Azure / azure-workload-identity

Azure AD Workload Identity uses Kubernetes primitives to associate managed identities for Azure resources and identities in Azure Active Directory (AAD) with pods.
https://azure.github.io/azure-workload-identity
MIT License

"Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request" #699

Closed OmpahDev closed 1 year ago

OmpahDev commented 1 year ago

I have a service account connected via OIDC to a service account and it works like a charm when used for the external secrets operator:

```yaml
---
# ServiceAccount that azure-workload-identity maps to an AAD identity via
# federated credentials; the annotations select the identity and tenant.
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: <redacted>
    azure.workload.identity/tenant-id: <redacted>
  name: strongdm-secret-store-sa
  namespace: strongdm
---
# SecretStore (namespaced; assumed to be applied into the strongdm namespace
# next to the ServiceAccount, since serviceAccountRef resolves there).
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
  name: strongdm-secrets-store
spec:
  provider:
    azurekv:
      authType: WorkloadIdentity
      vaultUrl: https://<redacted>.vault.azure.net/
      serviceAccountRef:
        name: strongdm-secret-store-sa
---
# ExternalSecret: the operator itself exchanges the service account token and
# pulls the Key Vault secret; the application never talks to AAD here.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: strongdm-relay-secret
spec:
  refreshInterval: 1m
  secretStoreRef:
    name: strongdm-secrets-store
    kind: SecretStore
  target:
    creationPolicy: Owner
  dataFrom:
  - extract:
      key: sdm-node-token
```

I can then use that external secret to fetch keys from the keyvault, no problem. Works fine. But when I try to have a deployment run as the service account so it can connect to the keyvault API, like this:

```yaml
kind: Deployment
apiVersion: apps/v1
metadata:
  name: strongdm-relay-deployment
  labels:
    app: strongdm-relay
spec:
  replicas: 1
  selector:
    matchLabels:
      app: strongdm-relay
  template:
    metadata:
      labels:
        app: strongdm-relay
        # Note: the mutating webhook only injects the projected token volume and
        # the AZURE_* environment variables into workloads opted in with the
        # azure.workload.identity/use: "true" label (on the pod from v1.0.0 on,
        # on the ServiceAccount in earlier releases); it is absent here.
    spec:
      serviceAccountName: strongdm-secret-store-sa
      ....
```

the application fails to connect to the keyvault and throws the error:

```text
unable to get secrets: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://<redacted>.vault.azure.net/secrets?api-version=2016-10-01&maxresults=1: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request"} Endpoint http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fvault.azure.net
```

How do I get this to work?

aramase commented 1 year ago

@tdevopsottawa I'm not sure if external secrets supports workload identity, so this would be a question for the external secrets authors. I would recommend opening an issue here.

> Multiple user assigned identities exist, please specify the clientId / resourceId of the identity in the token request

That is an error message using managed identities without workload identity, so please open an issue in the external secrets repo so they can validate your config and provide a recommendation.

aramase commented 1 year ago

If your application is accessing the key vault API, then you would need to have the minimum required version for the azure identity SDK. The minimum required versions are documented here with samples. Hope this helps!
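The distinction in the replies above is the whole issue: the error text comes from the IMDS endpoint (169.254.169.254), which is the managed-identity path and knows nothing about the pod's service account, whereas workload identity never touches IMDS. The block below is an added example, not code from this project or from the Azure SDK, showing what a workload-identity-aware client does instead: read the variables the webhook injects (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE, AZURE_AUTHORITY_HOST), present the projected service account token to AAD as a JWT client assertion, and receive an access token for Key Vault. In real code you would use an SDK that supports this flow (for example azidentity's WorkloadIdentityCredential); the function names ConfigFromEnv and ExchangeFederatedToken here are my own. Note that client_id is part of the request, so the "multiple user assigned identities" ambiguity cannot arise on this path.

```go
package main

import (
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// WorkloadIdentityConfig holds the values the azure-workload-identity mutating
// webhook injects into an opted-in pod as environment variables.
type WorkloadIdentityConfig struct {
	ClientID      string // AZURE_CLIENT_ID: the identity/app the pod acts as
	TenantID      string // AZURE_TENANT_ID
	TokenFile     string // AZURE_FEDERATED_TOKEN_FILE: projected service account token
	AuthorityHost string // AZURE_AUTHORITY_HOST, e.g. https://login.microsoftonline.com/
}

// ConfigFromEnv reads the injected variables through getenv (os.Getenv in
// production, a map lookup in tests). A missing variable means the pod was not
// mutated by the webhook, so fail loudly rather than falling back to IMDS.
func ConfigFromEnv(getenv func(string) string) (WorkloadIdentityConfig, error) {
	cfg := WorkloadIdentityConfig{
		ClientID:      getenv("AZURE_CLIENT_ID"),
		TenantID:      getenv("AZURE_TENANT_ID"),
		TokenFile:     getenv("AZURE_FEDERATED_TOKEN_FILE"),
		AuthorityHost: getenv("AZURE_AUTHORITY_HOST"),
	}
	for _, kv := range []struct{ name, val string }{
		{"AZURE_CLIENT_ID", cfg.ClientID},
		{"AZURE_TENANT_ID", cfg.TenantID},
		{"AZURE_FEDERATED_TOKEN_FILE", cfg.TokenFile},
		{"AZURE_AUTHORITY_HOST", cfg.AuthorityHost},
	} {
		if kv.val == "" {
			return cfg, fmt.Errorf("%s is not set: pod was not mutated by the workload identity webhook", kv.name)
		}
	}
	return cfg, nil
}

type tokenResponse struct {
	AccessToken string `json:"access_token"`
	ExpiresIn   int64  `json:"expires_in"`
}

// ExchangeFederatedToken runs the OAuth 2.0 client-credentials grant with a JWT
// client assertion (RFC 7523): the projected Kubernetes service account token is
// presented to AAD, which checks it against the federated credential configured
// on the identity and returns an access token for scope. No IMDS call is made.
func ExchangeFederatedToken(ctx context.Context, client *http.Client, cfg WorkloadIdentityConfig, scope string) (string, time.Time, error) {
	assertion, err := os.ReadFile(cfg.TokenFile) // re-read per call: the kubelet rotates the projected token
	if err != nil {
		return "", time.Time{}, fmt.Errorf("read federated token: %w", err)
	}
	endpoint := strings.TrimRight(cfg.AuthorityHost, "/") + "/" + cfg.TenantID + "/oauth2/v2.0/token"
	form := url.Values{}
	form.Set("grant_type", "client_credentials")
	form.Set("client_id", cfg.ClientID)
	form.Set("scope", scope)
	form.Set("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer")
	form.Set("client_assertion", strings.TrimSpace(string(assertion)))

	req, err := http.NewRequestWithContext(ctx, http.MethodPost, endpoint, strings.NewReader(form.Encode()))
	if err != nil {
		return "", time.Time{}, err
	}
	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
	resp, err := client.Do(req)
	if err != nil {
		return "", time.Time{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return "", time.Time{}, err
	}
	if resp.StatusCode != http.StatusOK {
		return "", time.Time{}, fmt.Errorf("token request failed: %s: %s", resp.Status, body)
	}
	var tr tokenResponse
	if err := json.Unmarshal(body, &tr); err != nil || tr.AccessToken == "" {
		return "", time.Time{}, fmt.Errorf("malformed token response: %s", body)
	}
	return tr.AccessToken, time.Now().Add(time.Duration(tr.ExpiresIn) * time.Second), nil
}

func main() {
	cfg, err := ConfigFromEnv(os.Getenv)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Key Vault data-plane scope; the token is then sent as "Authorization: Bearer ..."
	// on requests to https://<vault>.vault.azure.net/.
	_, exp, err := ExchangeFederatedToken(context.Background(), http.DefaultClient, cfg, "https://vault.azure.net/.default")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("obtained Key Vault access token for client %s, expires %s\n", cfg.ClientID, exp.Format(time.RFC3339))
}
```

A quick check inside a pod that the webhook actually did its job is `env | grep ^AZURE_` together with `ls -l "$AZURE_FEDERATED_TOKEN_FILE"`; if those are empty the application is not opted in, and whatever it does next is plain managed identity through IMDS, which is exactly where the error in this issue is produced.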