Documentation
Index
- Constants
- Variables
- func AcquireFileLock(lockPath string) (*flock.Flock, error)
- func NewMSALCache(cachePath string, realm string) (cache.ExportReplace, error)
- func PrepareEnvironment(cfg PrepareEnvironmentConfig) map[string]string
- func ResolveDestination(dest string, azureCreds *types.AzureCredentials) (string, error)
- func SetAuthContext(params *SetAuthContextParams) error
- func SetEnvironmentVariables(authContext *schema.AuthContext, stackInfo *schema.ConfigAndStacksInfo) error
- func SetupFiles(providerName, identityName string, creds types.ICredentials, basePath string, ...) error
- func UpdateAzureCLIFiles(creds types.ICredentials, tenantID, subscriptionID string) error
- func UpdateSubscriptionsInProfile(profile map[string]interface{}, username, tenantID, subscriptionID string, ...) []interface{}
- type AzureFileManager
- func (m *AzureFileManager) Cleanup(providerName string) error
- func (m *AzureFileManager) CredentialsExist(providerName string) bool
- func (m *AzureFileManager) GetCredentialsPath(providerName string) string
- func (m *AzureFileManager) LoadCredentials(providerName string) (*types.AzureCredentials, error)
- func (m *AzureFileManager) WriteCredentials(providerName, identityName string, creds *types.AzureCredentials) error
- type ConsoleURLGenerator
- type PrepareEnvironmentConfig
- type SetAuthContextParams
Constants
const (
	// AzurePortalURL is the Azure Portal base URL.
	AzurePortalURL = "https://portal.azure.com/"
	// AzureDefaultSessionDuration is the default session duration (Azure tokens are typically valid for 1 hour).
	AzureDefaultSessionDuration = 1 * time.Hour
)
const (
	// DirPermissions is the permission mode for Azure cache directories (owner read/write/execute only).
	DirPermissions = 0o700
	// FilePermissions is the permission mode for Azure credential files (owner read/write only).
	FilePermissions = 0o600
)
File permissions.
const (
	// BomMarker is the first byte of UTF-8 BOM.
	BomMarker = 0xEF
	// BomSecondByte is the second byte of UTF-8 BOM.
	BomSecondByte = 0xBB
	// BomThirdByte is the third byte of UTF-8 BOM.
	BomThirdByte = 0xBF
)
BOM (Byte Order Mark) constants for UTF-8.
const (
	FieldHomeAccountID = "home_account_id"
	FieldEnvironment   = "environment"
	FieldRealm         = "realm"
	FieldUsername      = "username"
	FieldLocalID       = "local_account_id"
	FieldAccessToken   = "AccessToken"
	FieldUser          = "user"
)
MSAL cache field names used in azureProfile.json and MSAL cache. Exported for use by device_code_cache.go.
const (
	IntFormat      = "%d" // Format string for integer output.
	StrconvDecimal = 10   // Decimal base for string conversion.
	Int64BitSize   = 64   // Bit size for int64 conversion.
)
String format and conversion constants.
const (
	LogFieldIdentity     = "identity"     // Log field for identity name.
	LogFieldSubscription = "subscription" // Log field for subscription ID.
	LogFieldTenantID     = "tenantID"     // Log field for tenant ID.
	LogFieldExpiresOn    = "expiresOn"    // Log field for token expiration.
	LogFieldKey          = "key"          // Log field for cache key.
)
Logging field names.
const (
	PermissionRWX = 0o700
	PermissionRW  = 0o600
)
Variables
var (
	ErrGetHomeDir                    = errors.New("failed to get home directory")
	ErrCreateCredentialsFile         = errors.New("failed to create credentials file")
	ErrLoadCredentialsFile           = errors.New("failed to load credentials file")
	ErrWriteCredentialsFile          = errors.New("failed to write credentials file")
	ErrSetCredentialsFilePermissions = errors.New("failed to set credentials file permissions")
	ErrCleanupAzureFiles             = errors.New("failed to cleanup Azure files")
	ErrFileLockTimeout               = errors.New("failed to acquire file lock within timeout")
	ErrRemoveProfile                 = errors.New("failed to remove profile")
)
Functions
func AcquireFileLock
func AcquireFileLock(lockPath string) (*flock.Flock, error)
AcquireFileLock attempts to acquire an exclusive file lock with timeout and retries. Exported for use by provider-side code (device_code_cache.go).
func NewMSALCache
func NewMSALCache(cachePath string, realm string) (cache.ExportReplace, error)
NewMSALCache creates a new MSAL cache instance. If cachePath is empty, uses the default Azure CLI location (~/.azure/atmos/{realm}/msal_token_cache.json). The realm parameter provides credential isolation between different repositories.
func PrepareEnvironment
func PrepareEnvironment(cfg PrepareEnvironmentConfig) map[string]string
PrepareEnvironment configures environment variables for Azure SDK when using Atmos auth.
This function:
- Clears direct Azure credential env vars to prevent conflicts with Atmos-managed credentials
- Sets AZURE_SUBSCRIPTION_ID, AZURE_TENANT_ID, AZURE_LOCATION
- Sets ARM_* variables for Terraform provider compatibility
- Sets ARM_USE_CLI=true (for CLI/device-code auth) or ARM_USE_OIDC=true (for OIDC auth)
For OIDC authentication (service principal with federated credentials), it sets:
- ARM_USE_OIDC=true
- ARM_CLIENT_ID
- AZURE_FEDERATED_TOKEN_FILE (if token file path is provided)
For CLI/device-code authentication, it sets ARM_USE_CLI=true which tells Terraform to use the MSAL cache populated by Atmos.
Note: Other cloud provider credentials (AWS, GCP) are NOT cleared to support multi-cloud scenarios such as using S3 backend for Terraform state while deploying to Azure.
Returns a NEW map with the modifications applied; the input map is not mutated.
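The behaviour listed above, written out as an added stand-alone example (this is not the package's own PrepareEnvironment, and it does not import the project). The struct fields match the documented PrepareEnvironmentConfig; which credential variables the real package clears is not stated on this page, so the list below uses the standard Azure SDK and AzureRM provider variable names and is an assumption, as are ARM_SUBSCRIPTION_ID and ARM_TENANT_ID as the "ARM_* variables" and the removal of any inherited ARM_USE_* flag so that exactly one auth mode is selected:

```go
package main

import (
	"fmt"
	"sort"
)

// PrepareEnvironmentConfig mirrors the documented fields of the package's config struct.
type PrepareEnvironmentConfig struct {
	Environ        map[string]string
	SubscriptionID string
	TenantID       string
	Location       string
	UseOIDC        bool
	ClientID       string
	TokenFilePath  string
}

// directCredentialVars are cleared so that credential resolution in the SDK or
// the Terraform provider cannot be diverted by values inherited from the parent
// shell. Which names the real package clears is not on the page; these are the
// standard Azure SDK / AzureRM names (assumption). AWS_* and GCP variables are
// deliberately left untouched, matching the documented multi-cloud behaviour.
var directCredentialVars = []string{
	"AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_CLIENT_CERTIFICATE_PATH",
	"AZURE_USERNAME", "AZURE_PASSWORD", "AZURE_FEDERATED_TOKEN_FILE",
	"ARM_CLIENT_ID", "ARM_CLIENT_SECRET", "ARM_CLIENT_CERTIFICATE_PATH",
	"ARM_USE_CLI", "ARM_USE_OIDC", "ARM_USE_MSI",
}

// prepareEnvironment returns a new map; cfg.Environ is never written to.
func prepareEnvironment(cfg PrepareEnvironmentConfig) map[string]string {
	out := make(map[string]string, len(cfg.Environ)+8)
	for k, v := range cfg.Environ {
		out[k] = v
	}
	for _, k := range directCredentialVars {
		delete(out, k)
	}

	// Subscription / tenant / location for the Azure SDK and the ARM_* mirrors
	// read by the Terraform AzureRM provider (ARM_SUBSCRIPTION_ID/ARM_TENANT_ID
	// chosen here as the "ARM_* variables"; assumption).
	out["AZURE_SUBSCRIPTION_ID"] = cfg.SubscriptionID
	out["AZURE_TENANT_ID"] = cfg.TenantID
	out["ARM_SUBSCRIPTION_ID"] = cfg.SubscriptionID
	out["ARM_TENANT_ID"] = cfg.TenantID
	if cfg.Location != "" {
		out["AZURE_LOCATION"] = cfg.Location
	}

	// Exactly one auth mode: OIDC (federated service principal) or the CLI /
	// MSAL cache path. The ARM_USE_* flags were cleared above, so a stale
	// ARM_USE_OIDC from the caller's shell cannot coexist with ARM_USE_CLI.
	if cfg.UseOIDC {
		out["ARM_USE_OIDC"] = "true"
		out["ARM_CLIENT_ID"] = cfg.ClientID
		if cfg.TokenFilePath != "" {
			out["AZURE_FEDERATED_TOKEN_FILE"] = cfg.TokenFilePath
		}
	} else {
		out["ARM_USE_CLI"] = "true"
	}
	return out
}

func main() {
	// Constructed sample environment: an inherited client secret (should be
	// dropped), a stale OIDC flag, and an AWS profile for the state backend.
	env := map[string]string{
		"AZURE_CLIENT_SECRET": "inherited-secret",
		"ARM_USE_OIDC":        "true",
		"AWS_PROFILE":         "tfstate",
	}
	out := prepareEnvironment(PrepareEnvironmentConfig{
		Environ: env, SubscriptionID: "00000000-0000-0000-0000-000000000001",
		TenantID: "00000000-0000-0000-0000-0000000000aa", Location: "eastus",
	})
	keys := make([]string, 0, len(out))
	for k := range out {
		keys = append(keys, k)
	}
	sort.Strings(keys)
	for _, k := range keys {
		fmt.Printf("%s=%s\n", k, out[k])
	}
}
```

Running it prints only AZURE_*/ARM_* subscription, tenant and location values, ARM_USE_CLI=true and the untouched AWS_PROFILE; the inherited AZURE_CLIENT_SECRET and stale ARM_USE_OIDC are gone, and the original map still holds them.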
func ResolveDestination
func ResolveDestination(dest string, azureCreds *types.AzureCredentials) (string, error)
ResolveDestination resolves destination aliases to full Azure Portal URLs.
Supports the following destination formats:
- Empty string or "home" → Tenant home page
- "subscription" → Subscription overview
- "resourcegroups" or "rg" → Resource groups blade
- "vm" or "virtualmachines" → Virtual Machines blade
- "storage" or "storageaccounts" → Storage Accounts blade
- "network" or "vnet" → Virtual Networks blade
- "cosmosdb" → Cosmos DB blade
- "sql" → SQL Databases blade
- "keyvault" → Key Vaults blade
- "monitor" → Azure Monitor blade
- Full URL starting with https:// → Pass through unchanged
All resolved URLs include tenant context for proper navigation.
func SetAuthContext
func SetAuthContext(params *SetAuthContextParams) error
SetAuthContext populates the Azure auth context with Atmos-managed credential paths. This enables in-process Azure SDK calls to use Atmos-managed credentials.
func SetEnvironmentVariables
func SetEnvironmentVariables(authContext *schema.AuthContext, stackInfo *schema.ConfigAndStacksInfo) error
SetEnvironmentVariables derives Azure environment variables from AuthContext. This populates ComponentEnvSection/ComponentEnvList for spawned processes. The auth context is the single source of truth; this function derives from it.
Uses the PrepareEnvironment helper to ensure consistent environment setup across all commands. This clears conflicting credential env vars and sets the Azure subscription, tenant and location.
Parameters:
- authContext: Runtime auth context containing Azure credentials
- stackInfo: Stack configuration to populate with environment variables
func SetupFiles
func SetupFiles(providerName, identityName string, creds types.ICredentials, basePath string, realm string) error
SetupFiles sets up Azure credentials files for the given identity. basePath specifies the base directory for Azure files (from the provider's files.base_path). If empty, uses the default ~/.azure/atmos/{realm} path. The realm parameter provides credential isolation between different repositories.
func UpdateAzureCLIFiles
func UpdateAzureCLIFiles(creds types.ICredentials, tenantID, subscriptionID string) error
UpdateAzureCLIFiles updates Azure CLI files (MSAL cache and azureProfile.json) so Terraform providers can use them. This makes Atmos authentication work exactly like `az login`. This should be called from PostAuthenticate to ensure CLI compatibility.
func UpdateSubscriptionsInProfile
func UpdateSubscriptionsInProfile(profile map[string]interface{}, username, tenantID, subscriptionID string, isServicePrincipal bool) []interface{}
UpdateSubscriptionsInProfile updates the subscriptions array in an Azure profile. It sets the specified subscription as default and marks all others as not default.
Types
type AzureFileManager
type AzureFileManager struct {
// contains filtered or unexported fields
}
AzureFileManager provides helpers to manage Azure credentials files.
func NewAzureFileManager
func NewAzureFileManager(basePath string, realm string) (*AzureFileManager, error)
NewAzureFileManager creates a new Azure file manager. If basePath is empty, uses default ~/.azure/atmos/{realm} path. The realm parameter provides credential isolation between different repositories.
func (*AzureFileManager) Cleanup
func (m *AzureFileManager) Cleanup(providerName string) error
Cleanup removes Azure files for the given provider.
func (*AzureFileManager) CredentialsExist
func (m *AzureFileManager) CredentialsExist(providerName string) bool
CredentialsExist reports whether a credentials file exists for the given provider.
func (*AzureFileManager) GetCredentialsPath
func (m *AzureFileManager) GetCredentialsPath(providerName string) string
GetCredentialsPath returns the path to the credentials file for the given provider.
func (*AzureFileManager) LoadCredentials
func (m *AzureFileManager) LoadCredentials(providerName string) (*types.AzureCredentials, error)
LoadCredentials loads Azure credentials from a JSON file.
func (*AzureFileManager) WriteCredentials
func (m *AzureFileManager) WriteCredentials(providerName, identityName string, creds *types.AzureCredentials) error
WriteCredentials writes Azure credentials to a JSON file.
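An added example of the write/load pair with the permission model documented under Constants (DirPermissions 0o700, FilePermissions 0o600). This is not the package's AzureFileManager and uses a reduced stand-in for types.AzureCredentials; the credentials.json file name, the temp-file-plus-rename write and the refusal to load a group- or world-readable file are additions of this example, not behaviour the page documents:

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

const (
	DirPermissions  = 0o700 // owner rwx only, as documented on the page
	FilePermissions = 0o600 // owner rw only, as documented on the page
)

// ErrInsecurePermissions is returned when a credentials file is readable by
// anyone but its owner (check added by this example).
var ErrInsecurePermissions = errors.New("credentials file is readable by group or others")

// AzureCredentials is a reduced stand-in for types.AzureCredentials (assumption).
type AzureCredentials struct {
	TenantID       string `json:"tenant_id"`
	SubscriptionID string `json:"subscription_id"`
	AccessToken    string `json:"access_token"`
}

type fileManager struct{ basePath string }

// credentialsPath places each provider's file in its own directory under basePath
// (layout assumed for this example).
func (m *fileManager) credentialsPath(providerName string) string {
	return filepath.Join(m.basePath, providerName, "credentials.json")
}

// writeCredentials never leaves the token on disk with mode wider than 0600:
// CreateTemp opens with 0600 before any byte is written, and the final rename
// is atomic, so a concurrent reader sees either the old or the new file.
func (m *fileManager) writeCredentials(providerName string, creds *AzureCredentials) error {
	path := m.credentialsPath(providerName)
	if err := os.MkdirAll(filepath.Dir(path), DirPermissions); err != nil {
		return err
	}
	data, err := json.Marshal(creds)
	if err != nil {
		return err
	}
	tmp, err := os.CreateTemp(filepath.Dir(path), ".credentials-*.tmp")
	if err != nil {
		return err
	}
	tmpName := tmp.Name()
	cleanup := func(e error) error { tmp.Close(); os.Remove(tmpName); return e }
	if _, err := tmp.Write(data); err != nil {
		return cleanup(err)
	}
	if err := tmp.Chmod(FilePermissions); err != nil { // explicit, independent of umask
		return cleanup(err)
	}
	if err := tmp.Close(); err != nil {
		os.Remove(tmpName)
		return err
	}
	if err := os.Rename(tmpName, path); err != nil {
		os.Remove(tmpName)
		return err
	}
	return nil
}

// loadCredentials refuses a file whose mode grants any group/other bits: a
// token file that became readable by others is treated as an error, not data.
func (m *fileManager) loadCredentials(providerName string) (*AzureCredentials, error) {
	path := m.credentialsPath(providerName)
	info, err := os.Stat(path)
	if err != nil {
		return nil, err
	}
	if perm := info.Mode().Perm(); perm&0o077 != 0 {
		return nil, fmt.Errorf("%w: %s has mode %04o", ErrInsecurePermissions, path, perm)
	}
	data, err := os.ReadFile(path)
	if err != nil {
		return nil, err
	}
	var creds AzureCredentials
	if err := json.Unmarshal(data, &creds); err != nil {
		return nil, err
	}
	return &creds, nil
}

func main() {
	base, _ := os.MkdirTemp("", "azure-example-")
	defer os.RemoveAll(base)
	m := &fileManager{basePath: base}
	// Constructed sample credential; the token value is a placeholder.
	err := m.writeCredentials("azure", &AzureCredentials{TenantID: "tenant-placeholder", SubscriptionID: "sub-placeholder", AccessToken: "TOKEN-PLACEHOLDER"})
	fmt.Println("write:", err)
	creds, err := m.loadCredentials("azure")
	fmt.Println("load:", creds != nil, err)
}
```

The load-side check is the part worth copying: a credentials cache that is only ever written with 0600 can still end up readable by others after a careless chmod or a copy between machines, and failing closed at load time surfaces that before the token is used.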
type ConsoleURLGenerator
type ConsoleURLGenerator struct{}
ConsoleURLGenerator generates Azure Portal URLs with authentication context.
func NewConsoleURLGenerator
func NewConsoleURLGenerator() *ConsoleURLGenerator
NewConsoleURLGenerator creates a new ConsoleURLGenerator.
func (*ConsoleURLGenerator) GetConsoleURL
func (g *ConsoleURLGenerator) GetConsoleURL(ctx context.Context, creds types.ICredentials, options types.ConsoleURLOptions) (string, time.Duration, error)
GetConsoleURL generates an Azure Portal sign-in URL with authentication context.
Azure Portal URLs support deep linking with tenant context:
- Base portal: https://portal.azure.com/
- Tenant-specific: https://portal.azure.com/#@{tenant}
- Resource-specific: https://portal.azure.com/#@{tenant}/resource/subscriptions/{sub}/...
Unlike AWS federation (which requires a signin token), Azure Portal authentication uses browser-based OAuth with the same credentials used to access Azure APIs. The Portal will automatically pick up the user's authenticated session.
References:
func (*ConsoleURLGenerator) SupportsConsoleAccess
func (g *ConsoleURLGenerator) SupportsConsoleAccess() bool
SupportsConsoleAccess returns true (Azure Console URL generator supports console access).
type PrepareEnvironmentConfig
type PrepareEnvironmentConfig struct {
	Environ        map[string]string // Current environment variables
	SubscriptionID string            // Azure subscription ID
	TenantID       string            // Azure tenant ID
	Location       string            // Azure location/region (optional)
	// OIDC-specific configuration for Terraform ARM_USE_OIDC support.
	UseOIDC       bool   // Use OIDC instead of CLI authentication
	ClientID      string // Azure AD application (client) ID
	TokenFilePath string // Path to OIDC token file (optional)
}
PrepareEnvironmentConfig holds configuration for Azure environment preparation.
type SetAuthContextParams
type SetAuthContextParams struct {
	AuthContext  *schema.AuthContext
	StackInfo    *schema.ConfigAndStacksInfo
	ProviderName string
	IdentityName string
	Credentials  types.ICredentials
	BasePath     string
	Realm        string
}
SetAuthContextParams contains parameters for SetAuthContext.