Canonical Juju

[feature] Allow juju to bootstrap on Azure via managed identity credentials

Bug #2051929 reported by Diko Parvanov on 2024-02-01

This bug affects 1 person

Affects		Status	Importance	Assigned to	Milestone
	Canonical Juju	Triaged	Wishlist	Unassigned

Bug Description

Seems the current auth types are interactive, service-principal-secret, but no way to use managed identity (https://learn.microsoft.com/en-us/entra/identity/managed-identities-azure-resources/overview) - it would be good to have this option, as we do with IAM roles in AWS - where we don't have to manually manage credentials, but the applications themselves trying to interact with bootstrapping a juju controller on Azure can extract such via the metadata service in an instance.

This will be particularly useful when automating the bootstrapping of juju controller on Azure without any user intervention.

See original description

Tags:

Diko Parvanov (dparv) on 2024-02-02

description:

updated

Ian Booth (wallyworld) on 2024-02-22

tags:	added: azure-provider
Changed in juju:
status:	New → Triaged
importance:	Undecided → Wishlist

Revision history for this message

John A Meinel (jameinel) wrote on 2024-02-22:

As a feature, this gets put into Wishlist, but we are evaluating our roadmap and figuring out how we can pull this in.

Revision history for this message

Ian Booth (wallyworld) wrote on 2024-02-22 (last edit on 2024-02-22):

Referencing the Juju AWS IAM support, can you confirm the workflow you would prefer to use?
Note: we would be reusing the term "instance-role" to refer to the managed identity name, since this is the name of the constraint attribute already chosen and constraint attributes are used across providers.

For AWS we support 2 workflows. So we could do the same for Azure...

1. Have Juju create a suitable managed identity similar to what we do AWS:

$ juju bootstrap --bootstrap-constraints="instance-role=auto" azure

2. Create a user assigned managed identity "foo" in resource group "myrg", assign permissions, then

$ juju bootstrap -bootstrap-constraints="instance-role=foo" --config resource-group-name=myrg azure

I guess you'd want to be able to use either workflow?

Revision history for this message

Ian Booth (wallyworld) wrote on 2024-02-23:

The other thing is that we already have a "Juju" Enterprise Application set up, with relevant roles defined. We could look at simply assigning the required role to the controller vms when they are provisioned (if "auto" is specified for the constraint). I am not 100% sure, but maybe this is all we'd need to do to allow a zero config ManagedIdentityCredential to be used by the controller to operate the cloud.

Report a bug

This report contains Public information

Everyone can see this information.

You are

Subscribing...

Edit bug mail

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.