hashicorp / consul

Consul is a distributed, highly available, and data center aware solution to connect and configure applications across dynamic, distributed infrastructure.
https://www.consul.io

Allow specifying user-assigned identity id when using Azure auto-join and MSI #9754

Open jhitt25 opened 3 years ago

jhitt25 commented 3 years ago

Feature Description

When using managed identities with Azure cloud auto-join, the auto-join will not work if multiple user-assigned identities exist on the machine. Per Microsoft documentation: "If system assigned managed identity is not enabled, and multiple user assigned managed identities exist, then specifying a managed identity in the request is required." In this instance, Consul is unable to obtain an authorization token because the identity id cannot be specified and a default no longer exists.

Use Case(s)

We were intending to leverage Consul on our Nomad cluster, as well as on legacy systems. As such, we created two managed identities - one for a Consul client and one for Nomad clients that needed additional access for Azure CSI plugins. On our Nomad clients we added both of these identities to new machines, causing a failure to join the existing Consul cluster.
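The token request behind this report, as an added example (not code from Consul, go-discovery or go-autorest): it builds the Azure IMDS managed-identity request with and without the `client_id` query parameter and runs both through a local stub. The stub handler, its error text and the client ID strings are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// Azure IMDS token endpoint (link-local, reachable only from inside a VM).
const imdsTokenURL = "http://169.254.169.254/metadata/identity/oauth2/token"

// newTokenRequest leaves identity selection to IMDS when clientID is empty.
func newTokenRequest(resource, clientID string) (*http.Request, error) {
	q := url.Values{"api-version": {"2018-02-01"}, "resource": {resource}}
	if clientID != "" {
		q.Set("client_id", clientID) // pin one user-assigned identity
	}
	req, err := http.NewRequest(http.MethodGet, imdsTokenURL+"?"+q.Encode(), nil)
	if err == nil {
		req.Header.Set("Metadata", "true") // IMDS requires this header
	}
	return req, err
}

// stubIMDS is a constructed stand-in for a VM with several user-assigned
// identities and no system-assigned one (not a faithful IMDS emulation).
func stubIMDS(attached map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id := r.URL.Query().Get("client_id")
		if r.Header.Get("Metadata") != "true" || !attached[id] {
			http.Error(w, "identity must be specified", http.StatusBadRequest)
			return
		}
		fmt.Fprint(w, `{"access_token":"constructed-token"}`)
	})
}

// tokenStatus runs one request through the stub, offline, and returns the status.
func tokenStatus(imds http.Handler, clientID string) int {
	req, err := newTokenRequest("https://management.azure.com/", clientID)
	if err != nil {
		return 0
	}
	rec := httptest.NewRecorder()
	imds.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	imds := stubIMDS(map[string]bool{"consul-client-id": true, "nomad-client-id": true})
	fmt.Println(tokenStatus(imds, ""), tokenStatus(imds, "consul-client-id")) // 400 200
}
```

Naming the identity per request also keeps each service on the identity provisioned for it, rather than on whichever one the platform would pick by default.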

sebastianreloaded commented 3 years ago

Since I have the same problem with Azure and multiple user-assigned identities: I'm confused, is the lack of support for multiple identities due to hashicorp/consul, hashicorp/go-discovery or Azure/go-autorest?