Reputation: 1
We are currently running tests using cinc-auditor and Azure InSpec. We are in the process of changing from password-based authentication to OIDC and are not able to run the tests.
We changed from authenticating against Azure using a password:
az login --service-principal --username "${ARM_CLIENT_ID}" --password "${ARM_CLIENT_SECRET}" --tenant "${ARM_TENANT_ID}" --output none
to authenticating with an OIDC token:
az login --service-principal --username "${ARM_CLIENT_ID}" --federated-token "${ARM_OIDC_TOKEN}" --tenant "${ARM_TENANT_ID}" --output none
The login works fine, but cinc-auditor doesn't like this and throws this error:
ERROR: The following must be set in the Environment: [:tenant_id, :client_id, :client_secret, :subscription_id].
Is it possible to use cinc-auditor/chef while authenticating with federated-token?
Upvotes: 0
Views: 52
Reputation: 7828
The following must be set in the Environment: [:tenant_id, :client_id, :client_secret, :subscription_id]:
The above error suggests that the tenant_id, ClientID, subscription and client secret must be set as environment variables. To define environment variables, use the export keyword as shown below.
export Tenant_ID="xxx"
export Sub_ID="xxx"
export client_ID="xxx"
az login --service-principal -u "xxx" -p "xxxx" --tenant ${Tenant_ID} --federated-token ${token}
Also check the configuration and dependencies of the cinc-auditor functionality. Also set the OIDC token as an environment variable when invoking cinc-auditor, so that the token is included if cinc-auditor supports passing a token.
Once that is done, pass InSpec inputs to run cinc-auditor with the specified environment variables and a command.
Upvotes: 0
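A preflight check for the four settings named in the error message, as an added example that is not part of either post. The `AZURE_*` variable names are an assumption (they do not appear on this page), and the function names are hypothetical. With the federated-token login from the question no client secret is exported, so `client_secret` is reported as missing.

```shell
# Settings listed in the error message from the question.
REQUIRED_SETTINGS="tenant_id client_id client_secret subscription_id"

# True when NAME is exported and non-empty. printenv only sees exported
# variables, which is what a child process such as cinc-auditor inherits.
# The value is discarded so secrets never reach the CI log.
is_exported() {
    [ -n "$(printenv "$1" 2>/dev/null)" ]
}

# Print the settings (space-separated) whose AZURE_* variable is missing.
# AZURE_<SETTING> is the assumed naming scheme, not taken from this page.
missing_settings() {
    missing=""
    for setting in $REQUIRED_SETTINGS; do
        var="AZURE_$(printf '%s' "$setting" | tr '[:lower:]' '[:upper:]')"
        is_exported "$var" || missing="${missing:+$missing }$setting"
    done
    printf '%s\n' "$missing"
}

# Report each missing setting, noting when the ARM_* name used in the
# question is exported instead. Returns 1 if anything is missing.
preflight() {
    m="$(missing_settings)"
    if [ -z "$m" ]; then
        echo "all four settings are exported"
        return 0
    fi
    for setting in $m; do
        upper="$(printf '%s' "$setting" | tr '[:lower:]' '[:upper:]')"
        if is_exported "ARM_$upper"; then
            echo "missing AZURE_$upper (ARM_$upper is exported instead)"
        else
            echo "missing AZURE_$upper"
        fi
    done
    return 1
}
```

Source the file and call `preflight` in the pipeline step that runs before cinc-auditor is invoked.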