Open lukasmrtvy opened 4 years ago
I also have this requirement and looked at what's involved in implementing it - seems pretty straightforward. However, the only question is how it should be configured?
Managed Service Identity is supported by go-autorest, so all we need is some conditional logic to determine which config to pass to the Authorizer. Does this become another source in ProviderConfig, or a particular value in an existing config file, e.g. clientId: msi, as is used in various places in Azure?
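The two configuration options raised in the comment above (a dedicated credentials source on the ProviderConfig, or a sentinel `clientId: msi` in the existing credentials JSON), sketched as the conditional logic that would sit in front of go-autorest. This is an added example, not code from the crossplane/provider-azure project; the JSON field names, the source names `Secret`/`ManagedIdentity` and the `msi` sentinel are assumptions. The result only names which go-autorest config to build (`auth.NewMSIConfig` or `auth.NewClientCredentialsConfig`); the actual authorizer construction is left as a comment so the block runs with the standard library alone.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// AuthMode names the go-autorest authorizer the provider would build.
type AuthMode string

const (
	ModeClientSecret    AuthMode = "client-secret"    // auth.NewClientCredentialsConfig(clientID, secret, tenantID)
	ModeManagedIdentity AuthMode = "managed-identity" // auth.NewMSIConfig()
)

// msiSentinel is the special clientId value proposed in the thread (assumption).
const msiSentinel = "msi"

// Credentials mirrors the JSON blob a ProviderConfig secret carries.
// Field names are assumptions for this example.
type Credentials struct {
	ClientID       string `json:"clientId"`
	ClientSecret   string `json:"clientSecret,omitempty"`
	TenantID       string `json:"tenantId,omitempty"`
	SubscriptionID string `json:"subscriptionId"`
}

// AuthChoice is the outcome of the conditional logic.
type AuthChoice struct {
	Mode           AuthMode
	SubscriptionID string
	Creds          Credentials // only populated for ModeClientSecret
}

// ResolveAuth implements the second option: the credentials file stays as it
// is, and "clientId": "msi" switches the provider to managed identity.
func ResolveAuth(raw []byte) (AuthChoice, error) {
	var c Credentials
	if err := json.Unmarshal(raw, &c); err != nil {
		return AuthChoice{}, fmt.Errorf("parsing credentials: %w", err)
	}
	if c.SubscriptionID == "" {
		return AuthChoice{}, errors.New("subscriptionId is required")
	}
	if c.ClientID == msiSentinel {
		// A secret next to "msi" is almost certainly a misconfiguration:
		// refuse it rather than silently leave a credential lying around.
		if c.ClientSecret != "" || c.TenantID != "" {
			return AuthChoice{}, errors.New("clientId \"msi\" must not be combined with clientSecret or tenantId")
		}
		return AuthChoice{Mode: ModeManagedIdentity, SubscriptionID: c.SubscriptionID}, nil
	}
	if c.ClientID == "" || c.ClientSecret == "" || c.TenantID == "" {
		return AuthChoice{}, errors.New("clientId, clientSecret and tenantId are required for service principal auth")
	}
	return AuthChoice{Mode: ModeClientSecret, SubscriptionID: c.SubscriptionID, Creds: c}, nil
}

// ResolveAuthFromSource implements the first option: an explicit credentials
// source on the ProviderConfig. The secret payload is only read for the
// Secret source; ManagedIdentity needs nothing beyond the subscription.
func ResolveAuthFromSource(source string, raw []byte, subscriptionID string) (AuthChoice, error) {
	switch source {
	case "Secret":
		return ResolveAuth(raw)
	case "ManagedIdentity":
		if subscriptionID == "" {
			return AuthChoice{}, errors.New("subscriptionId is required for ManagedIdentity source")
		}
		return AuthChoice{Mode: ModeManagedIdentity, SubscriptionID: subscriptionID}, nil
	default:
		return AuthChoice{}, fmt.Errorf("unknown credentials source %q", source)
	}
}

func main() {
	// Constructed sample: a credentials secret that opts into MSI.
	sample := []byte(`{"clientId":"msi","subscriptionId":"00000000-0000-0000-0000-000000000000"}`)
	choice, err := ResolveAuth(sample)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("mode=%s subscription=%s\n", choice.Mode, choice.SubscriptionID)
}
```

Whichever shape is chosen, the useful property is the same: the managed-identity path never touches a client secret, so a secret that is present where it should not be is an error rather than something the provider quietly ignores.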
> Does this become another source in ProviderConfig or a particular value in an existing config file, e.g. clientId: msi, as is used in various places in Azure?
If I understand it correctly, yes. You can take a look at AWS IRSA implementation as reference https://github.com/crossplane/provider-aws/blob/master/pkg/clients/aws.go#L100
This doesn't seem to me like a nice feature, but a necessary change:
today I tried my first steps with Crossplane on Azure and it stopped pretty soon, since my company doesn't allow the creation of service principals. I can request one centrally, but it won't have Owner permissions, so Crossplane wouldn't be able to create its own service principals anyway.
We're also facing the problem that our company doesn't allow creating service principals. So using Managed Identities is required for us. Are there any plans or discussions to implement the feature soon?
Same here, we need to use Managed Identities. Any feedback on feature implementation plans would be helpful.
Any estimates on the time by when this will be available?
This would be really nice. We need this to start using Crossplane.
Is there any chance that https://github.com/upbound/provider-azure/ would cover your use cases? 🙏
See https://github.com/upbound/provider-azure/blob/main/AUTHENTICATION.md for specifics around authentication
The usage of a User Assigned Managed Identity as described in https://github.com/upbound/provider-azure/blob/main/AUTHENTICATION.md is fundamentally broken, as it depends on extending the kubelet's permissions way beyond the scope of what it should have.
The point of using a UAMI with the Azure provider is to have the provider's Kubernetes service account linked to a dedicated UAMI that has the required permissions to provision the desired infrastructure; the kubelet's identity should be absolutely nowhere in scope.
It should be possible to have multiple Azure provider configs, each bound to their own Kubernetes SA, each with their own dedicated UAMI with different permission sets for different tenants/use cases.
Would be nice to support Azure MSI authentication (https://www.terraform.io/docs/providers/azurerm/guides/managed_service_identity.html#what-is-a-managed-identity-)
Related issues: