OPA Connection between Azure App Service and Azure Storage Bundle Server using Managed Identity #592
vagrawal-nc started this conversation in Community
Hi @anderseknert, would you be able to please give us any direction on the above issue?
Hello Team,
We have come across an issue when the OPA server tries to connect to the bundle server and download the existing policies.
Our OPA server has been deployed in Azure App Service (Web App for Container), with Azure Storage as the bundle server. It works fine with the credential as OAuth2 (with Client Id and Secret); however, we want it to use Managed Identity based authentication. We looked into the OPA documentation (https://www.openpolicyagent.org/docs/latest/configuration/#azure-managed-identities-token) and followed the instructions, but it is not able to connect. Below are the issues logged as part of the connection.
Also, the docs say the default URL used to get the token is http://169.254.169.254/metadata/identity/oauth2/token unless supplied.
The question is: will the token endpoint remain the same for Azure App Service, or is the above token URL only valid for VM-based applications?
We could not find any docs or solution where an Azure App Service is required to connect to Storage, so could someone help us get this working with any sort of additional configuration?