-
-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Promitor to support Azure Workload Identity with UserAssignedManagedIdentity #2218
Comments
I was able to find a workaround to get Workload Identity working by using these helm values:
azureAuthentication.identity.id needs to be set to the client id associated with the workload-identity-sa service account, so that it passes Promitor startup validation, and it needs to be the correct client id so that it doesn't override to an incorrect value when calling ManagedIdentityCredential: I have made some small changes to the AzureAuthenticationFactory to make this a little more streamlined. @tomkerkhove would you like me to submit a PR for review? |
100%, thanks a ton! |
I made an assumption that the changes/workaround config would also work for the Scraper. I was testing the Scraper and am now getting different Identity issues. Will spend some time looking at the Azure Monitor auth flow and see if I can find a resolution.
|
It looks to be due to Azure Monitor integration using There is a way to get it working with Scraper by using the Azure Workload Identity proxy sidecar |
Interesting, thanks for sharing! |
I'm having the same issue - workload-identity with resource-discovery works great using: podLabels:
azure.workload.identity/use: "true"
rbac:
serviceAccount:
create: false
name: workload-identity-sa
azureAuthentication:
mode: UserAssignedManagedIdentity but similar settings for scraper don't work (note that I have to also explicitly add the clientId for the workload identity, and provide tenantId and a default subscriptionId, or startup validation will fail): podLabels:
azure.workload.identity/use: "true"
rbac:
serviceAccount:
create: false
name: workload-identity-sa
azureAuthentication:
mode: UserAssignedManagedIdentity
identity:
id: 00000000-0000-0000-0000-000000000000
azureMetadata:
tenantId: 00000000-0000-0000-0000-000000000000
subscriptionId: 00000000-0000-0000-0000-000000000000 and I get
Unfortunately I can't get the workload identity proxy sidecar workaround to work (I think because I don't have the legacy pod identity support in my AKS cluster). I'm not a C# developer at all, but I suspect that if it were possible to get to the switch (authenticationInfo.Mode)
{
case AuthenticationMode.ServicePrincipal:
tokenCredential = new ClientSecretCredential(tenantId, authenticationInfo.IdentityId, authenticationInfo.Secret, tokenCredentialOptions);
break;
case AuthenticationMode.UserAssignedManagedIdentity:
var clientId = authenticationInfo.GetIdentityIdOrDefault();
tokenCredential = new ManagedIdentityCredential(clientId, tokenCredentialOptions);
break;
case AuthenticationMode.SystemAssignedManagedIdentity:
tokenCredential = new ManagedIdentityCredential(options:tokenCredentialOptions);
break;
default:
tokenCredential = new DefaultAzureCredential(); // <-- doesn't appear to be possible to get here, but I think this might work
break;
} (The reason I think this might work is because I've used Azure Identity's Python SDK with user-assigned managed identity and |
Based on the configuration, it should use ManagedIdentityCredential though which is reflected in the logs from above:
This is using aad identity though, not workload identity. I haven't used the proxy though, maybe @dks0296586 can help a bit on this? |
@davecaplinger
I don't believe you need to have aad-pod-identity configured to make use of the workload identity sidecar. I think since the resource discovery is working with workload identity, its just a matter of getting the sidecar proxy working correctly. |
I was missing the |
Hi, we have same problem, but using Unfortunately, this is not safe solution to add root privileges to the container. Is there any way to not use it? Why agent-scraper needs root privileges on the node? @tomkerkhove @dks0296586 any news on that? |
No, unfortunately I am not actively contributing code anymore but happy to review PRs. Learn more on https://blog.tomkerkhove.be/2023/12/09/the-future-of-promitor/ |
Hi @dks0296586 / @davecaplinger , I have raised a PR #2578 for introducing SdkDefault which will use the DefaultAzureCreds, not sure whether this will directly help but seeing from the discussion this might be relevant perhaps ! |
Proposal
With aad-pod-identity being deprecated in favor of Azure Workload Identity, Promitor should support Workload Identity.
In my testing using the current version of Resource Discovery, attempting to use Workload Identity results in the following error:
AADSTS70021: No matching federated identity record found for presented assertion.
I don't believe this is a configuration issue on my end, as I have verified the configuration using the azwi quick-start guide and got that working as expected.
Component
Resource Discovery, Scraper
Contact Details
[email protected]
The text was updated successfully, but these errors were encountered: