feat(azure): add OIDC/Workload Identity Federation authentication support#11389
Open
mdoukan wants to merge 1 commit into
Open
feat(azure): add OIDC/Workload Identity Federation authentication support#11389mdoukan wants to merge 1 commit into
mdoukan wants to merge 1 commit into
Conversation
…port Implements Azure provider support for OIDC (Workload Identity Federation) authentication, enabling Prowler to run in security-strict production environments where static client secrets are prohibited. Closes prowler-cloud#11386 Changes: - Add --oidc-auth CLI flag as a new mutually exclusive authentication mode - Add AzureOIDCTokenMissingError exception (code: 2024) for missing env vars - Add check_oidc_creds_env_vars() static method to validate required env vars - Add oidc_auth parameter to __init__, validate_arguments, setup_session, setup_identity and test_connection methods - Use ClientAssertionCredential with a lazy token callback that reads AZURE_FEDERATED_TOKEN (falling back to AZURE_OIDC_TOKEN) at runtime - Identity type reported as 'Service Principal (OIDC)' for OIDC sessions - Add TestAzureProviderOIDCAuth test class with 7 unit tests covering missing env vars, token fallback, successful session setup and test_connection flow Usage: export AZURE_CLIENT_ID="..." export AZURE_TENANT_ID="..." export AZURE_FEDERATED_TOKEN="eyJra..." # or AZURE_OIDC_TOKEN prowler azure --oidc-auth
github-actions
Bot
added
the
provider/azure
Contributor
|
✅ Conflict Markers Resolved All conflict markers have been successfully resolved in this pull request. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
This PR implements Azure OIDC (Workload Identity Federation) authentication support, resolving #11386.
The Azure provider previously only supported static
AZURE_CLIENT_SECRET. In production environments where static secrets are prohibited by security policy, Prowler was unusable. This PR adds a new--oidc-authmode using short-lived JWT tokens.Changes
arguments.py: Add--oidc-authCLI flag as a new mutually exclusive authentication modeexceptions.py: AddAzureOIDCTokenMissingErrorexception (error code2024)azure_provider.py:oidc_authparameter to__init__,validate_arguments,setup_session,setup_identity,test_connectioncheck_oidc_creds_env_vars()static methodClientAssertionCredentialwith a lazy token callback (readsAZURE_FEDERATED_TOKEN, falling back toAZURE_OIDC_TOKEN)Service Principal (OIDC)tests/providers/azure/azure_provider_test.py: AddTestAzureProviderOIDCAuthclass with 7 unit testsUsage
Notes
ClientAssertionCredentialis already part ofazure-identity--sp-env-authmode is unchangedCloses #11386