// Azure supports instance identity verification:
// https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux#tabgroup_14
// @Summary Authenticate agent on Azure instance
// @ID authenticate-agent-on-azure-instance
// @Security CoderSessionToken
// @Accept json
// @Produce json
(rw http.ResponseWriter, r *http.Request)
// @Success 200 {object} agentsdk.AuthenticateResponse
// @Router /api/v2/workspaceagents/azure-instance-identity [post]
func (api *API) postWorkspaceAuthAzureInstanceIdentity(rw http.ResponseWriter, r *http.Request) {
	ctx := r.Context()

	// Decode the Azure instance identity token from the request body.
	// httpapi.Read reports false when the body could not be read into
	// the struct; presumably it has already written the error response
	// by then, so nothing more is sent here — confirm against httpapi.
	var token agentsdk.AzureInstanceIdentityToken
	if !httpapi.Read(ctx, rw, r, &token) {
		return
	}

	// Check the signed identity document against the configured Azure
	// certificate set. The same request context is used for the whole
	// handler so cancellation propagates into the validation call.
	instanceID, err := azureidentity.Validate(ctx, token.Signature, api.AzureCertificates)
	if err != nil {
		// Operators get the full error in the log; the caller only ever
		// sees a fixed message. The certificate fetch path can surface
		// fragments of internal HTTP responses, and echoing those back
		// would be an information disclosure.
		api.Logger.Warn(ctx, "azure identity validation failed", slog.Error(err))
		httpapi.Write(ctx, rw, http.StatusUnauthorized, codersdk.Response{
			Message: "Invalid Azure identity.",
			Detail:  "Signature verification failed.",
		})
		return
	}

	// Validation succeeded; the instance ID is now trusted and the
	// shared instance-identity auth path takes over from here.
	api.handleAuthInstanceID(rw, r, instanceID, token.AgentName)
}

// AWS supports instance identity verification:
// https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instance-identity-documents.html