Please release Azure OIDC support

[adeturner]

Welcome

• Yes, I'm using a binary release within 2 latest releases.
• Yes, I've searched similar issues on GitHub and didn't find any.
• Yes, I've included all information below (version, config, etc).

What did you expect to see?

Github actions Azure Federated Identity OIDC authentication is not compatible with the current release of Lego.

It is fixed in #2036 azuredns: allow oidc authentication has been merged but does not seem to be in a release yet

Please can you create release so vancluever/terraform-provider-acme can be updated.

See also vancluever/terraform-provider-acme#352 (comment)

Sorry - probably shouldn't be a bug and the feature has already been added, so guess its more of a request

What did you see instead?

code = Unknown desc = azuredns: DefaultAzureCredential authentication failed

How do you use lego?

Through Terraform ACME provider

Reproduction steps

resource "acme_certificate" "cert" {
  account_key_pem = acme_registration.,mycert[0].account_key_pem
  common_name     = var.myname

  dns_challenge {
    # https://registry.terraform.io/providers/vancluever/acme/latest/docs/guides/dns-providers-azuredns
    provider = "azuredns"
    config = {
      AZURE_AUTH_METHOD         = "oidc"
      AZURE_RESOURCE_GROUP      = var.public_dns_rg
      AZURE_ZONE_NAME           = var.public_dns_zone
      AZURE_CLIENT_ID           = data.azurerm_client_config.current.client_id
      AZURE_SUBSCRIPTION_ID     = data.azurerm_client_config.current.subscription_id
      AZURE_TENANT_ID           = data.azurerm_client_config.current.tenant_id
      AZURE_TTL                 = 300
      AZURE_PROPAGATION_TIMEOUT = 150
    }
  }
}

Version of lego

github.com/go-acme/lego/v4 v4.14.2

Logs

code = Unknown desc = azuredns: DefaultAzureCredential authentication failed

Go environment (if applicable)

n/a

[vancluever]

@ldez it has been quite a bit of time without a release. Can you cut one, unless there's something specific barring it?

Thanks!

[vancluever]

@ldez no worries, sorry to hear that things are not so good for you right now. Take care. This was more of a check-in than anything (I could have made it a bit more obvious, apologies), not urgent on this end at all!

[stmcx]

I have been using this workaround until release. The temporary downside is that you will always see the file resource in the terraform plan diff but it is just cosmetic for me and you will need EppO/environment provider

At least I can get rid of permanent credentials.

terraform {
  required_version = ">= 1.0"
  required_providers {
    # Other providers...
    environment = {
      source  = "EppO/environment"
      version = "1.3.5"
    }
  }
}

data "environment_variables" "all" {}

resource "local_file" "oidc_token" {
  content  = data.environment_variables.all.items["ARM_OIDC_TOKEN"]
  filename = "${path.module}/token.txt"
}

resource "acme_certificate" "certificate" {
  account_key_pem              = var.example_account_key_pem
  common_name                  = var.example_common_name
  subject_alternative_names    = var.example_subject_alternative_names
  disable_complete_propagation = var.example_disable_complete_propagation
  dns_challenge {
    # TODO when released: https://github.com/go-acme/lego/issues/2027
    provider = "azuredns"
    config = {
      AZURE_RESOURCE_GROUP       = var.example_resource_group
      AZURE_AUTH_METHOD          = "oidc"
      AZURE_FEDERATED_TOKEN_FILE = "${path.module}/token.txt"
    }
  }

  depends_on = [local_file.oidc_token]
}

[adeturner]

@stmcx - thanks! wondering how are you getting the value for ARM_OIDC_TOKEN (e.g. from the github action)?

[stmcx]

Terraform Cloud Dynamic Credentials @adeturner

Not sure if the same environment variable is exported on GitHub (by azure/login action for example)

[adeturner]

@stmcx thanks

For anyone else coming across this I found this azure terraform provider-test.yaml

  - name: Set OIDC Token
    run: |
      echo "ARM_OIDC_TOKEN=$(curl -H "Accept: application/json; api-version=2.0" -H "Authorization: Bearer ${ACTIONS_ID_TOKEN_REQUEST_TOKEN}" -H "Content-Type: application/json" -G --data-urlencode "audience=api://AzureADTokenExchange" "${ACTIONS_ID_TOKEN_REQUEST_URL}" | jq -r '.value')" >>${GITHUB_ENV}

[ACTIONS_ID_TOKEN_REQUEST* vars are set in the runner environment]

[ldez]

https://github.com/go-acme/lego/releases/tag/v4.15.0