
Talaria panic to auth Azure when runs on AWS #88

Closed
atlas-comstock opened this issue May 6, 2022 · 8 comments

Comments

@atlas-comstock
Collaborator

Talaria panic to auth Azure when runs on AWS

Background

169.254.169.254 is a magic IP(Link-local address) used by most cloud services (AWS & Azure) for metadata.

This line of code introduced in the latest MR will set the URL http://169.254.169.254/metadata/identity/oauth2/token to get the metadata and send HTTP requests when refreshing. The Azure library did this.

However, when you run the Talaria on AWS, there is no such URL/info provided by it; it will be a timeout as there is no route.

Propose

Skip the auth here when Talaria is not running on Azure; directly uses the Env to auth.

@ocassetti
Collaborator

Could you share the stack trace? Because in theory adal.NewServicePrincipalTokenFromManagedIdentity should return an error, and then it should use the env credentials.

@atlas-comstock
Collaborator Author

Here is the log. @ocassetti
NewServicePrincipalTokenFromManagedIdentity just inits the options and does not actually request the HTTP endpoint, therefore the error was not raised there. Instead, it is raised at the refresh stage.

2022/05/04 09:31:48 azure: acquired Manange Identity Credentials
panic: ServerError: target=storage/writer/azure/azure.go.107, reason=Internal Server Error, msg=azure: unable to get azure storage credential due to adal: Refresh request failed. Status Code = '404'. Response body: <?xml version="1.0" encoding="iso-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
 <head>
  <title>404 - Not Found</title>
 </head>
 <body>
  <h1>404 - Not Found</h1>
 </body>
</html>
 Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F

@kelindar
Collaborator

kelindar commented May 6, 2022

It is trying to hit Azure instance metadata from AWS? Looks like this cannot work

@atlas-comstock
Collaborator Author

@kelindar Yes, it can't work, of course. Therefore we should skip this logic and use ENV setting as auth for Talaria not on Azure.

@ocassetti
Collaborator

ocassetti commented May 9, 2022

But NewServicePrincipalTokenFromManagedIdentity should return an error, then we check for environment credentials... that's the logic...

@atlas-comstock
Collaborator Author

@ocassetti hi, you can check the implementation of NewServicePrincipalTokenFromManagedIdentity: it just inits the options and does not actually request the HTTP endpoint, therefore the error was not raised there. Instead, it is raised at the refresh stage.

@ocassetti
Collaborator

Oh I see, then I guess we need to check if the env variables are set; if so we use the environment, otherwise we use the principal.

@atlas-comstock
Collaborator Author

Good idea, better than skipping on other cloud services.
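The selection order agreed above (environment credentials first, managed identity only when the IMDS endpoint actually answers), as an added Go example that is not Talaria's own code. It assumes go-autorest's AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET variable names and does not import adal; instead it issues the IMDS token request itself with net/http so the 404 or "no route" from the log surfaces at startup rather than at the first token refresh.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
)

// IMDS token endpoint from the log above; it only answers on an Azure VM.
const imdsTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fstorage.azure.com%2F"

// hasEnvCredentials reports whether the service-principal variables are all set.
// The names are an assumption (go-autorest's auth package reads these), not Talaria's own.
func hasEnvCredentials(getenv func(string) string) bool {
	for _, k := range []string{"AZURE_TENANT_ID", "AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET"} {
		if getenv(k) == "" {
			return false
		}
	}
	return true
}

// probeIMDS makes the request NewServicePrincipalTokenFromManagedIdentity defers to refresh time,
// so a host that is not on Azure fails here instead of panicking later.
func probeIMDS(ctx context.Context, client *http.Client, url string) error {
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, url, nil)
	if err != nil {
		return err
	}
	req.Header.Set("Metadata", "true") // IMDS rejects requests without this header
	resp, err := client.Do(req)
	if err != nil {
		return fmt.Errorf("imds unreachable: %w", err) // no route, as on AWS
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("imds returned status %d", resp.StatusCode) // the 404 in the log
	}
	return nil
}

// selectAuthMode returns "environment" when explicit credentials are set, "managed-identity"
// only when IMDS answers, and otherwise an error instead of a deferred panic.
func selectAuthMode(ctx context.Context, getenv func(string) string, client *http.Client, url string) (string, error) {
	if hasEnvCredentials(getenv) {
		return "environment", nil
	}
	if err := probeIMDS(ctx, client, url); err != nil {
		return "", fmt.Errorf("no azure credentials: env vars unset and %w", err)
	}
	return "managed-identity", nil
}
```

In the real process, call selectAuthMode with os.Getenv, a context carrying a short timeout and an http.Client with its own Timeout set, so the link-local address cannot stall startup on a host where it has no route.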

atlas-comstock pushed a commit to atlas-comstock/talaria that referenced this issue May 18, 2022
atlas-comstock pushed a commit to atlas-comstock/talaria that referenced this issue May 19, 2022