improvement: handle azure workload identity authentication #945

Open
wants to merge 3 commits into
base: main

@abestel abestel commented Feb 17, 2025

Title:

  • Handle azure workload identity authentication

Description: (optional)
So far the Azure OpenAI integration was handling authentication using Client ID / Client Secret and Managed identity using the IMDS endpoint which is deprecated in favor of Workload Identity (using the public OAuth2 endpoint of Entra ID).

This changeset aims at handling this new authentication type.

Note that this requires reading environment variables set by the Azure runtime onto the virtual machine / pod using a workload identity. It also needs to read a file on disk (containing an assertion to use to exchange against a JWT).

Motivation: (optional)

  • managed identity authentication using IMDS is deprecated and should be replaced by Workload Identity authentication

Related Issues: (optional)
/
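
The exchange the description outlines, as an added example that is not code from this pull request: the assertion file named by the environment is read and posted to the Entra ID token endpoint as a client assertion. The variable names (`AZURE_TENANT_ID`, `AZURE_CLIENT_ID`, `AZURE_FEDERATED_TOKEN_FILE`, `AZURE_AUTHORITY_HOST`) are the ones Azure Workload Identity injects and are assumed here, as is the Azure OpenAI scope; the function names and sample values are constructed.

```javascript
// Added example; buildTokenRequest and fetchWorkloadToken are hypothetical names.
const ASSERTION_TYPE = 'urn:ietf:params:oauth:client-assertion-type:jwt-bearer';

// Constructed sample values, for illustration only.
const SAMPLE_ENV = {
  AZURE_TENANT_ID: '00000000-0000-0000-0000-000000000000',
  AZURE_CLIENT_ID: '11111111-1111-1111-1111-111111111111',
  AZURE_FEDERATED_TOKEN_FILE: '/constructed/path/to/token',
  AZURE_AUTHORITY_HOST: 'https://login.microsoftonline.com/',
};
const SAMPLE_ASSERTION = 'aGVhZGVy.cGF5bG9hZA.c2ln';
const SAMPLE_SCOPE = 'https://cognitiveservices.azure.com/.default';

// Pure function: builds the client-credentials request that trades the
// federated assertion for an Entra ID access token. No file or network I/O.
function buildTokenRequest(env, assertion, scope) {
  for (const name of ['AZURE_TENANT_ID', 'AZURE_CLIENT_ID', 'AZURE_FEDERATED_TOKEN_FILE']) {
    if (!env[name]) throw new Error(`missing environment variable ${name}`);
  }
  const authority = new URL(env.AZURE_AUTHORITY_HOST || 'https://login.microsoftonline.com/');
  // The assertion is a credential: refuse to send it over plain HTTP.
  if (authority.protocol !== 'https:') throw new Error('authority host must use https');
  const token = assertion.trim();
  // A JWT is three dot-separated base64url segments.
  if (!/^[\w-]+\.[\w-]+\.[\w-]+$/.test(token)) throw new Error('assertion file does not contain a JWT');
  const url = new URL(`${encodeURIComponent(env.AZURE_TENANT_ID)}/oauth2/v2.0/token`, authority);
  const body = new URLSearchParams({
    grant_type: 'client_credentials',
    client_id: env.AZURE_CLIENT_ID,
    client_assertion_type: ASSERTION_TYPE,
    client_assertion: token,
    scope,
  });
  return { url: url.toString(), body };
}

// readFile and fetchImpl are injectable so a runtime without node:fs can
// supply its own. The file is re-read on every call because the assertion
// on disk is short-lived and may be replaced by the platform.
async function fetchWorkloadToken(env, scope, readFile, fetchImpl = fetch) {
  readFile ??= async (p) => (await import('node:fs/promises')).readFile(p, 'utf8');
  const assertion = await readFile(env.AZURE_FEDERATED_TOKEN_FILE);
  const { url, body } = buildTokenRequest(env, assertion, scope);
  const res = await fetchImpl(url, { method: 'POST', body });
  // Surface only the status code; never log the request body or assertion.
  if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
  const { access_token, expires_in } = await res.json();
  return { accessToken: access_token, expiresAt: Date.now() + expires_in * 1000 };
}
```

Callers should cache the returned token until shortly before `expiresAt` rather than repeating the exchange on every request.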

@narengogi
Collaborator

Hey @abestel, since you're using fs, this would work well in a Node.js environment, but not Cloudflare Workers, but that's fine; let me just test these changes in both environments and go through the code 👨‍💻

@abestel abestel force-pushed the improvement/azure-workload-identity branch from a76ec2f to 87e2ff5 Compare February 28, 2025 09:05
@abestel
Author

abestel commented Feb 28, 2025

Hey @narengogi
FYI, I rebased the branch with the latest version of main because some conflicts appeared. There was no change in the code itself.

@narengogi
Collaborator

@abestel We'll test this today

Collaborator

@narengogi narengogi left a comment

added minor comment, rest looks good
