search

Azure / aksArc

# Welcome to the Azure Kubernetes Service enabled by Azure Arc (AKS Arc) repo This is where the AKS Arc team will track features and issues with AKS Arc. We will monitor this repo in order to engage with our community and discuss questions, customer scenarios, or feature requests. Checkout our projects tab to see the roadmap for AKS Arc!
MIT License
114 stars 45 forks source link

Add Certificate authentication to Set-AKSHCIRegistration, since this cmdlet requires an SPN secret despite many environments disallowing SPN secret creation #379

Closed tisuydam closed 1 week ago

tisuydam commented 2 months ago

Title: Add SPN certificate authentication to Set-AKSHCIRegistration and entire deployment workflow for more secure automation purposes (-skiplogin doesn't work because this cmdlet seems to require an SPN text secret)

Description: Request: I am requesting that certificate authentication of the type "Connect-AzAccount -certificatethumbprint -Tenant -ApplicationId -serviceprincipal" could be used for this cmdlet since Connect-AzAccount is used under the hood anyway. I am also requesting that the AKSHCI workflow can be done entirely with SPN certificate authentication and no secret text keys.

Environment: Windows server 2022 physical servers Public Azure tenant

Problem I am trying to solve: In environments where SPN text secrets are disallowed, this cmdlet does not seem to work. Therefore it is not possible to deploy AKSHCI hybrid clusters even with an SPN having owner or contrib roles on the sub. In environments where I can use SPN text keys, it WILL work. I think maybe the issue is that this specific cmdlet requires an SPN secret even when giving the cmdlet an access token for both graph and arm. I tried to look as far as i could see in the code to see whether the cmdlet is looking for the secret key in the ARMcontext json, because I think that is what is happening rather than relying on context.

This feature could be considered as fixing a security weakness as well as possibly a bug? It seems possible to use the certificate authentication context in order to call all the needed tokens for access instead of using a secret text key.

After testing with version 1.1.4 and 1.2.4 , it seems that neither of the following work : 1) adding the ARM and Graph access tokens like so: Connect-AzAccount -certificatethumbprint -Tenant -ApplicationId -serviceprincipal; $graphtoken = Get-AzAccessToken -ResourceUrl 'https://graph.windows.net/' $armtoken = Get-AzAccessToken -ResourceTypeName Arm Set-AksHciRegistration -subscriptionId "$subid" -resourceGroupName $rg -TenantId $tenantid -GraphAccessToken $graphtoken.token -ArmAccessToken $armtoken.token -AccountId

2) Trying to bypass login to force this cmdlet to rely on the underlying account context: Connect-AzAccount -certificatethumbprint -Tenant -ApplicationId -serviceprincipal; Set-AksHciRegistration -subscriptionId $subid -resourceGroupName $rg -TenantId $tenantid -SkipLogin

No matter what I do, this cmdlet claims "insufficient privileges error" despite the SPN having owner role over the entire subscription so long as the SPN does not have a secret text key. In other environments where I can use SPN secret text keys, this cmdlet will work.

This may also be a possible fix for Set-AksHciRegistration is not saving SPN secret in AzureRmContext.json causes install-AksHci fail

tisuydam commented 2 weeks ago

Still keeping an eye on this.

madhanrm commented 1 week ago

The latest release of https://github.com/Azure/aksArc/releases/tag/AKS-arc-2411 has an update to decouple from Az Accounts module.

$credential = New-Object System.Management.Automation.PSCredential($AzureAppliacationId, ($servicePrincipalKey | ConvertTo-SecureString -AsPlainText -Force) )
Set-AksHciRegistration -SubscriptionId "${AzureSubscriptionID}" -TenantId $tenantId -Credential $credential -ResourceGroupName $azureResourceGroup
Install-AksHci -credential $credential