Skip to content

fix: update azure workload identity authentication to use federated t… #1432

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
abestel wants to merge 1 commit into from
Closed

fix: update azure workload identity authentication to use federated t… #1432

abestel wants to merge 1 commit into from

Conversation

@abestel
Copy link

@abestel abestel commented Nov 17, 2025

…oken directly

Description: (required)

The environment already reads the value of the file, which made the second read with the actual token fail.

Tests Run/Test cases added: (required)

  • Description of test case

Type of Change:

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)
  • Documentation update
  • Refactoring (no functional changes)

@abestel
Copy link
Author

abestel commented Nov 17, 2025

This is a bug that appeared in #1408. cc @VisargD and @b4s36t4

@narengogi narengogi requested a review from b4s36t4 November 18, 2025 09:17
narengogi
narengogi requested changes Nov 18, 2025
View reviewed changes
Copy link
Collaborator

@narengogi narengogi left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hey @abestel I'm assuming you're facing an error with using this mode of authentication with cloudflare workers?
I would that you keep the existing support for file path and add the direct token change separately, you can add a check for the workerd environment if required using import { getRuntimeKey } from 'hono/adapter';

fix(env): avoid reading federated token directly
a2f806a 
`AZURE_FEDERATED_TOKEN_FILE` is a path to a file containing a token, which content can be used to exchanged against a JWT to authenticate against Azure Services. The file should not be read at startup.
@abestel abestel force-pushed the fix/azure-workload-identity branch from 23d8e2d to a2f806a Compare November 18, 2025 10:50
@abestel
Copy link
Author

abestel commented Nov 18, 2025

Hey @abestel I'm assuming you're facing an error with using this mode of authentication with cloudflare workers? I would that you keep the existing support for file path and add the direct token change separately, you can add a check for the workerd environment if required using import { getRuntimeKey } from 'hono/adapter';

Actually that's not the case, but in the meantime I've thought some more about this case, and the token file should not be read at startup anyway, since the content may change during the application lifecycle.

I simplified the change to avoid reading the content of the file when reading the value of the environment variable.

@narengogi
Copy link
Collaborator

narengogi commented Dec 8, 2025

@abestel what is the purpose of not reading from the path? in azure deployments the token file is often rotated so reading from the file is required
wdym by

The environment already reads the value of the file, which made the second read with the actual token fail.

@narengogi narengogi closed this Dec 8, 2025
@abestel
Copy link
Author

abestel commented Dec 8, 2025

@abestel what is the purpose of not reading from the path? in azure deployments the token file is often rotated so reading from the file is required wdym by

The environment already reads the value of the file, which made the second read with the actual token fail.

The token file is read later in the Azure OpenAI implementation, we don’t need to read it at startup. As you’re saying, the token is often rotated, so reading it once at startup is actually a mistake.

What I mean is that the functionality is currently broken because:

  • 1/ the content of the file which path is set in the environment variable is read at startup
  • 2/ in the Azure OpenAI implementation, we expect a file path to be set in the environment variable, but instead it’s the token value, which is failing because this is not a file path anymore.

I’m not sure why you closed this PR, because the current version of Portkey fails to authenticate using workload identities.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@narengogi narengogi narengogi requested changes

@b4s36t4 b4s36t4 Awaiting requested review from b4s36t4

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@abestel @narengogi