diff --git a/backend/remote-state/azure/arm_client.go b/backend/remote-state/azure/arm_client.go index bcc511a44..ff6ff9200 100644 --- a/backend/remote-state/azure/arm_client.go +++ b/backend/remote-state/azure/arm_client.go @@ -80,17 +80,19 @@ func buildArmClient(config BackendConfig) (*ArmClient, error) { return nil, err } - auth, err := armConfig.GetAuthorizationToken(oauthConfig, env.TokenAudience) + sender := buildSender() + + auth, err := armConfig.GetAuthorizationToken(sender, oauthConfig, env.TokenAudience) if err != nil { return nil, err } accountsClient := armStorage.NewAccountsClientWithBaseURI(env.ResourceManagerEndpoint, armConfig.SubscriptionID) - client.configureClient(&accountsClient.Client, auth) + client.configureClient(&accountsClient.Client, sender, auth) client.storageAccountsClient = &accountsClient groupsClient := resources.NewGroupsClientWithBaseURI(env.ResourceManagerEndpoint, armConfig.SubscriptionID) - client.configureClient(&groupsClient.Client, auth) + client.configureClient(&groupsClient.Client, sender, auth) client.groupsClient = &groupsClient return &client, nil @@ -151,10 +153,10 @@ func (c ArmClient) getBlobClient(ctx context.Context) (*storage.BlobStorageClien return &client, nil } -func (c *ArmClient) configureClient(client *autorest.Client, auth autorest.Authorizer) { +func (c *ArmClient) configureClient(client *autorest.Client, sender autorest.Sender, auth autorest.Authorizer) { client.UserAgent = buildUserAgent() client.Authorizer = auth - client.Sender = buildSender() + client.Sender = sender client.SkipResourceProviderRegistration = false client.PollingDuration = 60 * time.Minute } diff --git a/go.mod b/go.mod index 6ba3e79de..4a1e1c9d8 100644 --- a/go.mod +++ b/go.mod @@ -5,9 +5,6 @@ require ( github.com/Azure/azure-sdk-for-go v31.2.0+incompatible github.com/Azure/go-autorest/autorest v0.5.0 github.com/Azure/go-autorest/autorest/adal v0.2.0 - github.com/Azure/go-autorest/autorest/azure/cli v0.1.0 // indirect - github.com/Azure/go-autorest/autorest/to v0.2.0 // indirect - github.com/Azure/go-autorest/autorest/validation v0.1.0 // indirect github.com/Unknwon/com v0.0.0-20151008135407-28b053d5a292 // indirect github.com/abdullin/seq v0.0.0-20160510034733-d5467c17e7af // indirect github.com/agext/levenshtein v1.2.2 @@ -48,7 +45,7 @@ require ( github.com/hashicorp/aws-sdk-go-base v0.2.0 github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089 github.com/hashicorp/errwrap v1.0.0 - github.com/hashicorp/go-azure-helpers v0.0.0-20190129193224-166dfd221bb2 + github.com/hashicorp/go-azure-helpers v0.5.0 github.com/hashicorp/go-checkpoint v0.5.0 github.com/hashicorp/go-cleanhttp v0.5.0 github.com/hashicorp/go-getter v1.3.1-0.20190627223108-da0323b9545e diff --git a/go.sum b/go.sum index 642582641..5b19c3e22 100644 --- a/go.sum +++ b/go.sum @@ -11,12 +11,10 @@ dmitri.shuralyov.com/html/belt v0.0.0-20180602232347-f7d459c86be0/go.mod h1:JLBr dmitri.shuralyov.com/service/change v0.0.0-20181023043359-a85b471d5412/go.mod h1:a1inKt/atXimZ4Mv927x+r7UpyzRUf4emIoiiSC2TN4= dmitri.shuralyov.com/state v0.0.0-20180228185332-28bcc343414c/go.mod h1:0PRwlb0D6DFvNNtx+9ybjezNCa8XF0xaYcETyp6rHWU= git.apache.org/thrift.git v0.0.0-20180902110319-2566ecd5d999/go.mod h1:fPE2ZNJGynbRyZ4dJvy6G277gSllfV2HJqblrnkyeyg= -github.com/Azure/azure-sdk-for-go v21.3.0+incompatible h1:YFvAka2WKAl2xnJkYV1e1b7E2z88AgFszDzWU18ejMY= -github.com/Azure/azure-sdk-for-go v21.3.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= +github.com/Azure/azure-sdk-for-go v31.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v31.2.0+incompatible h1:kZFnTLmdQYNGfakatSivKHUfUnDZhqNdchHD4oIhp5k= github.com/Azure/azure-sdk-for-go v31.2.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= -github.com/Azure/go-autorest v12.3.0+incompatible h1:iw0EvmwwEhv8JzEFfbKNJjnrHJqiH5NlKqhdYiKXRUQ= -github.com/Azure/go-autorest v12.3.0+incompatible/go.mod h1:r+4oMnoxhatjLLJ6zxSWATqVooLgysK6ZNox3g/xq24= +github.com/Azure/go-autorest/autorest v0.3.0/go.mod h1:AKyIcETwSUFxIcs/Wnq/C+kwCtlEYGUVd7FPNb2slmg= github.com/Azure/go-autorest/autorest v0.5.0 h1:Mlm9qy2fpQ9MvfyI41G2Zf5B4CsgjjNbLOWszfK6KrY= github.com/Azure/go-autorest/autorest v0.5.0/go.mod h1:9HLKlQjVBH6U3oDfsXOeVc56THsLPw1L03yban4xThw= github.com/Azure/go-autorest/autorest/adal v0.1.0/go.mod h1:MeS4XhScH55IST095THyTxElntu7WqB7pNbZo8Q5G3E= @@ -126,8 +124,6 @@ github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/dgrijalva/jwt-go v3.2.0+incompatible h1:7qlOGliEKZXTDg6OTjfoBKDXWrumCAMpl/TFQ4/5kLM= github.com/dgrijalva/jwt-go v3.2.0+incompatible/go.mod h1:E3ru+11k8xSBh+hMPgOLZmtrrCbhqsmaPHjLKYnJCaQ= -github.com/dimchansky/utfbom v1.0.0 h1:fGC2kkf4qOoKqZ4q7iIh+Vef4ubC1c38UDsEyZynZPc= -github.com/dimchansky/utfbom v1.0.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dimchansky/utfbom v1.1.0 h1:FcM3g+nofKgUteL8dm/UpdRXNC9KmADgTpLKsu0TRo4= github.com/dimchansky/utfbom v1.1.0/go.mod h1:rO41eb7gLfo8SF1jd9F8HplJm1Fewwi4mQvIirEdv+8= github.com/dnaeon/go-vcr v0.0.0-20180920040454-5637cf3d8a31 h1:Dzuw9GtbmllUqEcoHfScT9YpKFUssSiZ5PgZkIGf/YQ= @@ -213,8 +209,8 @@ github.com/hashicorp/consul v0.0.0-20171026175957-610f3c86a089/go.mod h1:mFrjN1m github.com/hashicorp/errwrap v0.0.0-20180715044906-d6c0cd880357/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= github.com/hashicorp/errwrap v1.0.0 h1:hLrqtEDnRye3+sgx6z4qVLNuviH3MR5aQ0ykNJa/UYA= github.com/hashicorp/errwrap v1.0.0/go.mod h1:YH+1FKiLXxHSkmPseP+kNlulaMuP3n2brvKWEqk/Jc4= -github.com/hashicorp/go-azure-helpers v0.0.0-20190129193224-166dfd221bb2 h1:VBRx+yPYUZaobnn5ANBcOUf4hhWpTHSQgftG4TcDkhI= -github.com/hashicorp/go-azure-helpers v0.0.0-20190129193224-166dfd221bb2/go.mod h1:lu62V//auUow6k0IykxLK2DCNW8qTmpm8KqhYVWattA= +github.com/hashicorp/go-azure-helpers v0.5.0 h1:GW5YJKeeMfyIEZjiVf84Av2W6FizMwS1OYLtDwDwah0= +github.com/hashicorp/go-azure-helpers v0.5.0/go.mod h1:1kVoV5ZV0b/Wc/Rck7dKgW0MhmUrZiRxt/OnG42Yeow= github.com/hashicorp/go-checkpoint v0.5.0 h1:MFYpPZCnQqQTE18jFwSII6eUQrD/oxMFp3mlgcqk5mU= github.com/hashicorp/go-checkpoint v0.5.0/go.mod h1:7nfLNL10NsxqO4iWuW6tWW0HjZuDrwkBuEQsVcpCOgg= github.com/hashicorp/go-cleanhttp v0.5.0 h1:wvCrVc9TjDls6+YGAF2hAifE1E5U1+b4tH6KdvN3Gig= @@ -499,7 +495,6 @@ golang.org/x/build v0.0.0-20190111050920-041ab4dc3f9d/go.mod h1:OWs+y06UdEOHN4y+ golang.org/x/crypto v0.0.0-20180816225734-aabede6cba87/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20180904163835-0709b304e793/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20181030102418-4d3f4d9ffa16/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= -golang.org/x/crypto v0.0.0-20181112202954-3d3f9f413869/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2 h1:NwxKRvbkH5MsNkvOtPZi3/3kmI8CAzs3mtv+GLQMkNo= golang.org/x/crypto v0.0.0-20190219172222-a4c6cb3142f2/go.mod h1:6SG95UA2DQfeDnfUPMdvaQW0Q7yPrPDi9nlGo2tz2b4= golang.org/x/crypto v0.0.0-20190222235706-ffb98f73852f h1:qWFY9ZxP3tfI37wYIs/MnIAqK0vlXp1xnYEa5HxFSSY= diff --git a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method.go b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method.go index d599b2eee..cbc73d562 100644 --- a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method.go +++ b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method.go @@ -10,7 +10,7 @@ type authMethod interface { isApplicable(b Builder) bool - getAuthorizationToken(oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) + getAuthorizationToken(sender autorest.Sender, oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) name() string diff --git a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_azure_cli_token.go b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_azure_cli_token.go index 8f0927527..184037d1b 100644 --- a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_azure_cli_token.go +++ b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_azure_cli_token.go @@ -15,6 +15,7 @@ import ( type azureCliTokenAuth struct { profile *azureCLIProfile + servicePrincipalAuthDocsLink string } func (a azureCliTokenAuth) build(b Builder) (authMethod, error) { @@ -25,6 +26,7 @@ func (a azureCliTokenAuth) build(b Builder) (authMethod, error) { subscriptionId: b.SubscriptionID, tenantId: b.TenantID, }, + servicePrincipalAuthDocsLink: b.ClientSecretDocsLink, } profilePath, err := cli.ProfilePath() if err != nil { @@ -38,6 +40,17 @@ func (a azureCliTokenAuth) build(b Builder) (authMethod, error) { auth.profile.profile = profile + // Authenticating as a Service Principal doesn't return all of the information we need for authentication purposes + // as such Service Principal authentication is supported using the specific auth method + if authenticatedAsAUser := auth.profile.verifyAuthenticatedAsAUser(); !authenticatedAsAUser { + return nil, fmt.Errorf(`Authenticating using the Azure CLI is only supported as a User (not a Service Principal). + +To authenticate to Azure using a Service Principal, you can use the separate 'Authenticate using a Service Principal' +auth method - instructions for which can be found here: %s + +Alternatively you can authenticate using the Azure CLI by using a User Account.`, auth.servicePrincipalAuthDocsLink) + } + err = auth.profile.populateFields() if err != nil { return nil, fmt.Errorf("Error retrieving the Profile from the Azure CLI: %s Please re-authenticate using `az login`.", err) @@ -55,7 +68,7 @@ func (a azureCliTokenAuth) isApplicable(b Builder) bool { return b.SupportsAzureCliToken } -func (a azureCliTokenAuth) getAuthorizationToken(oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { +func (a azureCliTokenAuth) getAuthorizationToken(sender autorest.Sender, oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { // the Azure CLI appears to cache these, so to maintain compatibility with the interface this method is intentionally not on the pointer token, err := obtainAuthorizationToken(endpoint, a.profile.subscriptionId) if err != nil { diff --git a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_client_cert.go b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_client_cert.go index 00a0d2794..f6dd9b77e 100644 --- a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_client_cert.go +++ b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_client_cert.go @@ -41,7 +41,7 @@ func (a servicePrincipalClientCertificateAuth) name() string { return "Service Principal / Client Certificate" } -func (a servicePrincipalClientCertificateAuth) getAuthorizationToken(oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { +func (a servicePrincipalClientCertificateAuth) getAuthorizationToken(sender autorest.Sender, oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { certificateData, err := ioutil.ReadFile(a.clientCertPath) if err != nil { return nil, fmt.Errorf("Error reading Client Certificate %q: %v", a.clientCertPath, err) @@ -58,6 +58,8 @@ func (a servicePrincipalClientCertificateAuth) getAuthorizationToken(oauthConfig return nil, err } + spt.SetSender(sender) + err = spt.Refresh() if err != nil { return nil, err diff --git a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_client_secret.go b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_client_secret.go index 4e41d5a93..f31bc20e8 100644 --- a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_client_secret.go +++ b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_client_secret.go @@ -33,11 +33,12 @@ func (a servicePrincipalClientSecretAuth) name() string { return "Service Principal / Client Secret" } -func (a servicePrincipalClientSecretAuth) getAuthorizationToken(oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { +func (a servicePrincipalClientSecretAuth) getAuthorizationToken(sender autorest.Sender, oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { spt, err := adal.NewServicePrincipalToken(*oauthConfig, a.clientId, a.clientSecret, endpoint) if err != nil { return nil, err } + spt.SetSender(sender) auth := autorest.NewBearerAuthorizer(spt) return auth, nil diff --git a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_msi.go b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_msi.go index 9b0de8f5d..883df2607 100644 --- a/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_msi.go +++ b/vendor/github.com/hashicorp/go-azure-helpers/authentication/auth_method_msi.go @@ -39,11 +39,14 @@ func (a managedServiceIdentityAuth) name() string { return "Managed Service Identity" } -func (a managedServiceIdentityAuth) getAuthorizationToken(oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { +func (a managedServiceIdentityAuth) getAuthorizationToken(sender autorest.Sender, oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { spt, err := adal.NewServicePrincipalTokenFromMSI(a.endpoint, endpoint) if err != nil { return nil, err } + + spt.SetSender(sender) + auth := autorest.NewBearerAuthorizer(spt) return auth, nil } diff --git a/vendor/github.com/hashicorp/go-azure-helpers/authentication/azure_cli_profile.go b/vendor/github.com/hashicorp/go-azure-helpers/authentication/azure_cli_profile.go index 39fb30ddd..187602401 100644 --- a/vendor/github.com/hashicorp/go-azure-helpers/authentication/azure_cli_profile.go +++ b/vendor/github.com/hashicorp/go-azure-helpers/authentication/azure_cli_profile.go @@ -1,6 +1,8 @@ package authentication import ( + "strings" + "github.com/Azure/go-autorest/autorest/azure/cli" ) @@ -33,3 +35,18 @@ func (a *azureCLIProfile) populateFields() error { // always pull the environment from the Azure CLI, since the Access Token's associated with it return a.populateEnvironment() } + +func (a *azureCLIProfile) verifyAuthenticatedAsAUser() bool { + for _, subscription := range a.profile.Subscriptions { + if subscription.User == nil { + continue + } + + authenticatedAsAUser := strings.EqualFold(subscription.User.Type, "user") + if authenticatedAsAUser { + return true + } + } + + return false +} \ No newline at end of file diff --git a/vendor/github.com/hashicorp/go-azure-helpers/authentication/builder.go b/vendor/github.com/hashicorp/go-azure-helpers/authentication/builder.go index e37e8b137..8a187c6bb 100644 --- a/vendor/github.com/hashicorp/go-azure-helpers/authentication/builder.go +++ b/vendor/github.com/hashicorp/go-azure-helpers/authentication/builder.go @@ -33,6 +33,7 @@ type Builder struct { // Service Principal (Client Secret) Auth SupportsClientSecretAuth bool ClientSecret string + ClientSecretDocsLink string } // Build takes the configuration from the Builder and builds up a validated Config diff --git a/vendor/github.com/hashicorp/go-azure-helpers/authentication/config.go b/vendor/github.com/hashicorp/go-azure-helpers/authentication/config.go index c3068152f..90b78fce0 100644 --- a/vendor/github.com/hashicorp/go-azure-helpers/authentication/config.go +++ b/vendor/github.com/hashicorp/go-azure-helpers/authentication/config.go @@ -22,8 +22,8 @@ type Config struct { } // GetAuthorizationToken returns an authorization token for the authentication method defined in the Config -func (c Config) GetAuthorizationToken(oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { - return c.authMethod.getAuthorizationToken(oauthConfig, endpoint) +func (c Config) GetAuthorizationToken(sender autorest.Sender, oauthConfig *adal.OAuthConfig, endpoint string) (*autorest.BearerAuthorizer, error) { + return c.authMethod.getAuthorizationToken(sender, oauthConfig, endpoint) } func (c Config) validate() (*Config, error) { diff --git a/vendor/modules.txt b/vendor/modules.txt index 768ad16df..23329b6fe 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -312,7 +312,7 @@ github.com/hashicorp/consul/lib/freeport github.com/hashicorp/consul/testutil/retry # github.com/hashicorp/errwrap v1.0.0 github.com/hashicorp/errwrap -# github.com/hashicorp/go-azure-helpers v0.0.0-20190129193224-166dfd221bb2 +# github.com/hashicorp/go-azure-helpers v0.5.0 github.com/hashicorp/go-azure-helpers/authentication github.com/hashicorp/go-azure-helpers/storage # github.com/hashicorp/go-checkpoint v0.5.0