Azure Managed Service Identities

If you're using Microsoft Azure and relying on Azure AD for service-to-service (S2S) authentication, then there's a good chance you'll find it useful to leverage Managed Service Identities within Grey.

Managed Service Identities (MSIs) are an extremely useful means of authenticating a service without the need to manage secrets. You can use MSIs when running Grey on an Azure VM, Container, Kubernetes cluster, or App Service plan by leveraging the !Script execution target as shown below.

Helper Function

The following helper function retrieves an access token for the provided resource within your !Script target.

async function getAccessToken(args = {}) {
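    // Defaults can be overridden by the caller; IMDS expects the version
    // query parameter to be named "api-version" (with a hyphen).
    args = Object.assign({}, {
        resource: "https://management.azure.com/",
        "api-version": "2021-12-13"
    }, args)

    // URL-encode each value so resource URIs survive as query parameters
    const queryString = Object.keys(args).map(k => `${k}=${encodeURIComponent(args[k])}`).join("&")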

    const resp = await fetch(`http://169.254.169.254/metadata/identity/oauth2/token?${queryString}`, {
        headers: {
            Metadata: "true"
        }
    })

    if (!resp.ok) {
        throw new Error(`${resp.status} ${resp.statusText}: ${await resp.text()}`)
    }

    const token = await resp.json()

    // NOTE: You can find more details about the properties available here at:
    // https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
    return token.access_token
}

// NOTE: The following is an example of using this helper function

const accessToken = await getAccessToken({
    resource: "https://myapp.example.com/"
})

const resp = await fetch("https://myapp.example.com/api/v1/data", {
    headers: {
        Authorization: `Bearer ${accessToken}`
    }
})

setOutput('http.status_code', resp.status)

if (resp.ok) {
    // Do any content assertions you wish to do here
}
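
A pre-flight check that could sit between getAccessToken and the authenticated fetch, shown here as an added example rather than code from the Grey documentation: it refuses non-HTTPS targets, wrong-audience tokens and tokens about to expire, so a failing probe can be attributed to the token or to the API. The names bearerHeaders, decodeJwtPayload and sampleToken are hypothetical; the check takes the full IMDS JSON response rather than only access_token, and assumes the runtime provides atob, btoa and URL and that the API expects aud to equal the requested resource.

```javascript
// Added example, not Grey's own code. Decodes the JWT payload WITHOUT verifying
// the signature: a local sanity check only; the receiving API still validates it.
function decodeJwtPayload(jwt) {
    const parts = String(jwt).split(".")
    if (parts.length !== 3) throw new Error("access_token is not a three-part JWT")
    return JSON.parse(atob(parts[1].replace(/-/g, "+").replace(/_/g, "/")))
}

const trimSlash = s => String(s).replace(/\/+$/, "")

// Returns the request headers, or throws with a reason that separates a token
// problem from a failure of the API being probed. `now` and `skew` are in seconds.
function bearerHeaders(token, resource, targetUrl, now = Date.now() / 1000, skew = 60) {
    if (new URL(targetUrl).protocol !== "https:") {
        throw new Error("refusing to send a bearer token over a non-HTTPS URL")
    }
    if (token.token_type !== "Bearer") {
        throw new Error(`unexpected token_type: ${token.token_type}`)
    }
    const claims = decodeJwtPayload(token.access_token)
    // Assumption: the API expects `aud` to equal the resource requested from IMDS.
    if (trimSlash(claims.aud) !== trimSlash(resource)) {
        throw new Error(`token audience ${claims.aud} does not match ${resource}`)
    }
    // expires_on is a string of Unix seconds; a missing value yields NaN and fails closed.
    const expires = Math.min(Number(token.expires_on), Number(claims.exp))
    if (!(expires - skew > now)) {
        throw new Error("token is expired or about to expire")
    }
    return { Authorization: `Bearer ${token.access_token}` }
}

// Constructed, unsigned sample standing in for `await resp.json()` in getAccessToken.
function sampleToken(aud, exp) {
    const b64url = o => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "")
    return {
        access_token: `${b64url({ alg: "none" })}.${b64url({ aud, exp })}.sig`,
        expires_on: String(exp),
        resource: aud,
        token_type: "Bearer"
    }
}
```

To use it, have getAccessToken return the whole parsed response and pass the result of bearerHeaders as the `headers` option of the fetch call.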