Azure-sdk-for-go: 'unable to create vault authorizer: environment variable AZURE_AUTH_LOCATION is not set' when calling `NewAuthorizerFromFile`

Created on 17 Nov 2020 · 5 Comments · Source: Azure/azure-sdk-for-go

I'm trying to authenticate with the NewAuthorizerFromFile function and get the error from the subject.

```go
package main

import (
    "fmt"
    "io/ioutil"
    "log"
    "os"

    kvauth "github.com/Azure/azure-sdk-for-go/services/keyvault/auth"
)

func main() {
    // Placeholder service principal credentials.
    testString := ` {
            "clientId": "<YOUR CLIENT ID>",
            "clientSecret": "<YOUR CLIENT SECRET>",
            "tenantId": "<YOUR TENANT ID>"
           }`
    testBytes := []byte(testString)

    // Write the credentials to a temporary file.
    file, err := ioutil.TempFile("/tmp", "akv")
    if err != nil {
        log.Fatal(err)
    }

    _, err = file.Write(testBytes)
    if err != nil {
        log.Fatal(err)
    }

    //os.Setenv("AZURE_AUTH_LOCATION", file.Name()) // <-- uncomment this and it'll work!
    _, err = kvauth.NewAuthorizerFromFile(file.Name())

    if err != nil {
        fmt.Printf("unable to create vault authorizer: %v\n", err)
        os.Exit(1)
    }
}
```

  • github.com/Azure/azure-sdk-for-go/services/keyvault/auth
  • SDK version latest
  • go version go1.15.2 darwin/amd64

Looking at the code I realized that the NewAuthorizerFromFile function gets the baseURI from the file but it's not doing anything with it. If indeed it is expected to get the path to the file from an environment variable (AZURE_AUTH_LOCATION), somebody should be setting that environment variable before calling NewAuthorizerFromFileWithResource. You'll see that GetSettingsFromFile is throwing the error.

I don't think I should be setting that environment variable in my code before calling NewAuthorizerFromFile (although, that's what I'm doing now).

Attached is a small repro.

Let me know if there's anything else I can provide to help.

repro.go.zip

Client customer-reported question

All 5 comments

Hi @sebagomez thanks for this issue!

Actually, the Go SDK internally uses this env variable to find the auth file; see the code here: https://github.com/Azure/go-autorest/blob/e85e33a04d242eb0eba5408e4dadf8783047b62f/autorest/azure/auth/auth.go#L294
It is confusing, but the parameter of the function NewAuthorizerFromFile is baseUri instead of filename; therefore the parameter is not used for populating the auth file path, and you will have to use the env variable to let the SDK know the file location.
Well, the parameter baseURI is not used anywhere in the function; it is indeed confusing. But I have to say this behaviour is by design of the Go SDK internal library go-autorest, and this little services/keyvault/auth package is just providing a simple convenience layer over it.

OK, it is very confusing indeed. I don't see the point of expecting a baseUri (which I assumed was the file path) to be ignored and expecting another environment variable, not mentioned anywhere. I chose the NewAuthorizerFromFile function over NewAuthorizerFromEnvironment because I didn't want to use environment variables in my implementation. I don't think there's a point in having two separate functions in that case.

@sebagomez yeah, actually the point of these two functions is where the credentials are stored.
Also, the package github.com/Azure/azure-sdk-for-go/services/keyvault/auth is a wrapper of useful functions from go-autorest, as a convenience layer for the data plane keyvault SDK. The parameter of kvauth.NewAuthorizerFromFile might be a mistake...

@jhendrixMSFT any insights?

The baseURI parameter is used by the SDK to calculate the underlying resource (management, key vault, etc). Apparently the documentation for this was missed. :( That said, I think this API is pretty bad but we can't really change it now (we'd have to add a new one in parallel). In addition, it really doesn't make any sense to have this param in the key vault auth API as we already know what the underlying resource is.

We do document the requirement for the AZURE_AUTH_LOCATION env var here; however, I agree it should be part of the API's documentation.

@ArcturusZhang I will update your v49 release PR with a fix to this API to remove the useless baseURI param.

This should now be resolved.
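
For SDK versions that still behave as described in this thread, the workaround from the original report (setting AZURE_AUTH_LOCATION before the call) can be scoped so that neither the credentials file nor the variable outlives the call. This is an added example, not code from the issue or the SDK: `withAuthFile`, `envMu` and the `load` callback are hypothetical names, and the callback in `main` is a stand-in for the `kvauth.NewAuthorizerFromFile` call so the block runs offline.

```go
package main

import (
	"fmt"
	"os"
	"sync"
)

const authLocationVar = "AZURE_AUTH_LOCATION" // name from the error in this thread

var envMu sync.Mutex // the environment is process-wide, so serialize callers

// withAuthFile (hypothetical helper) writes creds to a private temp file, points
// AZURE_AUTH_LOCATION at it while load runs, then restores the variable and deletes the file.
func withAuthFile(creds []byte, load func() error) error {
	envMu.Lock()
	defer envMu.Unlock()
	f, err := os.CreateTemp("", "akv-*.json") // created with mode 0600
	if err != nil {
		return err
	}
	f.Close()
	defer os.Remove(f.Name()) // do not leave the client secret on disk
	if err := os.WriteFile(f.Name(), creds, 0o600); err != nil {
		return err
	}
	prev, wasSet := os.LookupEnv(authLocationVar)
	if err := os.Setenv(authLocationVar, f.Name()); err != nil {
		return err
	}
	defer func() { // restore the exact previous state: unset stays unset
		if wasSet {
			os.Setenv(authLocationVar, prev)
		} else {
			os.Unsetenv(authLocationVar)
		}
	}()
	return load()
}

func main() {
	creds := []byte(`{"clientId":"<YOUR CLIENT ID>"}`) // constructed placeholder
	err := withAuthFile(creds, func() error {
		// Stand-in for the kvauth.NewAuthorizerFromFile call from the report.
		_, err := os.ReadFile(os.Getenv(authLocationVar))
		return err
	})
	fmt.Println("load error:", err)
}
```

The mutex only protects callers that go through this helper; any other goroutine reading the environment during the call still sees the temporary value.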
