Azure / AKS

Azure Kubernetes Service

[BUG] Workload Identity: Projected Azure token has incomplete subject value #4228

Closed c4milo closed 3 weeks ago

c4milo commented 3 weeks ago

The error we see on our end:

cloud_roles - request_response_helpers.cc:92 - failed during IAM credentials refresh: {"error":"invalid_client","error_description":"AADSTS700213: No matching federated identity record found for presented assertion subject 'system:serviceaccount:redpanda:id-rpcloud-9m4e2mr0ui3e8a215n4'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: 57387b21-0009-4f36-abb1-ca21da303700 Correlation ID: e1a0f18a-a8e8-4079-8c4e-f6da81d6e3c8 Timestamp: 2024-04-23 19:23:57Z","error_codes":[700213],"timestamp":"2024-04-23 19:23:57Z","trace_id":"57387b21-0009-4f36-abb1-ca21da303700","correlation_id":"e1a0f18a-a8e8-4079-8c4e-f6da81d6e3c8"}

Decoded workload identity token as mounted by AKS: token

In the token above, the service account name and subject assertion are missing the last letter. Here is what the federated identity looks like in the portal:

[Two portal screenshots of the federated identity credential, taken 2024-04-23]

Expected behavior

The projected OIDC access token contains the correct subject assertion.

Additional context

I opened a support ticket as well: 2404230040012301
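AADSTS700213 tells you exactly which three claims Entra compares against the federated identity credential: subject, audience and issuer. The following added example (not code from the AKS project or the reporter) decodes a projected token's payload without verifying it and diffs those claims against the expected credential, so a one-character drift like the one in this report is surfaced before the token is presented. The token, the issuer URL and the expected subject's trailing character are constructed placeholders.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    # Unpadded base64url, as used in JWT segments.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample, not a real token: a JWT-shaped string whose payload
# mimics the claims AKS projects into a workload identity token.
SAMPLE_TOKEN = ".".join([
    _b64url(json.dumps({"alg": "RS256", "typ": "JWT"}).encode()),
    _b64url(json.dumps({
        "iss": "https://example-issuer.invalid/",  # placeholder issuer URL
        "sub": "system:serviceaccount:redpanda:id-rpcloud-9m4e2mr0ui3e8a215n4",
        "aud": ["api://AzureADTokenExchange"],
    }).encode()),
    "signature-placeholder",
])

# The federated identity credential as we expect it to be configured. The
# trailing "X" stands in for the missing last letter (constructed value).
EXPECTED_FIC = {
    "issuer": "https://example-issuer.invalid/",
    "subject": "system:serviceaccount:redpanda:id-rpcloud-9m4e2mr0ui3e8a215n4X",
    "audience": "api://AzureADTokenExchange",
}


def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload for inspection only; no signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected 3 dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(padded))


def check_federated_identity(token: str, fic: dict) -> list:
    """Return the mismatches Entra would reject on: issuer, subject, audience."""
    claims = decode_jwt_payload(token)
    problems = []
    if claims.get("iss") != fic["issuer"]:
        problems.append(f"issuer: token={claims.get('iss')!r} fic={fic['issuer']!r}")
    if claims.get("sub") != fic["subject"]:
        problems.append(f"subject: token={claims.get('sub')!r} fic={fic['subject']!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # "aud" may be a string or list
    if fic["audience"] not in aud_list:
        problems.append(f"audience: token={aud_list!r} fic={fic['audience']!r}")
    return problems
```

Running `check_federated_identity(SAMPLE_TOKEN, EXPECTED_FIC)` reports only the subject mismatch, which is the same signal the AADSTS700213 error gives after the fact.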

c4milo commented 3 weeks ago

We found the culprit in our configuration, sorry for the noise!