feat: Add Azure instance identitity authentication (#1064)

This enables zero-trust authentication for Azure instances. Now
we support the three major clouds: AWS, Azure, and GCP 😎.
Kyle Carberry
2022-04-19 08:48:13 -05:00
committed by GitHub
parent 118a47e4e1
commit c8246e3e8a
13 changed files with 348 additions and 15 deletions


@ -8,6 +8,7 @@ import (
"net/http"
"github.com/coder/coder/coderd/awsidentity"
"github.com/coder/coder/coderd/azureidentity"
"github.com/coder/coder/coderd/database"
"github.com/coder/coder/coderd/httpapi"
"github.com/coder/coder/codersdk"
@ -15,6 +16,23 @@ import (
"github.com/mitchellh/mapstructure"
)
// Azure supports instance identity verification:
// https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux#tabgroup_14
func (api *api) postWorkspaceAuthAzureInstanceIdentity(rw http.ResponseWriter, r *http.Request) {
var req codersdk.AzureInstanceIdentityToken
if !httpapi.Read(rw, r, &req) {
return
}
instanceID, err := azureidentity.Validate(r.Context(), req.Signature, api.AzureCertificates)
if err != nil {
httpapi.Write(rw, http.StatusUnauthorized, httpapi.Response{
Message: fmt.Sprintf("validate: %s", err),
})
return
}
api.handleAuthInstanceID(rw, r, instanceID)
}
// AWS supports instance identity verification:
// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html
// Using this, we can exchange a signed instance payload for an agent token.
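Review bot: The 401 path in postWorkspaceAuthAzureInstanceIdentity echoes the raw error from `azureidentity.Validate` to an unauthenticated caller (`Message: fmt.Sprintf("validate: %s", err)`), which turns the verifier into an oracle for exactly why a forged or replayed document was rejected (chain, parse, timestamp) — prefer a fixed message such as `Message: "invalid azure instance identity token"` and keep `err` server-side in a log if the api carries a logger (not visible here). Nothing in this hunk shows whether `Validate` enforces the attested document's timestamp/expiry or binds a nonce; if it does not, a signed document harvested from a VM's IMDS endpoint stays exchangeable for an agent token indefinitely, so the handler comment should state the freshness guarantee it relies on, e.g. `// Validate is expected to reject documents outside their expiresOn window; see azureidentity.` Whether this mirrors the AWS handler's error reporting cannot be confirmed from here, since that function's body lies outside the hunk.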