Instead of passing keys and secrets for PaaS resources, we use managed identities. A managed identity is an identity that Azure creates and manages for a resource (a VM, an App Service, an AKS pod); the resource obtains tokens for it without any credential in its configuration, and access to PaaS resources is granted to that identity through RBAC role assignments.
Azure Service Principals are the Azure Active Directory object that represents an application or automation identity and is used for on-behalf-of access to restricted resources. A managed identity (historically called a Managed Service Identity, MSI) is a service principal whose credentials Azure rotates for you; a service principal created by hand, as below, has a client secret or certificate that you must store and rotate yourself.
When running locally there is no managed identity: the Azure SDK credential chain falls back to the account signed in via the az CLI, so your code runs as whatever user and subscription az is currently configured with.
First time configuration
$ az login
Reconfiguration
# Show the account and subscription az is currently using
$ az account show
# List all subscriptions the signed-in account can see
$ az account list
# Select the subscription (by id or name) that az and the SDK will use
$ az account set --subscription <id>
When deploying to Kubernetes, Azure Active Directory (AAD) Pod Identities are used. This is configured through Custom Resource Definitions (CRDs) in Kubernetes: an AzureIdentity describes the managed identity and an AzureIdentityBinding maps pods carrying a given label to it. Note that AAD Pod Identity has since been deprecated in favour of Azure AD Workload Identity; new clusters should use the latter. This is configured here.
Create the service principal. Older versions of the CLI also assigned it the Contributor role at subscription scope by default; current versions assign no role unless --role and --scopes are given. Either way, grant only the data-plane roles you need, at the scope of the resource (see the IAM steps below).
$ az ad sp create-for-rbac --name <ServicePrincipalName>
Output
{
"appId": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"displayName": "ServicePrincipalName",
"name": "http://ServicePrincipalName",
"password": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"tenant": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
Remember this password: it is your client secret, it is shown only once, and if you lose it you will have to reset it (below). Keep it in a secrets manager or a local environment variable, never in git.
# Look up the appId (client id) and object id of the service principal
# (newer CLI versions return the object id in a field named id rather than objectId)
$ az ad sp list --display-name <ServicePrincipalName> --query '[].{appId:appId, objectId:objectId}'
# Generate a new client secret; without --append the existing secret is revoked
$ az ad sp credential reset --name <ServicePrincipalName>
or
$ az ad sp credential reset --name <appId>
- Select your PaaS resource (e.g., the storage account) and select Access Control (IAM).
- Click + Add at the top and select Add role assignment.
- Select the role required, then select your Service Principal as the member. Assign at the scope of the resource, not the subscription, and use the data-plane roles rather than the generic Contributor role:
- Storage Blob Data Contributor
- Storage Queue Data Contributor
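As an added example (not the project's code), the script below takes the create-for-rbac output shown above, rejects placeholder or malformed ids, maps the fields to the AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_CLIENT_SECRET variables that the Azure SDK's EnvironmentCredential reads, and generates the az role assignment commands for the two data-plane roles at storage-account scope. The subscription id, resource group and account name are hypothetical placeholders; the script only builds the commands, it does not call az.

```python
"""Added example (not the project's code): turn `az ad sp create-for-rbac` output
into the SDK environment and least-privilege role assignments at resource scope.
Subscription, resource group and storage account names are hypothetical."""
import json
import re
import shlex

# Data-plane roles from the IAM steps above; Contributor/Owner are deliberately refused.
STORAGE_DATA_ROLES = ("Storage Blob Data Contributor", "Storage Queue Data Contributor")

_GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def parse_sp_output(raw: str) -> dict:
    """Parse the create-for-rbac JSON and reject anything that is not a real GUID,
    so a redacted placeholder (XXXXXXXX-...) cannot be wired into configuration."""
    sp = json.loads(raw)
    for field in ("appId", "tenant"):
        if not _GUID.match(sp.get(field, "")):
            raise ValueError(f"{field} is not a GUID: {sp.get(field)!r}")
    if not sp.get("password"):
        raise ValueError("password (client secret) is missing")
    return sp


def sdk_environment(sp: dict) -> dict:
    """Variables EnvironmentCredential (used by DefaultAzureCredential) reads for a
    client-secret service principal. Export into the process only; never commit."""
    return {
        "AZURE_CLIENT_ID": sp["appId"],
        "AZURE_TENANT_ID": sp["tenant"],
        "AZURE_CLIENT_SECRET": sp["password"],
    }


def storage_account_scope(subscription_id: str, resource_group: str, account: str) -> str:
    """ARM resource id used as --scope so the role applies to one storage account only."""
    if not _GUID.match(subscription_id):
        raise ValueError("subscription id is not a GUID")
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Storage/storageAccounts/{account}")


def role_assignment_commands(sp: dict, scope: str, roles=STORAGE_DATA_ROLES) -> list:
    """One `az role assignment create` per role, pinned to the resource scope.
    Control-plane roles are refused: a workload identity gets data-plane roles only."""
    cmds = []
    for role in roles:
        if role in ("Owner", "Contributor"):
            raise ValueError(f"refusing control-plane role {role!r} for a workload identity")
        cmds.append("az role assignment create "
                    f"--assignee {sp['appId']} --role {shlex.quote(role)} --scope {scope}")
    return cmds


if __name__ == "__main__":
    # Constructed sample standing in for real create-for-rbac output.
    sample = json.dumps({
        "appId": "11111111-2222-3333-4444-555555555555",
        "displayName": "ingest-sp",
        "password": "example-secret",
        "tenant": "66666666-7777-8888-9999-000000000000",
    })
    sp = parse_sp_output(sample)
    scope = storage_account_scope("aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "rg-ingest", "stingest")
    for cmd in role_assignment_commands(sp, scope):
        print(cmd)
```

The scope string is the resource id you would also find under the storage account's Properties blade; assigning at that scope rather than `/subscriptions/<id>` is what keeps the principal from reaching other accounts in the subscription.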
Google Service Accounts are akin to Azure Active Directory Service Principals and must be configured for the Ingestion API to gain access to PaaS resources.
NOTE: You must set the GOOGLE_APPLICATION_CREDENTIALS environment variable when running outside Google Cloud. On GKE no key file is needed: the pod obtains credentials through Application Default Credentials (Workload Identity, or the node's service account).
- Create a service account in GCP
- Go to https://console.developers.google.com/iam-admin/iam?project=[YOUR-PROJECT-ID]
- Navigate to Service Accounts
- Create Service Account and create a Key (JSON format)
- Set Roles for the Service account
- Download the JSON key from the GCP console and store it locally with owner-only permissions (chmod 600), outside any git working tree
- Set the GOOGLE_APPLICATION_CREDENTIALS environment variable (shown below)
bash/zsh:
$ export GOOGLE_APPLICATION_CREDENTIALS="<path to JSON file>"
PowerShell:
> $env:GOOGLE_APPLICATION_CREDENTIALS="<path to JSON file>"
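As an added example (not the project's code), the script below checks the key file that GOOGLE_APPLICATION_CREDENTIALS will point at before a local run: that it is a service-account key with the fields a real one carries, that it is not group/world readable, and that it does not sit inside a git working tree. The sample key it writes is constructed and non-functional (the private key body is a stub); the file names are hypothetical.

```python
"""Added example (not the project's code): hygiene checks for the service-account
key file behind GOOGLE_APPLICATION_CREDENTIALS. The sample key is constructed."""
import json
import os
import stat
import tempfile
from pathlib import Path

REQUIRED_FIELDS = ("type", "project_id", "private_key_id", "private_key",
                   "client_email", "token_uri")


def check_key_file(path: str) -> list:
    """Return a list of findings; an empty list means the key looks usable and is
    stored sensibly. Findings rather than exceptions, so every problem is reported."""
    findings = []
    p = Path(path)
    if not p.is_file():
        return [f"{path}: file not found"]
    mode = stat.S_IMODE(p.stat().st_mode)
    if mode & 0o077:
        findings.append(f"{path}: readable by group/other (mode {mode:o}); chmod 600")
    # Walk up from the key's directory; any ancestor holding .git means it is in a repo.
    for parent in p.resolve().parents:
        if (parent / ".git").exists():
            findings.append(f"{path}: lives inside git repository {parent}; keep keys out of the tree")
            break
    try:
        key = json.loads(p.read_text())
    except ValueError as exc:
        return findings + [f"{path}: not valid JSON ({exc})"]
    missing = [f for f in REQUIRED_FIELDS if f not in key]
    if missing:
        findings.append(f"{path}: missing fields {missing}")
    if key.get("type") != "service_account":
        findings.append(f"{path}: type is {key.get('type')!r}, expected 'service_account'")
    if not str(key.get("private_key", "")).startswith("-----BEGIN PRIVATE KEY-----"):
        findings.append(f"{path}: private_key is not a PEM PKCS#8 block")
    return findings


def adc_environment(path: str) -> dict:
    """The variable to export, resolved to an absolute path so a cwd change cannot break ADC."""
    return {"GOOGLE_APPLICATION_CREDENTIALS": str(Path(path).resolve())}


def write_sample_key(directory: str, name: str = "key.json") -> str:
    """Write a constructed, non-functional key with the shape of a real one, mode 0600."""
    key = {
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "0123456789abcdef",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...stub...\n-----END PRIVATE KEY-----\n",
        "client_email": "ingest@example-project.iam.gserviceaccount.com",
        "client_id": "123456789",
        "token_uri": "https://oauth2.googleapis.com/token",
    }
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(key, fh)
    os.chmod(path, 0o600)  # os.open honours umask; pin the mode regardless
    return path


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        path = write_sample_key(d)
        print(check_key_file(path) or "ok")
        os.chmod(path, 0o644)           # simulate a carelessly copied key
        print(check_key_file(path))
        print(adc_environment(path))
```

Run it against your real key path before exporting the variable; a permissions or in-repo finding is the kind of mistake that later shows up as a leaked key in a commit history.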