}
+
+// GetSecret retrieves a secret from keyvault
+func (k *KeyVault) GetSecret(keyName string) (string, error) {
+	ctx := context.Background()
+
+	keyBundle, err := k.client.GetSecret(ctx, k.vaultURL, keyName, "")
+	if err != nil {
+		return "", err
+	}
+
+	return *keyBundle.Value, nil
+}

main.tf

@@ -0,0 +1,131 @@
+# Setup the resource group, key vault, and container registry
+provider "azurerm" {
+    features {}
+}
+resource "random_string" "default" {
+    length = 4
+    special = false
+}
+data "azurerm_client_config" "current" {}
+
+locals {
+    name_prefix = "${var.name}-${random_string.default.result}"
+}
+resource "azurerm_resource_group" "default" {
+  name     = "${local.name_prefix}-rsg"
+  location = var.location
+}
+resource "azurerm_key_vault" "default" {
+    name = "${local.name_prefix}-kv"
+    location = var.location
+    tenant_id = data.azurerm_client_config.current.tenant_id
+    sku_name = "standard"
+    resource_group_name = azurerm_resource_group.default.name
+}
+resource "azurerm_key_vault_access_policy" "secret_set" {
+  key_vault_id = azurerm_key_vault.default.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = data.azurerm_client_config.current.object_id
+
+  secret_permissions = [
+    "get",
+    "set",
+    "delete",
+  ]
+}
+resource "azurerm_key_vault_secret" "example" {
+    depends_on = [azurerm_key_vault_access_policy.secret_set]
+    key_vault_id = azurerm_key_vault.default.id
+    name = "test-secret"
+    value = "A Secret"
+}
+resource "azurerm_user_assigned_identity" "default" {
+  resource_group_name = azurerm_resource_group.default.name
+  location            = azurerm_resource_group.default.location
+
+  name = "${var.name}-msi"
+}
+
+resource "azurerm_key_vault_access_policy" "secret_get" {
+  key_vault_id = azurerm_key_vault.default.id
+
+  tenant_id = data.azurerm_client_config.current.tenant_id
+  object_id = azurerm_user_assigned_identity.default.principal_id
+
+  secret_permissions = [
+    "get",
+  ]
+}
+
+resource "azurerm_app_service_plan" "default" {
+  name                = "${local.name_prefix}-svc-plan"
+  resource_group_name = azurerm_resource_group.default.name
+  location            = var.location
+  kind                = "Linux"
+  reserved            = true
+
+  sku {
+    tier = "Standard"
+    size = "S1"
+  }
+}
+
+resource "azurerm_app_service" "default" {
+  name                = "${local.name_prefix}-app"
+  resource_group_name = azurerm_resource_group.default.name
+  location            = var.location
+  app_service_plan_id = azurerm_app_service_plan.default.id
+  https_only          = true
+
+  identity {
+    type = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.default.id]
+  }
+
+  site_config {
+    always_on        = true
+    linux_fx_version = "DOCKER|${var.docker_image}"
+  }
+
+  app_settings = {
+    "WEBSITES_ENABLE_APP_SERVICE_STORAGE" = "false"
+    "WEBSITES_PORT"                       = "8080"
+    "KEYVAULT_VAULT_NAME"                 = "${azurerm_key_vault.default.name}"
+    "KEYVAULT_SECRET_NAME"                = "${azurerm_key_vault_secret.example.name}"
+    "MSI_USER_ASSIGNED_IDENTITY_CLIENTID" = "${azurerm_user_assigned_identity.default.client_id}"
+  }
+  auth_settings {
+    enabled          = false
+  }
+}
+
+resource "azurerm_container_group" "example" {
+  name                = "${local.name_prefix}-container"
+  location            = azurerm_resource_group.default.location
+  resource_group_name = azurerm_resource_group.default.name
+  ip_address_type     = "public"
+  dns_name_label      = "aci-label"
+  os_type             = "Linux"
+  identity {
+    type = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.default.id]
+  }
+
+  container {
+    name   = "hello-world"
+    image  = var.docker_image
+    cpu    = "0.5"
+    memory = "1.5"
+    ports {
+      port     = 443
+      protocol = "TCP"
+    }
+    environment_variables = {
+        "KEYVAULT_VAULT_NAME"                 = "${azurerm_key_vault.default.name}"
+        "KEYVAULT_SECRET_NAME"                = "${azurerm_key_vault_secret.example.name}"
+        "MSI_USER_ASSIGNED_IDENTITY_CLIENTID" = "${azurerm_user_assigned_identity.default.client_id}"
+
+    }
+  }
+}

outputs.tf

@@ -0,0 +1,3 @@
+output "resource_group_name" {
+    value = azurerm_resource_group.default.name
+}

variables.tf

@@ -0,0 +1,10 @@
+variable "name" {
+    description = "Name to use"
+}
+variable "location" {
+    description = "Region to deploy to"
+    default = "westus2"
+}
+variable "docker_image" {
+    description = "Docker image to deploy"
+}