Azure / azure-workload-identity

Azure AD Workload Identity uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods.
https://azure.github.io/azure-workload-identity
MIT License

Maximum of 20 federated identity credentials per Azure AD Application/Managed identity #575

Open aramase opened 2 years ago

aramase commented 2 years ago

xref: https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0#design-considerations

danbrad commented 2 years ago

This document appears to imply that an AKS cluster can only have 20 federated identities per AKS cluster, is that correct?

https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview#limitations

Or, based on the document you linked above can we have as many managed identities as we like federated into AKS, but each of them can only have 20 federated credentials attached?

Thanks

aramase commented 2 years ago

> Or, based on the document you linked above can we have as many managed identities as we like federated into AKS, but each of them can only have 20 federated credentials attached?

It's 20 federated credentials per Azure AD App/managed identity.

danbrad commented 2 years ago

Great, thank you!

pockyhe commented 1 year ago

Hi @aramase, we have the following question about this limitation: for now, we have multiple (more than 20) namespaces in AKS. Within all of these namespaces, we need to access Azure resources. However, we hope to only assign credentials in a single 3rd-party app; we don't want to create multiple 3rd-party apps. How can we achieve it?

aramase commented 1 year ago

> Hi @aramase, we have the following question about this limitation: for now, we have multiple (more than 20) namespaces in AKS. Within all of these namespaces, we need to access Azure resources. However, we hope to only assign credentials in a single 3rd-party app; we don't want to create multiple 3rd-party apps. How can we achieve it?

@pockyhe If you need to use the identity with more than 20 federated identity credentials, it is not possible because of this limitation. You'll need to create another identity.

In the future, this could be supported with wildcards in federated identity credentials. Could you add your scenario and details to this issue? This is a growing list of setups and requirements that the AAD team is looking at as part of supporting wildcards.

cc @udayxhegde
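The workaround aramase describes (a further identity once one has 20 credentials) can be scripted. The following is an added example, not code from azure-workload-identity or from anyone in this thread: it shards a list of namespaces across user-assigned managed identities so that no identity receives more than 20 federated identity credentials, and prints (rather than runs) the az CLI commands that would create them, so the plan can be reviewed before anything is changed. The resource group, identity name prefix, OIDC issuer URL and service account name are placeholders; the subject format `system:serviceaccount:<namespace>:<serviceaccount>` and the audience `api://AzureADTokenExchange` are the ones workload identity uses.

```shell
#!/bin/sh
# Added example: shard Kubernetes service accounts across several
# user-assigned managed identities to stay under the 20-federated-credential
# limit per identity. Nothing here calls Azure; commands are only printed.
set -eu

FIC_LIMIT=20                                   # hard limit per Azure AD app / managed identity
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"                     # placeholder
IDENTITY_PREFIX="${IDENTITY_PREFIX:-wi-shard}"                # placeholder: wi-shard-0, wi-shard-1, ...
OIDC_ISSUER="${OIDC_ISSUER:-https://oidc.example.invalid/}"   # placeholder for the cluster's OIDC issuer URL
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-workload-sa}"             # placeholder: service account name used in every namespace

# shard_index N -> zero-based index of the identity that holds the Nth (zero-based) namespace
shard_index() {
  echo $(( $1 / FIC_LIMIT ))
}

# shard_count TOTAL -> number of identities needed for TOTAL namespaces (ceiling division)
shard_count() {
  echo $(( ($1 + FIC_LIMIT - 1) / FIC_LIMIT ))
}

# plan NS... -> one line per namespace: "<identity-name> <federated-credential-subject>"
plan() {
  i=0
  for ns in "$@"; do
    printf '%s-%s system:serviceaccount:%s:%s\n' \
      "$IDENTITY_PREFIX" "$(shard_index "$i")" "$ns" "$SERVICE_ACCOUNT"
    i=$((i + 1))
  done
}

# emit_commands NS... -> az CLI commands (printed, not executed) that create the
# identities from shard_count() and the federated credentials from plan()
emit_commands() {
  count=$(shard_count "$#")
  idx=0
  while [ "$idx" -lt "$count" ]; do
    printf "az identity create --resource-group '%s' --name '%s'\n" \
      "$RESOURCE_GROUP" "${IDENTITY_PREFIX}-${idx}"
    idx=$((idx + 1))
  done
  plan "$@" | while read -r identity subject; do
    # recover the namespace from the subject to name the credential after it
    ns=${subject#system:serviceaccount:}
    ns=${ns%%:*}
    printf "az identity federated-credential create --resource-group '%s' --identity-name '%s' --name '%s' --issuer '%s' --subject '%s' --audiences api://AzureADTokenExchange\n" \
      "$RESOURCE_GROUP" "$identity" "fic-${ns}" "$OIDC_ISSUER" "$subject"
  done
}

# Usage: emit_commands team-a team-b ... > plan.sh ; review, then run plan.sh
```

Each pod's service account must be annotated with the client ID of the identity its namespace was assigned to, so the output of `plan` is also the mapping to feed into those annotations; keeping the plan in version control makes it obvious which shard a new namespace lands in.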

eyal-moscovici commented 6 months ago

Hi, the wildcard feature has been delayed for 2 years already; can you please increase the limit to 200?

MoussaBangre commented 3 months ago

Please increase this to 200. I do not really understand the reason for this limitation.