[feature] Allow juju to bootstrap on Azure via managed identity credentials

Bug #2051929 reported by Diko Parvanov
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical Juju

Bug Description

Seems the current auth types are interactive, service-principal-secret, but no way to use managed identity (https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) - it would be good to have this option, as we do with IAM roles in AWS - where we don't have to manually manage credentials, but the applications themselves trying to interact with bootstrapping a juju controller on Azure can extract such via the metadata service in an instance.

This will be particularly useful when automating the bootstrapping of juju controller on Azure without any user intervention.

Diko Parvanov (dparv)
description: updated
Ian Booth (wallyworld)
tags: added: azure-provider
Changed in juju:
status: New → Triaged
importance: Undecided → Wishlist
Revision history for this message
John A Meinel (jameinel) wrote :

As a feature, this gets put into Wishlist, but we are evaluating our roadmap and figuring out how we can pull this in.

Revision history for this message
Ian Booth (wallyworld) wrote (last edit ):

Referencing the Juju AWS IAM support, can you confirm the workflow you would prefer to use?
Note: we would be reusing the term "instance-role" to refer to the managed identity name, since this is the name of the constraint attribute already chosen and constraint attributes are used across providers.

For AWS we support 2 workflows. So we could do the same for Azure...

1. Have Juju create a suitable managed identity similar to what we do AWS:

$ juju bootstrap --bootstrap-constraints="instance-role=auto" azure

2. Create a user assigned managed identity "foo" in resource group "myrg", assign permissions, then

$ juju bootstrap -bootstrap-constraints="instance-role=foo" --config resource-group-name=myrg azure

I guess you'd want to be able to use either workflow?

Revision history for this message
Ian Booth (wallyworld) wrote :

The other thing is that we already have a "Juju" Enterprise Application set up, with relevant roles defined. We could look at simply assigning the required role to the controller vms when they are provisioned (if "auto" is specified for the constraint). I am not 100% sure, but maybe this is all we'd need to do to allow a zero config ManagedIdentityCredential to be used by the controller to operate the cloud.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.