
[Feature Request] Support setting key-values/feature flags in ARM/Bicep template with data-plane RBAC #692

Open · markbeij opened this issue Nov 17, 2022 · 26 comments
Labels: enhancement (New feature or request), service (Issues related to the AppConfig service)

Comments

@markbeij

Adding values to an App Configuration Store apparently requires Access Keys to be enabled. Otherwise I get the error message "The operation cannot be performed because it requires local authentication to be enabled".

We don't want to enable this since we prefer to only grant access for AAD identities so we have audit trails.

Deployments of values should be possible without enabling local authentication (access keys)
Not sure if this is a bug or a feature request though.

// One keyValues child resource per feature flag. ARM resource names cannot contain '/',
// so the '/' in the data-plane key '.appconfig.featureflag/<id>' is written as '~2F'.
resource configStoreFeatureflag 'Microsoft.AppConfiguration/configurationStores/keyValues@2022-05-01' = [for ff in featureFlags : {
  parent: configStore
  name: '.appconfig.featureflag~2F${ff.id}'
  properties: {
    value: string(ff) // serialises the flag object as JSON
    contentType: 'application/vnd.microsoft.appconfig.ff+json;charset=utf-8'
  }
}]
@jimmyca15 jimmyca15 added the enhancement New feature or request label Nov 28, 2022
@jimmyca15 (Member)

This would be a feature request. It's not possible to do this with existing RBAC of Azure App Configuration today. This doc has details.

@zhenlan zhenlan added the service Issues related to the AppConfig service label Nov 28, 2022
@jimmyca15 jimmyca15 changed the title Adding feature flags via bicep gets me: "The operation cannot be performed because it requires local authentication to be enabled" [Feature Request] Support setting key-values/feature flags in ARM/Bicep template Dec 2, 2022
@libravado commented Dec 15, 2022

(Rightly or wrongly) I have been able to work around this exact issue, to still achieve the level of automation I require...
In my GitHub pipeline (I was already set up to kick off my Bicep deployment, which involved az login using my SCM's service principal), I just added another step after the Bicep deployment has completed, to call:

az appconfig kv set -n APPCONFIG_RESOURCE_NAME --key color --value blue --auth-mode login --yes

NB: The service principal is a member of an AD group that has Owner access in app config
I'm fairly sure that az appconfig feature ... will work equally well.

Couple of annoying side effects:

  • It means I may have to output values from Bicep (which is not how I'd ideally like it to work; it unnecessarily exposes values to the pipeline)
  • I don't like the idea that this means my SCM principal can read App Config too. Ideally there'd be a write-only role :/

@zhenlan zhenlan changed the title [Feature Request] Support setting key-values/feature flags in ARM/Bicep template [Feature Request] Support setting key-values/feature flags in ARM/Bicep template with data-plane RBAC May 17, 2023
@sommkh commented Dec 7, 2023

Seems like a workaround that I had to find recently was injecting App Config key-values through PowerShell:

Set-AzAppConfigurationKeyValue -Endpoint $endpoint -Key $key -Value $value -Label $label -ContentType $contentType

It works without having to enable local authentication after the resource is deployed. Works for both key-value and Key Vault reference. Not the cleanest workaround, but at least it works. I saved the key-value pairs in a config.json, read the values from there and injected them into the App Config through that command.

az appconfig kv works as long as it is a key-value pair. If it's a Key Vault reference, it needs the access keys enabled again, at least for me.

@zhenlan (Contributor) commented Dec 8, 2023

az appconfig kv works as long as it is a key-value pair. If it's a Key Vault reference, it needs the access keys enabled again, at least for me.

This is not expected. Can you please share an example of the az appconfig kv command that doesn't work for you for key vault references? Please make sure you pass --auth-mode login to the command and you are granted the App Configuration Data Owner role on the target App Configuration store.

@AndreasKahlroth

Any progress on this issue yet?

@dozer75 commented Mar 12, 2024

This would be a feature request. It's not possible to do this with existing RBAC of Azure App Configuration today. This doc has details.

It's funny that Microsoft's employees (or contributors) state that things should be "feature requests" on issues that are caused by following Microsoft's recommended usage. I quote from the same page:

Of these two types of authentication schemes, Microsoft Entra ID provides superior security and ease of use over access keys, and is recommended by Microsoft.

So this offers "ease of access", but is it "ease of access" when we can't deploy using scripts using RBAC?

This is not the first time Microsoft promotes RBAC, but has lousy support for it in various deployment tools forcing the users to still have access key based authentication active.

Would really like this "feature request" to be solved soon, as it is quite a big dealbreaker for using script-based deployments in secure environments.

@jimmyca15 (Member) commented Mar 12, 2024

We just released the solution to this issue in a preview version of the Azure App Configuration stores API.

Docs are in the works!

What does it do?

There is now a setting on your configuration store that can be configured to enable data plane RBAC when deploying key-values via ARM templates. Assuming this setting is configured, there are a few points to be considered.

  • Access keys being disabled will no longer affect the deployment
  • The user running the deployment MUST have appropriate data plane roles for the action they are performing (read/write)
    • Reference
    • This is on top of the already existing requirement to be a contributor on the configuration store resource.
  • Audit logs will now appropriately contain deploying identity, rather than access key.

How to enable?

This preview API just rolled out so docs + UI + CLI support is still in progress. To enable it at this point in time, the configuration store management API would need to be used directly. The property is documented here. The appropriate configuration to achieve what I discussed here would be

API version: 2023-08-01-preview

{
    "properties": {
        "dataPlaneProxy": {
            "authenticationMode": "Pass-through"
        }
    }
}

API spec example
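The combination of settings laid out in the comment above (pass-through mode, a data-plane role for the deploying identity, private link delegation for stores without public access) is easy to get half-right, and each miss surfaces as a different runtime error. The following is an added example, written for this page and not code from the issue, from Bicep or from Azure: a pre-deployment lint that applies those rules to the compiled ARM JSON that `bicep build --stdout main.bicep` emits, and that also builds the `~2F`-encoded resource names the original report uses for feature flags. Assumptions: resource names in the template are literals (a store `mystore` with children named `mystore/<key>`), the sample templates are constructed here, and the role GUIDs are Azure's built-in App Configuration data-plane roles, which you should confirm with `az role definition list`.

```python
"""Pre-deployment lint for compiled ARM templates that write App Configuration key-values.

Added example, not code from this issue, from Bicep or from Azure. Assumes literal resource
names (store 'mystore', child 'mystore/<key>'); role GUIDs are Azure's built-in roles
(verify with `az role definition list --name "App Configuration Data Owner"`).
"""
import json

STORE_TYPE = "Microsoft.AppConfiguration/configurationStores"
KV_TYPE = STORE_TYPE + "/keyValues"
ROLE_TYPE = "Microsoft.Authorization/roleAssignments"
FF_PREFIX = ".appconfig.featureflag/"
FF_CONTENT_TYPE = "application/vnd.microsoft.appconfig.ff+json;charset=utf-8"
DATA_OWNER = "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b"   # read + write; needed to deploy key-values
DATA_READER = "516239f1-63e1-4d78-a4de-a74fb236a071"  # read only; not enough for a write


def arm_key_value_name(key, label=None):
    """keyValues resource name for `key` and optional `label`: '<key>' or '<key>$<label>'.
    '/' and '$' inside either part are written as ~2F and ~24, which is why the flag
    '.appconfig.featureflag/beta' appears as '.appconfig.featureflag~2Fbeta' in templates."""
    def enc(s):
        return s.replace("$", "~24").replace("/", "~2F")
    return enc(key) + ("$" + enc(label) if label else "")


def feature_flag_name(flag_id, label=None):
    return arm_key_value_name(FF_PREFIX + flag_id, label)


def _grants_write(role, store_name):
    """True if `role` assigns Data Owner scoped to `store_name`."""
    rid = str(role.get("properties", {}).get("roleDefinitionId", "")).lower()
    return rid.endswith(DATA_OWNER) and store_name in str(role.get("scope", ""))


def lint_template(template):
    """Return (severity, message) findings for a compiled ARM template dict; [] means clean."""
    findings = []
    res = template.get("resources", [])
    stores = [r for r in res if r.get("type") == STORE_TYPE]
    kvs = [r for r in res if r.get("type") == KV_TYPE]
    roles = [r for r in res if r.get("type") == ROLE_TYPE]

    for store in stores:
        name, props = store["name"], store.get("properties", {})
        proxy = props.get("dataPlaneProxy", {})
        passthrough = proxy.get("authenticationMode") == "Pass-through"
        mine = [kv for kv in kvs if kv["name"].startswith(name + "/")]
        if mine and not passthrough:
            if props.get("disableLocalAuth") is True:
                findings.append(("error", f"{name}: key-values need access keys (local auth disabled, "
                                          "dataPlaneProxy.authenticationMode is not 'Pass-through')"))
            else:
                findings.append(("warn", f"{name}: key-values are written with an access key; the audit "
                                         "log will not show the deploying identity"))
        if mine and passthrough:
            writers = [r for r in roles if _grants_write(r, name)]
            if not writers:
                findings.append(("error", f"{name}: Pass-through enabled but no App Configuration Data Owner "
                                          "assignment is scoped to the store; writes will be 403"))
            for kv in mine:  # the grant must exist before ARM performs the write
                deps = " ".join(map(str, kv.get("dependsOn", [])))
                if writers and not any(w["name"] in deps for w in writers):
                    findings.append(("warn", f"{kv['name']}: add dependsOn the role assignment"))
        if passthrough and props.get("publicNetworkAccess") == "Disabled" \
                and proxy.get("privateLinkDelegation") != "Enabled":
            findings.append(("error", f"{name}: public access disabled; set privateLinkDelegation "
                                      "to 'Enabled' and deploy through an ARM private link"))

    for kv in kvs:
        if kv["name"].count("/") != 1:  # 'store/key' only; a raw '/' in the key breaks nesting
            findings.append(("error", f"{kv['name']}: '/' inside the key must be encoded as ~2F"))
            continue
        key = kv["name"].split("/", 1)[1]
        if key.startswith(FF_PREFIX.replace("/", "~2F")) and \
                kv.get("properties", {}).get("contentType") != FF_CONTENT_TYPE:
            findings.append(("warn", f"{kv['name']}: feature flag without contentType {FF_CONTENT_TYPE}"))
    return findings


def _store(**extra):
    """Constructed sample store: access keys off, private endpoint only."""
    return {"type": STORE_TYPE, "apiVersion": "2024-05-01", "name": "mystore",
            "properties": {"disableLocalAuth": True, "publicNetworkAccess": "Disabled", **extra}}


# Constructed template in the shape this thread converged on: pass-through + Data Owner + dependsOn.
GOOD_TEMPLATE = {"resources": [
    _store(dataPlaneProxy={"authenticationMode": "Pass-through", "privateLinkDelegation": "Enabled"}),
    {"type": ROLE_TYPE, "apiVersion": "2022-04-01", "name": "ra-deployer", "scope": STORE_TYPE + "/mystore",
     "properties": {"principalId": "00000000-0000-0000-0000-000000000001", "principalType": "ServicePrincipal",
                    "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/" + DATA_OWNER}},
    {"type": KV_TYPE, "apiVersion": "2024-05-01", "name": "mystore/" + feature_flag_name("beta"),
     "dependsOn": ["ra-deployer"],
     "properties": {"value": json.dumps({"id": "beta", "enabled": False}), "contentType": FF_CONTENT_TYPE}},
]}

# Constructed template reproducing the original report: local auth off, no pass-through, raw '/' in the key.
BAD_TEMPLATE = {"resources": [
    _store(),
    {"type": KV_TYPE, "apiVersion": "2024-05-01", "name": "mystore/.appconfig.featureflag/beta",
     "properties": {"value": "{}"}},
]}

if __name__ == "__main__":
    for sev, msg in lint_template(BAD_TEMPLATE):
        print(f"[{sev}] {msg}")
```

Run it against `json.load(open("main.json"))` in the pipeline step before `az deployment group create` and fail the job on any `error` finding. The `dependsOn` check matters in practice: role assignments propagate asynchronously, so a key-value write that is not sequenced after the grant can still hit a 403 on the first run even when the template is otherwise correct.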

@vRune4 commented Mar 14, 2024

The appropriate configuration to achieve what I discussed here would be

I assume "would be" means "soon"? (it didn't work an hour ago when I tested)

@hahahahahaiyiwen (Member)

There is an issue detected on our side that blocks this feature for some customers at the moment. We are working on a fix and the ETA is by end of next week (03/22).

@jimmyca15 (Member)

@vRune4 "would be" did mean "now". If the attempt failed due to a server error then you are most likely affected by the issue that @hahahahahaiyiwen mentioned. If it failed due to some client error, such as 'invalid property', then let us know because that would be different.

@dozer75 commented Mar 15, 2024

I also tried this using Bicep, similar to the configuration below (our scripts are more complex, so this is just a boilerplate of it after extracting it):

// Store with access keys disabled; ARM data-plane requests are passed through
// with the deploying identity's token instead of an access key.
resource appCS 'Microsoft.AppConfiguration/configurationStores@2023-08-01-preview' = {
  name: name
  location: 'westeurope'
  sku: {
    name: 'Standard'
  }
  identity: {
    type: 'UserAssigned'
    userAssignedIdentities: {
      '${managedIdentity.id}': {}
    }
  }
  properties: {
    disableLocalAuth: true
    createMode: 'Default'
    softDeleteRetentionInDays: 7
    publicNetworkAccess: 'Disabled'
    dataPlaneProxy: {
      authenticationMode: 'Pass-through'
      privateLinkDelegation: 'Enabled'
    }
  }
}

// Data-plane role for the deploying principal, scoped to the store.
// roleDefinitionId must be the full role definition resource ID, not the bare GUID.
resource ownerRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(resourceGroup().id, appCS.name, '<executing user id>', '<App configuration Data owner role id>')
  scope: appCS
  properties: {
    principalId: '<executing user id>'
    principalType: 'User'
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '<App configuration Data owner role id>')
  }
}

// The key-value write goes through the data plane, so it must wait for the role assignment.
resource kv 'Microsoft.AppConfiguration/configurationStores/keyValues@2023-08-01-preview' = {
  name: 'TEST-Key'
  parent: appCS
  properties: {
    value: 'MOO'
  }
  dependsOn: [
    ownerRoleAssignment
  ]
}

But it failed with the following error:

{
    "status": "Failed",
    "error": {
        "code": "InternalServerError",
        "message": "Cannot serve the request. Please retry.",
        "additionalInfo": [
            {
                "type": "ActivityId",
                "info": {
                    "activityId": "<GUID>"
                }
            }
        ]
    }
}

Important to note: we're using a private endpoint here (that's why I used the privateLinkDelegation: 'Enabled' setting). The deployer is on the same VNet as the private endpoint and does have access to the App Configuration service through the private endpoint.

@jimmyca15 (Member)

@dozer75

That is the issue that Haiyi mentioned here.

@jimmyca15 (Member) commented Mar 15, 2024

@dozer75

Important to note: we're using a private endpoint here (that's why I used the privateLinkDelegation: 'Enabled' setting). The deployer is on the same VNet as the private endpoint and does have access to the App Configuration service through the private endpoint.

If the configuration store is locked down to a private endpoint, then you will need to have ARM private endpoint enabled on the subscription you are deploying to (docs in the works). Do you have this set up?

@dozer75 commented Mar 15, 2024

@jimmyca15

That is the issue that Haiyi mentioned here.

Ok... So it is the same then (it was a bit unclear since you wrote invalid property and I got InternalServerError), but we'll wait and see when the fix is deployed!

If the configuration store is locked down to a private endpoint, then you will need to have ARM private endpoint (https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/create-private-link-access-portal) enabled on the subscription you are deploying to (docs in the works). Do you have this set up?

No, I didn't know, thanks for notifying me and I'll look at this when the other issue has been solved!

@hahahahahaiyiwen (Member)

@dozer75 @vRune4 The fix has been deployed and the issue should be resolved now. Please give it a try and let us know if you have any questions!

@dozer75 commented Mar 28, 2024

@hahahahahaiyiwen Sure, will take a look at it.

However, I read through the link you sent two weeks ago about the ARM private endpoint setup. The problem with that is that it requires things to be done in the root management group, which is impossible for me to do in this assignment, as the owner denies any change outside of the subscription (which I find totally logical, but unfortunately not those who designed that functionality). I know that this isn't your doing with the limits of private link for managing Azure resources, but that is a blocker anyway for us to do this, so I'll probably look at alternatives to do the configuration additions...

@hahahahahaiyiwen (Member)

@dozer75 I think supporting private endpoint setup at a more granular level is in the roadmap of ARM. You may want to reach out to them to understand more about the timeline.

@dozer75 commented Mar 28, 2024

@dozer75 I think supporting private endpoint setup at a more granular level is in the roadmap of ARM. You may want to reach out to them to understand more about the timeline.

I suspect that, but have a hard time finding where to look :/

@hahahahahaiyiwen (Member)

@dozer75 Unfortunately there is no public documentation about it. I asked internally, and ARM doesn't have an exact timeline. They suggest submitting a feature request in Azure Resource Manager Community.

@hahahahahaiyiwen (Member)

Documentation and Azure portal UI support are now available 🥳🥳

@dozer75 commented Jun 8, 2024

@dozer75 Unfortunately there is no public documentation about it. I asked internally, and ARM doesn't have an exact timeline. They suggest submitting a feature request in Azure Resource Manager Community.

A bit delayed due to other assignments, but here is the posted idea.

@benjaminsampica commented Dec 14, 2024

Does anyone have a working example of this? I cannot seem to get this working with a service principal that has the ability to create the resource and all the Microsoft.ConfigurationStores/* permissions, and I've enabled pass-through. I'm still getting 403 Forbidden.

// Store is private-endpoint only, with pass-through enabled for ARM data-plane writes.
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2024-05-01' = {
  name: accountingAppConfigurationName
  location: location
  tags: tags
  sku: {
    name: 'Standard'
  }
  properties: {
    publicNetworkAccess: 'Disabled'
    dataPlaneProxy: {
      privateLinkDelegation: 'Enabled'
      authenticationMode: 'Pass-through'
    }
  }

  // One nested keyValues child per entry of the appConfigurationKeyValues object.
  resource keyValue 'keyValues' = [
    for keyValue in items(appConfigurationKeyValues): {
      name: keyValue.key
      properties: {
        value: keyValue.value
      }
    }
  ]
}

What am I missing?

@zhenlan (Contributor) commented Dec 14, 2024

Hi @benjaminsampica is it intentional you disabled public network access? If yes, I assume you have enabled private endpoints on your App Configuration store. In this case, have you set up Azure Resource Management (ARM) private link? Please refer to the following document:

https://learn.microsoft.com/en-us/azure/azure-app-configuration/quickstart-deployment-overview?tabs=portal#private-network-access

@benjaminsampica

@zhenlan thanks for responding. I believe I have this set up as well. See attached.

[two screenshots attached]

@zhenlan (Contributor) commented Dec 14, 2024

Hi @benjaminsampica, yes, I can see you checked the box "Enable Azure Resource Manager Private Network Access". You also need to create an Azure Resource Manager (ARM) Private Link for your subscription so your traffic will actually go through Azure Resource Manager Private Network. Just checking the box alone won't work. Because your ARM template requests don't go through the private endpoint you created for your App Configuration store, this checkbox is only a confirmation that you allow the traffic from a different private link (the ARM private link) to your store. Can you confirm you have set up the ARM private link?

@benjaminsampica commented Dec 14, 2024 via email
