Azure Workload Identity

[dks0296586]

Has anyone configured Promitor to use Azure Workload Identity in place of aad-pod-identity?

I've been trying to get it setup based on the azwi quick start docs and made a fair amount of progress.
The problem is I am getting the following error on Promitor resource discovery startup:

Microsoft.Identity.Client.MsalServiceException: AADSTS70021: No matching federated identity record found for presented assertion. Assertion Issuer: 'https://eastus.xxxx.xxxxxx.azure.com/xxxxxxx/xxxxxxxxx/'. Assertion Subject: 'system:serviceaccount:promitor:workload-identity-sa'. Assertion Audience: 'api://AzureADTokenExchange'. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation

I've checked the issuer url in the federated credential has the trailing '/' like called out in thr AZWI troubleshooting steps, but not having any luck.

I've tried letting the helm chart create and label/annotate a service account and I've also created a service account manually, and neither have worked.

[tomkerkhove]

I haven't tried it myself but feel free to open a feature request

[dks0296586]

Will open a feature request now.
I think I've eliminated my setup as being the issue.
I setup the azwi quick-start and was able to get it functioning as expected. I then compared the pod injections and service account labels/annotations with my testing with resource-discovery and they all match.

I'm thinking Promitor would need some changes to account for how Workload Identity presents its tokens to work properly.