
fix: reject incomplete Azure KV auth #1670

Open
immanuwell wants to merge 1 commit into fluxcd:main from immanuwell:fix/azure-auth-fallback

Conversation

@immanuwell


This fixes a small Azure Key Vault auth bug.

An incomplete sops.azure-kv config with tenantId and clientId, but no clientSecret or clientCertificate, was slipping into the managed identity path. That hides a bad secret and picks the wrong auth mode.

The fix makes that config fail fast. clientId only still uses managed identity, so existing MI setups keep working.

Repro:

1. Create a decryption secret with:

   ```yaml
   sops.azure-kv: |
     tenantId: some-tenant-id
     clientId: some-client-id
   ```

2. Before this patch, `TokenCredentialFromAADConfig` returns `*azidentity.ManagedIdentityCredential` and no error.
3. After this patch, it returns an error.

Validation:
make tidy fmt vet && make test

Return an error when tenantId and clientId are set without a
clientSecret or clientCertificate.

This keeps incomplete service principal configs from silently
falling back to managed identity, which matches the documented
auth modes and makes misconfigurations fail fast.

Signed-off-by: immanuwell <pchpr.00@list.ru>
Assisted-by: Codex/gpt-5
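The auth-mode selection rule this PR describes, written out as a stand-alone Go model (an added example, not the project's or the PR's code; `AADConfig`, `ParseAADConfig` and `SelectAuthMode` are hypothetical names, the flat line parser stands in for the project's YAML handling, and treating an empty config as managed identity is an assumption not stated on the page):

```go
package main

import (
	"errors"
	"strings"
)

// AADConfig holds the keys of a sops.azure-kv block (hypothetical struct, not the project's type).
type AADConfig struct {
	TenantID, ClientID, ClientSecret, ClientCertificate string
}

// ParseAADConfig reads the flat "key: value" lines of a sops.azure-kv block; unknown keys are ignored.
func ParseAADConfig(raw string) AADConfig {
	var c AADConfig
	fields := map[string]*string{
		"tenantId": &c.TenantID, "clientId": &c.ClientID,
		"clientSecret": &c.ClientSecret, "clientCertificate": &c.ClientCertificate,
	}
	for _, line := range strings.Split(raw, "\n") {
		if k, v, ok := strings.Cut(line, ":"); ok {
			if p, known := fields[strings.TrimSpace(k)]; known {
				*p = strings.TrimSpace(v)
			}
		}
	}
	return c
}

// SelectAuthMode applies the post-fix rule: a tenantId+clientId pair is a
// service principal and must carry clientSecret or clientCertificate, so the
// incomplete form is an error instead of a silent managed identity fallback.
// clientId alone keeps resolving to managed identity. An empty config is
// treated as system-assigned managed identity (assumption, not stated on the page).
func SelectAuthMode(c AADConfig) (string, error) {
	spPair := c.TenantID != "" && c.ClientID != ""
	switch {
	case spPair && c.ClientCertificate != "":
		return "client-certificate", nil
	case spPair && c.ClientSecret != "":
		return "client-secret", nil
	case spPair:
		return "", errors.New("tenantId and clientId set without clientSecret or clientCertificate")
	case c.ClientSecret != "" || c.ClientCertificate != "":
		return "", errors.New("clientSecret or clientCertificate require tenantId and clientId") // assumption
	default:
		return "managed-identity", nil
	}
}
```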
