From 9b006456313624533b6ae37f0be577a36afa7ade Mon Sep 17 00:00:00 2001 From: immanuwell Date: Sun, 14 Jun 2026 22:00:04 +0400 Subject: [PATCH] fix: Reject incomplete Azure KV auth Return an error when tenantId and clientId are set without a clientSecret or clientCertificate. This keeps incomplete service principal configs from silently falling back to managed identity, which matches the documented auth modes and makes misconfigurations fail fast. Signed-off-by: immanuwell Assisted-by: Codex/gpt-5 --- internal/sops/azkv/config.go | 1 + internal/sops/azkv/config_test.go | 8 ++++++++ 2 files changed, 9 insertions(+) diff --git a/internal/sops/azkv/config.go b/internal/sops/azkv/config.go index 2de7fd889..fa7866336 100644 --- a/internal/sops/azkv/config.go +++ b/internal/sops/azkv/config.go @@ -100,6 +100,7 @@ func TokenCredentialFromAADConfig(c AADConfig) (token azcore.TokenCredential, er }, }) } + return nil, fmt.Errorf("invalid data: requires 'clientSecret' or 'clientCertificate' when both 'tenantId' and 'clientId' are set") } switch { diff --git a/internal/sops/azkv/config_test.go b/internal/sops/azkv/config_test.go index 54153ea8d..1790049fd 100644 --- a/internal/sops/azkv/config_test.go +++ b/internal/sops/azkv/config_test.go @@ -153,6 +153,14 @@ func TestTokenFromAADConfig(t *testing.T) { }, want: &azidentity.ManagedIdentityCredential{}, }, + { + name: "Incomplete Service Principal does not fall back to Managed Identity", + config: AADConfig{ + TenantID: "some-tenant-id", + ClientID: "some-client-id", + }, + wantErr: true, + }, } for _, tt := range tests { t.Run(tt.name, func(t *testing.T) {