
Comments (10)

Mic92 commented on June 12, 2024

If it can be expressed with environment variables it can be put here:

https://github.com/Mic92/sops-nix/blob/master/modules/sops/default.nix#L160

and exposed with module options.

from sops-nix.

Mic92 commented on June 12, 2024

It seems like this does not require that many changes in my module itself. However, before advertising Azure support for sops-nix I would like to have some documentation about how to set this all up.


Mic92 commented on June 12, 2024

If possible I would prefer explicit options since it's more user-friendly, because then NixOS modules could perform validations and also document how things are supposed to be used.


Mic92 commented on June 12, 2024

But I assume for the first boot it would also need some sort of login to get AZURE_CLIENT_SECRET?


colemickens commented on June 12, 2024

@Mic92 Ack on explicit options. For what it's worth, I think sops should modify their Azure code so that msi mode is always tried so this becomes unnecessary, but I've already filed an issue to discuss.

@Mic92 re AZURE_CLIENT_SECRET: it will be somewhat deployment dependent, but the demo I'm building uses Azure Managed Identity. In Azure, you can create an "Identity" as an explicit resource. Think of it as a user. This identity will have access to the KeyVault and the identity will be assigned to the VMs at creation. Applications running on the VM can then retrieve OAuth tokens for that assigned identity from inside the VM by accessing a VM-private HTTP service. (Thereby sops will then be able to pull the key, etc)

Thus, the user doesn't have to manage getting any credentials into the VM. (CLIENT_ID, CLIENT_SECRET are more traditional but a headache for reasons you can imagine).


colemickens commented on June 12, 2024

I'm building out a full standalone demo that shows how to use flakes, sops-nix and something else I'm working on. It includes a full e2e demo; I'm just building it as I go through the steps myself. I do need to ask some questions. I'll pose some here, let me know if it's okay to ping you on #nixos or something.

First and foremost, where should I be seeing logs when I ssh into this box?


colemickens commented on June 12, 2024

Disregard the last question: the logs are visible in stage-2-init in dmesg. I've opened a new issue.


dasJ commented on June 12, 2024

@colemickens I know it's been a while since you created the issue, but it would be very kind if you could try it out now. We have introduced support for arbitrary environment variables, and knowing that Azure works (maybe even with a small section in the README on how to properly use it) would be great for this project.


colemickens commented on June 12, 2024

My grandfathered MSDN sub was finally (understandably) "cleaned up" and thus I've stopped doing work on Azure for free.

The only real requisites for this scenario are:

  1. the machine was provisioned with Managed Service Identities with access to the relevant KV unlocking keys
  2. the user sets AZURE_AUTH_MODE for the Go SDK inside sops to do the right thing

It's actually even possible that this scenario just works (aka step 2 is unnecessary) if the Go SDK team got the SDK finally working in a way that was suggested to Azure SDK teams 6+ years ago... and if sops-nix upgraded to it. But again, loose ends for someone else at this point.

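As an added illustration (not code from the sops-nix project or from any commenter), this NixOS module fragment shows the two ways of feeding Azure credentials to sops that the thread contrasts: service-principal secrets on disk versus the managed-identity setup described in the two requisites above and in the earlier Managed Identity comment. It assumes the arbitrary-environment-variable option dasJ mentions is named `sops.environment`; the vault URL, key name, tenant/client values and the AZURE_AUTH_MODE value are placeholders.

```nix
# Added example for this thread; assumes the option name `sops.environment`.
# Vault, key, identity values and the AZURE_AUTH_MODE value are placeholders.
{ config, ... }:
{
  # secrets.yaml is encrypted by sops; the .sops.yaml creation rule that
  # selects the Key Vault key looks like this (constructed, placeholders):
  #   creation_rules:
  #     - path_regex: secrets\.yaml$
  #       azure_keyvault: https://<vault-name>.vault.azure.net/keys/<key-name>/<version>
  sops.defaultSopsFile = ./secrets.yaml;

  # Weak variant: service-principal credentials shipped into the VM.
  # AZURE_CLIENT_SECRET is itself a long-lived secret that must be protected
  # before sops can run, which is the first-boot problem raised in the thread.
  # Left commented out on purpose.
  # sops.environment = {
  #   AZURE_TENANT_ID     = "<tenant-id>";
  #   AZURE_CLIENT_ID     = "<client-id>";
  #   AZURE_CLIENT_SECRET = "<client-secret>";   # secret at rest on the host
  # };

  # Preferred variant: managed identity. The VM is created with an identity
  # that holds only encrypt/decrypt permission on the vault key; at activation
  # sops' Azure auth obtains a short-lived token from the VM-private metadata
  # endpoint, so no credential is stored in the image or the Nix store.
  # AZURE_AUTH_MODE is the variable named above; its MSI value is a placeholder.
  sops.environment.AZURE_AUTH_MODE = "<msi-mode-value>";

  # A secret from secrets.yaml, unwrapped at boot through the Key Vault key
  # and written to /run/secrets with tight ownership and mode.
  sops.secrets."db-password" = {
    owner = "postgres";
    mode = "0400";
  };
}
```

If activation fails, the check to make is that the VM's identity can reach the vault key with encrypt/decrypt permission and nothing more; as noted in the thread, sops' logging at activation shows up in stage-2-init in dmesg.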

dasJ commented on June 12, 2024

Thank you for your feedback, maybe someone else who pays for Azure anyway will get back at it :)
