Support Azure Workload Identities #5085
Comments
We should keep an eye on Azure/go-autorest#680. Once this PR is merged it should be fairly straightforward to implement in cert-manager.
Azure/go-autorest#680 has been merged. The latest version (github.com/Azure/go-autorest/autorest/adal v0.9.20) includes it. I have previously hacked together an implementation using the feature branch. I can try to have a go at doing a proper PR on this, but I'll only be able to do so in a few weeks' time. This is how I did it though (in pkg/issuer/acme/dns/azuredns/azuredns.go) if someone wants to have a go:

```go
// Fragment of pkg/issuer/acme/dns/azuredns/azuredns.go as posted above. It sits inside the
// function that builds the DNS client, where `env` (the azure.Environment selected for the
// target cloud) is already in scope. Imports needed: fmt, io/ioutil, os,
// github.com/Azure/go-autorest/autorest/adal and cert-manager's logf package.
logf.Log.V(logf.InfoLevel).Info("azuredns authenticating with Azure Workload Identity")
// These variables are injected into the pod by the Workload Identity webhook.
awiClientId := os.Getenv("AZURE_CLIENT_ID")
awiTenantId := os.Getenv("AZURE_TENANT_ID")
// The projected, short-lived service-account token is mounted at this path.
jwtBytes, err := ioutil.ReadFile(os.Getenv("AZURE_FEDERATED_TOKEN_FILE"))
if err != nil {
	return nil, fmt.Errorf("failed to read Azure Workload Identity token file: %v", err)
}
jwt := string(jwtBytes)
oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, awiTenantId)
if err != nil {
	return nil, fmt.Errorf("failed to retrieve OAuth config: %v", err)
}
// Exchange the federated token for a service principal token scoped to the ARM endpoint;
// spt is then used to build the DNS client's authorizer in the rest of the function.
spt, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, awiClientId, jwt, env.ResourceManagerEndpoint)
if err != nil {
	return nil, fmt.Errorf("failed to create federated service principal token: %v", err)
}
```
Nice - maybe do a PR and it can get merged?
Related Slack conversation https://kubernetes.slack.com/archives/C4NV3DWUC/p1655641139820009
I've been testing out the preview of AWI and hitting blocks like this with various tooling that doesn't yet support the federated auth. Looking forward to this support in cert-manager.
Issues go stale after 90d of inactivity.
Stale issues rot after 30d of inactivity.
@karlschriek sorry to bother you, but I was wondering if you could shed some light on this issue? I'm looking for replacing deprecated aad pod identity. Thanks!
Azure recently added Azure Workload Identities (see https://github.com/Azure/azure-workload-identity and https://azure.github.io/azure-workload-identity/docs/) to AKS. Officially the functionality is still in Preview, but the approach is quite stable and we are already using it in various production situations.
AWI is essentially the equivalent of AWS's IAM Roles for Service Accounts and works the same. I.e., your cluster becomes an OIDC identity provider and a specific service account in a specific namespace can be designated as a federated principal to which Azure IAM roles can be attached. This is significantly more secure than using credentials (i.e. Service Principals with client secrets) or Managed Service Identities (for which the whole Node is able to assume the identity).
Also similarly to IRSA, AWI works by annotating a Service Account, as follows:
By attaching this ServiceAccount to a Pod, we get the following env vars in the Pod:
At the location `AZURE_FEDERATED_TOKEN_FILE` a temporary token is mounted. To be able to use this we would just need to configure Azure authentication to use the `AZURE_FEDERATED_TOKEN_FILE` for login. I would really love to see this supported in cert-manager.
/kind feature
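As an added example (not from the issue, the commenter or cert-manager), this Go function shows the exchange that the `adal.NewServicePrincipalTokenFromFederatedToken` call in the snippet above performs and that this issue asks cert-manager to support: the projected service-account JWT from `AZURE_FEDERATED_TOKEN_FILE` is posted as a client assertion and an ARM access token comes back. It uses only the standard library so the request can be inspected and tested against a fake endpoint; the function and argument names are my own, and the endpoint shape assumes the `<ActiveDirectoryEndpoint>/<tenant>/oauth2/token` form that `adal.NewOAuthConfig` builds (without the api-version query parameter).

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/url"
	"os"
	"strings"
)

// ExchangeFederatedToken does what adal.NewServicePrincipalTokenFromFederatedToken does underneath:
// a client_credentials grant in which the pod's projected service-account JWT is the client
// assertion. adEndpoint and resource correspond to env.ActiveDirectoryEndpoint and
// env.ResourceManagerEndpoint in the snippet above; the tenant-scoped token URL is derived as
// adal.NewOAuthConfig does. (Hypothetical helper, not cert-manager code.)
func ExchangeFederatedToken(c *http.Client, adEndpoint, resource string) (string, error) {
	clientID, tenantID, tokenFile := os.Getenv("AZURE_CLIENT_ID"), os.Getenv("AZURE_TENANT_ID"), os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
	if clientID == "" || tenantID == "" || tokenFile == "" {
		return "", errors.New("AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE must all be set")
	}
	// The projected token is short-lived and rotated by the kubelet: re-read it on every exchange.
	jwt, err := os.ReadFile(tokenFile)
	if err != nil {
		return "", fmt.Errorf("reading federated token file: %w", err)
	}
	endpoint := strings.TrimSuffix(adEndpoint, "/") + "/" + tenantID + "/oauth2/token"
	form := url.Values{
		"grant_type":            {"client_credentials"},
		"client_id":             {clientID},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {strings.TrimSpace(string(jwt))},
		"resource":              {resource},
	}
	resp, err := c.PostForm(endpoint, form)
	if err != nil {
		return "", fmt.Errorf("calling token endpoint: %w", err)
	}
	defer resp.Body.Close()
	var body struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
	}
	if err := json.NewDecoder(resp.Body).Decode(&body); err != nil {
		return "", fmt.Errorf("decoding token response: %w", err)
	}
	if resp.StatusCode != http.StatusOK || body.AccessToken == "" {
		return "", fmt.Errorf("token endpoint returned HTTP %d: %s", resp.StatusCode, body.Error)
	}
	return body.AccessToken, nil
}
```

In a pod with the annotated ServiceAccount the three environment variables are already present, so a caller only needs to supply the cloud's AD and ARM endpoints.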