diff --git a/azure/service.go b/azure/service.go index edd5e5fc..ce46096d 100644 --- a/azure/service.go +++ b/azure/service.go @@ -16,6 +16,7 @@ import ( "github.com/Azure/go-autorest/autorest/azure" "github.com/Azure/go-autorest/autorest/azure/auth" "github.com/Azure/go-autorest/autorest/azure/cli" + "github.com/turbot/go-kit/types" "github.com/turbot/steampipe-plugin-sdk/plugin" ) @@ -40,6 +41,7 @@ type Session struct { */ func GetNewSession(ctx context.Context, d *plugin.QueryData, tokenAudience string) (session *Session, err error) { logger := plugin.Logger(ctx) + cacheKey := "GetNewSession" if cachedData, ok := d.ConnectionManager.Cache.Get(cacheKey); ok { session = cachedData.(*Session) @@ -50,6 +52,8 @@ func GetNewSession(ctx context.Context, d *plugin.QueryData, tokenAudience strin } } + logger.Debug("Auth session not found in cache, creating new session") + var subscriptionID, tenantID string settings := auth.EnvironmentSettings{ Values: map[string]string{}, @@ -113,7 +117,7 @@ func GetNewSession(ctx context.Context, d *plugin.QueryData, tokenAudience strin if azureConfig.Environment != nil { env, err := azure.EnvironmentFromName(*azureConfig.Environment) if err != nil { - logger.Debug("GetNewSession_", "Error getting environment from name with config environment", err) + logger.Error("GetNewSession", "Error getting environment from name with config environment", err) return nil, err } settings.Environment = env @@ -124,7 +128,7 @@ func GetNewSession(ctx context.Context, d *plugin.QueryData, tokenAudience strin if ok { env, err = azure.EnvironmentFromName(envName) if err != nil { - logger.Debug("GetNewSession_", "Error getting environment from name with no config environment", err) + logger.Error("GetNewSession", "Error getting environment from name with no config environment", err) return nil, err } settings.Values[auth.EnvironmentName] = envName @@ -134,28 +138,30 @@ func GetNewSession(ctx context.Context, d *plugin.QueryData, tokenAudience strin authMethod, resource, err := getApplicableAuthorizationDetails(ctx, settings, tokenAudience) if err != nil { - logger.Debug("GetNewSession__", "getApplicableAuthorizationDetails error", err) + logger.Error("GetNewSession", "getApplicableAuthorizationDetails error", err) return nil, err } settings.Values[auth.Resource] = resource var authorizer autorest.Authorizer - var expiresOn time.Time + var expiresOn *time.Time // so if it was not in cache - create session switch authMethod { case "Environment": + logger.Trace("Creating new session authorizer from environment") authorizer, err = settings.GetAuthorizer() if err != nil { - logger.Debug("GetNewSession__", "NewAuthorizerFromEnvironmentWithResource error", err) + logger.Error("GetNewSession", "NewAuthorizerFromEnvironmentWithResource error", err) return nil, err } // Get the subscription ID and tenant ID for "GRAPH" token audience case "CLI": + logger.Trace("Creating new session authorizer from Azure CLI") authorizer, err = auth.NewAuthorizerFromCLIWithResource(resource) if err != nil { - logger.Debug("GetNewSession__", "NewAuthorizerFromCLIWithResource error", err) + logger.Error("GetNewSession", "NewAuthorizerFromCLIWithResource error", err) // Check if the password was changed and the session token is stored in // the system, or if the CLI is outdated @@ -165,16 +171,17 @@ func GetNewSession(ctx context.Context, d *plugin.QueryData, tokenAudience strin return nil, err } default: + logger.Trace("Getting token for authorizer from Azure CLI") token, err := cli.GetTokenFromCLI(resource) if err != nil { return nil, err } adalToken, err := token.ToADALToken() - expiresOn = adalToken.Expires() + expiresOn = types.Time(adalToken.Expires()) if err != nil { - logger.Debug("GetNewSession__", "NewAuthorizerFromCLIWithResource error", err) + logger.Error("GetNewSession", "Get token from Azure CLI error", err) // Check if the password was changed and the session token is stored in // the system, or if the CLI is outdated @@ -186,24 +193,29 @@ func GetNewSession(ctx context.Context, d *plugin.QueryData, tokenAudience strin authorizer = autorest.NewBearerAuthorizer(&adalToken) } - if authMethod == "CLI" { + // Get the subscription ID and tenant ID from CLI if not set in connection + // config or environment variables + if authMethod == "CLI" && (settings.Values[auth.SubscriptionID] == "" || settings.Values[auth.TenantID] == "") { + logger.Trace("Getting subscription ID and/or tenant ID from from Azure CLI") subscription, err := getSubscriptionFromCLI(resource) if err != nil { - logger.Debug("GetNewSession__", "getSubscriptionFromCLI error", err) + logger.Error("GetNewSession", "getSubscriptionFromCLI error", err) return nil, err } tenantID = subscription.TenantID - // If "AZURE_SUBSCRIPTION_ID" is set then it will take precedence over the subscription set in the CLI + // Subscription ID set in config file or environment variable takes + // precedence over the subscription ID set in the CLI if subscriptionID == "" { subscriptionID = subscription.SubscriptionID + logger.Trace("Setting subscription ID from Azure CLI", "subscription_id", subscriptionID) } } sess := &Session{ Authorizer: authorizer, CloudEnvironment: settings.Environment.Name, - Expires: &expiresOn, + Expires: expiresOn, GraphEndpoint: settings.Environment.GraphEndpoint, ResourceManagerEndpoint: settings.Environment.ResourceManagerEndpoint, StorageEndpointSuffix: settings.Environment.StorageEndpointSuffix, @@ -211,13 +223,17 @@ func GetNewSession(ctx context.Context, d *plugin.QueryData, tokenAudience strin TenantID: tenantID, } - if sess.Expires != nil { - d.ConnectionManager.Cache.SetWithTTL(cacheKey, sess, time.Until(*sess.Expires)) + var expireMins time.Duration + if expiresOn != nil { + expireMins = time.Until(*sess.Expires) } else { // Cache for 55 minutes to avoid expiry issue - d.ConnectionManager.Cache.SetWithTTL(cacheKey, sess, time.Minute*55) + expireMins = time.Minute * 55 } + logger.Debug("Session saved in cache", "expiration_time", expireMins) + d.ConnectionManager.Cache.SetWithTTL(cacheKey, sess, expireMins) + return sess, err } @@ -238,7 +254,7 @@ func getApplicableAuthorizationDetails(ctx context.Context, settings auth.Enviro authMethod = "Environment" } - logger.Trace("getApplicableAuthorizationDetails_", "Auth Method: ", authMethod) + logger.Debug("getApplicableAuthorizationDetails", "auth_method", authMethod) var environment azure.Environment // Get the environment endpoint to be used for authorization @@ -247,13 +263,13 @@ func getApplicableAuthorizationDetails(ctx context.Context, settings auth.Enviro } else { environment, err = azure.EnvironmentFromName(environmentName) if err != nil { - logger.Error("Unable to get azure environment", "ERROR", err) + logger.Error("getApplicableAuthorizationDetails", "get_environment_name_error", err) return } settings.Environment = environment } - logger.Trace("getApplicableAuthorizationDetails_", "tokenAudience: ", tokenAudience) + logger.Debug("getApplicableAuthorizationDetails", "token_audience", tokenAudience) switch tokenAudience { case "GRAPH": @@ -266,7 +282,7 @@ func getApplicableAuthorizationDetails(ctx context.Context, settings auth.Enviro resource = settings.Environment.ResourceManagerEndpoint } - logger.Trace("getApplicableAuthorizationDetails_", "resource: ", resource) + logger.Debug("getApplicableAuthorizationDetails", "resource", resource) return } diff --git a/docs/index.md b/docs/index.md index 67692c67..ae7eefd8 100644 --- a/docs/index.md +++ b/docs/index.md @@ -61,7 +61,7 @@ steampipe plugin install azure | Credentials | Use the `az login` command to setup your [Azure Default Connection](https://docs.microsoft.com/en-us/cli/azure/authenticate-azure-cli). | | Permissions | Grant the `Global Reader` permission to your user. | | Radius | Each connection represents a single Azure Subscription. | -| Resolution | 1. Credentials explicitly set in a steampipe config file (`~/.steampipe/config/azuread.spc`).
2. Credentials specified in [environment variables](#credentials-from-environment-variables), e.g., `AZURE_SUBSCRIPTION_ID`. | +| Resolution | 1. Credentials explicitly set in a steampipe config file (`~/.steampipe/config/azure.spc`).
2. Credentials specified in [environment variables](#credentials-from-environment-variables), e.g., `AZURE_SUBSCRIPTION_ID`. | ### Configuration @@ -197,7 +197,7 @@ Steampipe works with managed identities (formerly known as Managed Service Ident ```hcl connection "azure_msi" { - plugin = "azuread" + plugin = "azure" tenant_id = "00000000-0000-0000-0000-000000000000" client_id = "00000000-0000-0000-0000-000000000000" subscription_id = "00000000-0000-0000-0000-000000000000"