Open SwatiBaffle opened 5 months ago
@billwert @g2vinay
Thank you for your feedback. Tagging and routing to the team member best able to assist.
We also have the same problem. It seems like azure-identity-extensions for Java, used for authenticating, does not support Workload Identity. I also opened an issue yesterday.
The auth flow for azure-identity
usually looks like: Environment -> Workload Identity -> Managed Identity -> ... rest of methods. For azure-identity-extensions
the Workload Identity step is completely missing from the flow, thus it is still required to use Managed Identity, which is deprecated.
fyi: https://github.com/Azure/azure-sdk-for-java/issues/39540
Hello @SwatiBaffle
We'll take a look at this and get back to you soon.
Any update here?
Any update on this issue? I am also facing the same issue. I am using the azure-identity library with version 1.12.0. I have followed all the steps to enable workload identity as mentioned in https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster. Following is the snippet of code I am using:
import com.azure.core.credential.*;
import com.azure.identity.*;
DefaultAzureCredential managedIdentityCredentialUserAssigned = new DefaultAzureCredentialBuilder()
        .managedIdentityClientId("bd947a20-baf1-4009-ab9a-c8aa361527a6").build();
// No scope is added to the request context, which is why the log below reports "scopes []"
AccessToken accessToken = managedIdentityCredentialUserAssigned
        .getToken(new TokenRequestContext().setTenantId(tenantId)).block();
String token = accessToken.getToken();
logger.info("token : {}", token); // writes a bearer token to the log; debugging only
Here bd947a20-baf1-4009-ab9a-c8aa361527a6 is the clientId corresponding to the managed identity. managedIdentityCredentialUserAssigned.getToken() is throwing the following error:
[DEBUG] com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes []: Managed Identity authentication is not available.
Is this a defect in Azure SDK for java as discussed above?
Use the WorkloadIdentityCredential to target Workload Identity directly.
TokenCredential workloadIdentityCredential = new WorkloadIdentityCredentialBuilder().build();
If the issue persists, check and reply with the env vars available in the cluster to verify workload identity is available.
Please share a snippet of code which shows how a JDBC client works with workload identity. How does the token request get generated after this line: TokenCredential workloadIdentityCredential = new WorkloadIdentityCredentialBuilder().build();
That will be helpful.
a) Set up a Postgres database with managed identity
b) Add this managed identity in the database: psql "host= dbname=postgres user= password=$PGPASSWORD" -c "select * from pgaadauth_create_principal_with_oid(,, 'service', false, false);"
c) Create an app which creates JDBC connectivity to the Postgres db (workload identity enabled)
d) Deploy this app in a K8s env and verify the flow with the JDBC connection; the K8s pod already uses azure.workload.identity/use: "true" as well as, for the service account, azure.workload.identity/client-id:
There are two issues faced during this setup, which error out as below:
ERROR ManagedIdentityCredential:553 - Azure Identity => ERROR in getToken() call for scopes [https://ossrdbms-aad.database.windows.net/.default]: Managed Identity authentication is not available.
Looking for a reference doc and steps here:
create a Postgres database with workload identity
create a JDBC app to connect to the Postgres database