Using the Instance Metadata Service (IMDS) access tokens on Azure.
Set up the .auto.tfvars config:
cp config/template.tfvars .auto.tfvarsGenerate the virtual machine key:
ssh-keygen -f .keys/azureCreate the infrastructure:
terraform init
terraform apply -auto-approveConnect to the instance:
ssh -i .keys/azure azureuser@<ipaddress>Check cloud init:
cloud-init status --waitThe VM will have a System-Assigned Managed Identity created, and permissions are set up to the storage.
Tip
Check the documentation for all endpoints and options.
curl -s -H Metadata:true --noproxy "*" "http://169.254.169.254/metadata/instance?api-version=2023-07-01" | jqNow proceed to acquire a token using the managed identity using curl:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://stimdscxv891xsdf1d.blob.core.windows.net/' -H Metadata:true -sAuthorize the request with Azure Entra ID.
Call the blob API such as with a Get Blob operation:
curl -X GET -H 'Authorization: Bearer <access_token>' \
-H "x-ms-date: Fri, 22 Dec 2023 16:10:00 GMT" \
-H "x-ms-version: 2023-11-03" \
'https://stimdscxv891xsdf1d.blob.core.windows.net/content/test.txt'If having issues with the token audience, check the token here https://jwt.ms/.
Build and push the image:
cd app
docker build -t azureimds .
bash acrpush.shLog in with the VM identity:
# Must use sudo to login
sudo az login --identity
sudo az acr login --name acrimdsCreate the .env file with the integration variables:
STORAGE_PRIMARY_ENDPOINT="<URL>"
STORAGE_CONTAINER_NAME=contentPull and start the container
sudo docker pull acrimds.azurecr.io/app:latest
sudo docker run -d -p 8080:8080 --env-file .env acrimds.azurecr.io/app:latest Check the container:
curl localhost:8080Test the SDK authentication:
curl localhost:8080/storagedefault
curl localhost:8080/storagemanaged