
azure/native

This provider configuration does not come with the official Microsoft Azure agent but adds its own lightweight tools for basic cloud integration. Those tools allow you to build simple scripts that can work with all the metadata of the virtual machine. There are helpers that give you easy access to the Azure APIs via managed identities as well as simple commands to retrieve secrets and credentials from Azure Keyvault. On top of those tools, this provider configuration also comes with an Azure AD native SSH login integration that leverages your Azure AD SSO for user access.

login_-aad

The login_-aad tool provides Azure AD SSO integration for your OpenBSD users. To set it up, start from the example configurations in providers/azure/native/etc/examples.

The /etc/login_-aad file contains the basic Azure AD configuration: the tenant ID and the App Registration's client ID to use for the device code login.

The /etc/login.conf will need to allow the -aad mechanism and should probably forbid all others. The example login.conf has a comment about it.

The /etc/ssh/sshd_config then has to disable traditional public-key and password authentication and switch to bsdauth to use the OpenBSD native login mechanism. An example configuration file is in the same directory.

get-identity-token-for

get-identity-token-for <resource-id> [client-id]

Prints a token generated by the instance identity API for the given resource-id. This can be used to call other Azure APIs with the token of a managed identity attached to the VM. An example resource-id is https://vault.azure.net, which yields a token that can access an Azure Keyvault.

If you use multiple managed identities on the VM, you can specify client-id explicitly.

get-secret-from

get-secret-from <vault-name> <secret-name> [client-id]

Prints the value of a secret in an Azure Keyvault. This can be used to fetch credentials and write them to configuration files etc.

Uses the AZURE_IDENTITY_TOKEN environment variable to access the keyvault. If it is not set, a new token is fetched automatically. If you use multiple managed identities on the VM, you can specify client-id explicitly.
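To show what get-identity-token-for and get-secret-from do under the hood, here is an added example written against Azure's documented IMDS token endpoint and the Key Vault secrets REST API; it is not the project's own code. It assumes curl is installed, and the function names, the api-version values and the sample JSON are this example's own choices.

```sh
#!/bin/sh
# Added example (not the project's code): the two REST calls behind
# get-identity-token-for and get-secret-from.
IMDS="http://169.254.169.254/metadata/identity/oauth2/token"

# Build the IMDS token request URL for a resource and an optional
# managed identity client id (needed when several identities are attached).
imds_token_url() {
    resource="$1"; client_id="$2"
    url="${IMDS}?api-version=2018-02-01&resource=${resource}"
    [ -n "$client_id" ] && url="${url}&client_id=${client_id}"
    printf '%s\n' "$url"
}

# Build the Key Vault URL for the current version of a secret.
keyvault_secret_url() {
    printf 'https://%s.vault.azure.net/secrets/%s?api-version=7.4\n' "$1" "$2"
}

# Extract a top-level string field from a JSON document on stdin without jq.
json_field() {
    field="$1"
    sed -n "s/.*\"${field}\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Fetch a token from IMDS. The "Metadata: true" header is mandatory and the
# link-local address only answers from inside the VM, so this never works off-box.
get_identity_token_for() {
    curl -sf -H 'Metadata: true' "$(imds_token_url "$1" "$2")" | json_field access_token
}

# Read a secret, reusing AZURE_IDENTITY_TOKEN when set (keeps the token out
# of argv and process listings) and fetching a vault-scoped token otherwise.
get_secret_from() {
    token="${AZURE_IDENTITY_TOKEN:-$(get_identity_token_for https://vault.azure.net "$3")}"
    curl -sf -H "Authorization: Bearer ${token}" "$(keyvault_secret_url "$1" "$2")" | json_field value
}
```

The token is scoped to the resource it was requested for, so a token obtained for https://vault.azure.net cannot be replayed against other Azure APIs.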

get-tag-value-of

get-tag-value-of <tag-name>

Prints the value of the tag with the given name. Can be used to control the behavior of your machine and scripts via Azure VM tags.

list-tags

list-tags

Prints the list of tags assigned to the VM, one key-value pair per line, which is easy to parse in scripts.

report-healthy

(superuser only)

report-healthy

Reports to Azure that the instance booted successfully. Without this report, the status of the instance stays stuck in "booting" in the Azure UI, and if you use health checks in virtual machine scale sets, the machine would be shut down without the signal.

This tool is automatically called during the boot process in this profile.

sync-metadata

(superuser only)

sync-metadata

Fetches the current metadata about the instance from the Azure API server and stores it under /etc/azure/, both in the original JSON format and as a simple shell-readable key=value format.

Automatically sets up the hostname of the instance and adds the public IP of the instance if one is attached.

This tool is automatically called during the boot process in this profile.