Add configuration for auth

Author: reinkrul

crypto/cmd/cmd.go

@@ -47,6 +47,7 @@ func FlagSet() *pflag.FlagSet {
 	flags.String("crypto.azurekv.url", defs.AzureKeyVault.URL, "The URL of the Azure Key Vault.")
 	flags.Duration("crypto.azurekv.timeout", defs.AzureKeyVault.Timeout, "Timeout of client calls to Azure Key Vault, in Golang time.Duration string format (e.g. 10s).")
 	flags.Bool("crypto.azurekv.hsm", defs.AzureKeyVault.UseHSM, fmt.Sprintf("Whether to store the key in a hardware security module (HSM). If true, the Azure Key Vault must be configured for HSM usage. Default: %t", defs.AzureKeyVault.UseHSM))
+	flags.String("crypto.azurekv.credential.type", defs.AzureKeyVault.Credential.Type, fmt.Sprintf("Credential type to use when authenticating to the Azure Key Vault. Options: %s, %s (see https://github.com/Azure/azure-sdk-for-go/blob/main/sdk/azidentity/README.md for an explanation of the options).", azure.DefaultChainCredentialType, azure.ManagedIdentityCredentialType))
 	flags.String("crypto.external.address", defs.External.Address, "Address of the external storage service.")
 	flags.Duration("crypto.external.timeout", defs.External.Timeout, "Time-out when invoking the external storage backend, in Golang time.Duration string format (e.g. 1s).")
 

crypto/storage/azure/interface.go

@@ -34,13 +34,24 @@ type Config struct {
 	// UseHSM specifies whether	to store the key in a hardware security module (HSM).
 	// If true, the Azure Key Vault must be configured for HSM usage.
 	UseHSM bool `koanf:"hsm"`
+	// Credential specifies the credential to use for authentication to the Azure Key Vault.
+	Credential CredentialConfig `koanf:"credential"`
+}
+
+// CredentialConfig contains the config options to configure the credential to use for authentication to the Azure Key Vault.
+type CredentialConfig struct {
+	// Type specifies the type of credential to use for authentication to the Azure Key Vault.
+	Type string `koanf:"type"`
 }
 
 // DefaultConfig returns the default configuration for the Azure Key Vault storage backend.
 func DefaultConfig() Config {
 	return Config{
 		Timeout: 10 * time.Second,
 		UseHSM:  false,
+		Credential: CredentialConfig{
+			Type: DefaultChainCredentialType,
+		},
 	}
 }
 

crypto/storage/azure/keyvault.go

@@ -40,13 +40,18 @@ import (
 	"time"
 )
 
+const (
+	DefaultChainCredentialType    string = "default"
+	ManagedIdentityCredentialType string = "managed_identity"
+)
+
 // New creates a new Azure Key Vault storage backend.
 // If useHSM is true, the key type will be azkeys.KeyTypeECHSM, otherwise azkeys.KeyTypeEC.
-func New(keyVaultUrl string, timeout time.Duration, useHSM bool) (spi.Storage, error) {
+func New(keyVaultUrl string, timeout time.Duration, useHSM bool, credentialType string) (spi.Storage, error) {
 	if keyVaultUrl == "" {
 		return nil, errors.New("missing Azure Key Vault URL")
 	}
-	credential, err := azidentity.NewManagedIdentityCredential(nil)
+	credential, err := createCredential(credentialType)
 	if err != nil {
 		return nil, err
 	}
@@ -57,6 +62,17 @@ func New(keyVaultUrl string, timeout time.Duration, useHSM bool) (spi.Storage, e
 	return &keyvault{client: client, timeOut: timeout, useHSM: useHSM}, nil
 }
 
+func createCredential(credentialType string) (azcore.TokenCredential, error) {
+	switch credentialType {
+	case DefaultChainCredentialType:
+		return azidentity.NewDefaultAzureCredential(nil)
+	case ManagedIdentityCredentialType:
+		return azidentity.NewManagedIdentityCredential(nil)
+	default:
+		return nil, fmt.Errorf("unsupported Azure Key Vault credential type: %s", credentialType)
+	}
+}
+
 // StorageType is the name of this storage type, used in health check reports and configuration.
 const StorageType = "azure-keyvault"
 
@@ -71,7 +87,6 @@ func (a keyvault) Name() string {
 }
 
 func (a keyvault) CheckHealth() map[string]core.Health {
-
 	return nil
 }
 

crypto/storage/azure/keyvault_test.go

@@ -297,7 +297,7 @@ func TestIntegrationTest(t *testing.T) {
 	os.Setenv("AZURE_CLIENT_ID", "")
 	os.Setenv("AZURE_CLIENT_SECRET", "")
 
-	store, err := New("https://geheim-keyvault.vault.azure.net/", 10*time.Second, false)
+	store, err := New("https://geheim-keyvault.vault.azure.net/", 10*time.Second, false, DefaultChainCredentialType)
 	assert.NoError(t, err)
 
 	var kid = "did:web:example.com#" + uuid.NewString()