Azure / bicep-types-az

Bicep type definitions for ARM resources
MIT License

Creating federated identity fails #2024

Open Krumelur opened 1 year ago

Krumelur commented 1 year ago

Bicep version

Bicep VS Code extension v0.12.40

Describe the bug

I'm setting up an AKS cluster which uses workload identity (preview). This also involves configuring a federated identity which I can successfully set up in the portal or by running the following AZ CLI command:

az identity federated-credential create --name fedid-idcds25 --identity-name idcds25 --resource-group rg-test-cds25 --issuer https://eastus.oic.prod-aks.azure.com/7[...]6/ --subject system:serviceaccount:importer:workload-identity-sa

Trying to achieve the same result using bicep fails.

To Reproduce

The resource I'm deploying to replicate the AZ CLI command above is this:

resource symbolicname 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2022-01-31-preview' = {
  name: 'fedid-idcds25'
  parent: managedIdentity // resource reference to idcds25
  properties: {
    issuer: oidcIssuerUrl // https://eastus.oic.prod-aks.azure.com/7[...]6/
    subject: 'system:serviceaccount:importer:workload-identity-sa'
  }
}

Two things:

  1. The VS Code extension is adamant about requiring audiences as a property within properties. However, this is optional (see AZ CLI command).
  2. If I add empty audiences (like audiences: ['']), the result is a bad request during deployment.

Workaround

Set the audiences like this (undocumented; I found this out by inspecting existing resources).

audiences: [
  'api://AzureADTokenExchange'
]

alex-frankel commented 1 year ago

Even if something is defaulted in az CLI, it is not a guarantee that it is a default for the API. Where did you try to find the documentation? It would be helpful to open up a github issue on that doc page.

Krumelur commented 1 year ago

Really all I had was https://learn.microsoft.com/en-us/azure/templates/microsoft.managedidentity/userassignedidentities/federatedidentitycredentials?pivots=deployment-language-bicep. It's just saying "required" for that param but not what's expected. You're right though, better documentation would help.

johnpetersjr commented 8 months ago

Just ran into this issue today as well!

Trying to send multiple federated credentials to a single managed identity will not work. Feels like I could add a dependsOn somewhere to maybe make this work in bicep, but haven't figured out how to do that with an array (check on previous item?)

I can provide my code here if this is still an actively worked-on issue?

alex-frankel commented 8 months ago

@johnpetersjr - you might want to open up a new issue or start a Discussion. FWIW, if you need to deploy an array of resources serially, you can use the @batchSize(1) decorator:

@batchSize(1)
resource foo '...' = { ... }

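Putting the two suggestions from this thread together, as an added example that is not from the issue or the repository: one user-assigned identity with one federated credential per Kubernetes service account, created serially with @batchSize(1) and with the audiences value from the workaround above. The identity name, service accounts and issuer URL are constructed placeholders; the API version is the one used in the issue.

```bicep
// Added example (not the issue author's code). Names, namespaces and the
// issuer URL below are constructed placeholders.
@description('OIDC issuer URL of the AKS cluster (placeholder value).')
param oidcIssuerUrl string = 'https://eastus.oic.prod-aks.azure.com/<tenant-id>/<cluster-guid>/'

param location string = resourceGroup().location

// One entry per Kubernetes service account that should be able to use
// this identity; each becomes its own federated credential.
param serviceAccounts array = [
  { namespace: 'importer', name: 'workload-identity-sa' }
  { namespace: 'exporter', name: 'workload-identity-sa' }
]

resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
  name: 'idcds25'
  location: location
}

// @batchSize(1) makes the loop deploy one credential at a time; the thread
// reports that writing several credentials to the same identity in
// parallel fails. A deterministic name derived from the subject keeps a
// redeploy updating the same credential instead of creating a second one
// with the same issuer/subject pair.
@batchSize(1)
resource fedCreds 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2022-01-31-preview' = [for sa in serviceAccounts: {
  parent: managedIdentity
  name: 'fedid-${sa.namespace}-${sa.name}'
  properties: {
    issuer: oidcIssuerUrl
    subject: 'system:serviceaccount:${sa.namespace}:${sa.name}'
    // Required by the template schema; this is the audience the AKS
    // workload identity token exchange uses (see the workaround above).
    audiences: [
      'api://AzureADTokenExchange'
    ]
  }
}]

// Client ID the workload pods annotate their service account with.
output clientId string = managedIdentity.properties.clientId
```
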
johnpetersjr commented 8 months ago

@johnpetersjr - you might want to open up a new issue or start a Discussion. FWIW, if you need to deploy an array of resources serially, you can use the @batchSize(1) decorator:

@batchSize(1)
resource foo '...' = { ... }

Thanks, I found @batchSize(1) as well, but now it just seems that Bicep cannot handle the idempotency of multiple Federated Credentials on a single User Identity, i.e.:

[{"code":"Conflict","message":"Issuer and subject combination already exists for this Managed Identity."}]

I'll start up a new issue with my (not well working) code, as this is an ancient thread, thanks!