in pkg/auth/cred.go [49:107]
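// NewCredential builds an azcore.TokenCredential that exchanges the Azure AD
// Workload Identity service-account token for an AAD access token through an
// MSAL confidential client. Under E2E_TEST_MODE the assertion credential is
// replaced by a certificate credential obtained through authorizer (see
// getE2ETestingCert); that branch exists for test runs only.
//
// cfg supplies TenantID and UserAssignedIdentityID (the confidential client's
// client ID). It returns an error when cfg is nil, when the webhook-injected
// environment variables are missing, or when the certificate or the
// confidential client cannot be constructed.
func NewCredential(cfg *Config, authorizer autorest.Authorizer) (azcore.TokenCredential, error) {
	if cfg == nil {
		return nil, fmt.Errorf("failed to create credential, nil config provided")
	}
	// Azure AD Workload Identity webhook will inject the following env vars:
	// AZURE_FEDERATED_TOKEN_FILE is the service account token path
	// AZURE_AUTHORITY_HOST is the AAD authority hostname
	tokenFilePath := os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
	authority := os.Getenv("AZURE_AUTHORITY_HOST")
	if tokenFilePath == "" || authority == "" {
		return nil, fmt.Errorf("required environment variables not set, AZURE_FEDERATED_TOKEN_FILE: %s, AZURE_AUTHORITY_HOST: %s", tokenFilePath, authority)
	}
	// The authority is concatenated with the tenant ID below; guarantee exactly
	// one separator so a host value without a trailing slash does not run
	// straight into the tenant ID. (authority is non-empty here.)
	if authority[len(authority)-1] != '/' {
		authority += "/"
	}

	c := &ClientAssertionCredential{file: tokenFilePath}

	var (
		cred confidential.Credential
		err  error
	)
	if utils.WithDefaultBool("E2E_TEST_MODE", false) {
		cred, err = e2eCertCredential(authorizer)
	} else {
		// Production path: the assertion is the projected service-account
		// token, re-read from disk on every request so a rotated token is
		// picked up without restarting.
		cred = confidential.NewCredFromAssertionCallback(
			func(ctx context.Context, _ confidential.AssertionRequestOptions) (string, error) {
				return c.readJWTFromFS()
			},
		)
	}
	if err != nil {
		return nil, err
	}

	// create the confidential client to request an AAD token
	confidentialClientApp, err := confidential.New(
		fmt.Sprintf("%s%s/oauth2/token", authority, cfg.TenantID),
		cfg.UserAssignedIdentityID,
		cred)
	if err != nil {
		return nil, fmt.Errorf("failed to create confidential client app: %w", err)
	}
	c.client = confidentialClientApp
	return c, nil
}

// e2eCertCredential builds a certificate-based MSAL credential from the PEM
// bundle returned by getE2ETestingCert. It is only used under E2E_TEST_MODE.
func e2eCertCredential(authorizer autorest.Authorizer) (confidential.Credential, error) {
	armClientCert, err := getE2ETestingCert(authorizer)
	if err != nil {
		return confidential.Credential{}, err
	}
	certPEM, keyPEM := splitPEMBlock([]byte(to.String(armClientCert)))
	if len(certPEM) == 0 {
		return confidential.Credential{}, errors.New("malformed cert pem format")
	}
	if len(keyPEM) == 0 {
		return confidential.Credential{}, errors.New("malformed key pem format")
	}
	// Load client cert; this also parses the private key into cert.PrivateKey.
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return confidential.Credential{}, err
	}
	// tls.X509KeyPair only populates Leaf from Go 1.23 onward; on older
	// toolchains it is nil and a nil *x509.Certificate would be handed to
	// MSAL. Parse the first chain element explicitly in that case.
	leaf := cert.Leaf
	if leaf == nil {
		leaf, err = x509.ParseCertificate(cert.Certificate[0])
		if err != nil {
			return confidential.Credential{}, fmt.Errorf("parsing client cert leaf: %w", err)
		}
	}
	// MSAL signs the client assertion with a crypto.PrivateKey; pass the parsed
	// key rather than the raw PEM bytes, which cannot be used for signing.
	return confidential.NewCredFromCert([]*x509.Certificate{leaf}, cert.PrivateKey)
}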