Proposal

When using UserAssignedManagedIdentity for auth, the ClientID of the Managed Identity (aka `identityId`) is currently required:

promitor/src/Promitor.Integrations.Azure/Authentication/AzureAuthenticationFactory.cs
Lines 70 to 76 in 7e7a66f

```csharp
        throw new AuthenticationException("No identity was configured for user-assigned managed identity");
    }
}
```

This becomes an issue at scale, because it requires some work to get the ClientID from the resource and put it in the configuration when deploying Promitor. Therefore, since `ManagedIdentityCredential` doesn't require ClientID (it's only required by IMDS if the VM has multiple user-assigned managed identities, but can be added by NMI when using aad-pod-identity), I suggest making it optional.

Alternatively, ResourceID should be supported in addition to ClientID (it is supported by IMDS and ManagedIdentityCredential). ResourceID is easier to pass in configuration since its value is known even prior to the creation of the resource (`/subscriptions/<subscription_id>/resourceGroups/<resource_group_name>/providers/Microsoft.ManagedIdentity/userAssignedIdentities/<identity_name>`).

Related to #2218

Component

Resource Discovery, Scraper

Contact Details

Teams :)

It is not required, it is only an issue when there's more than one user-assigned managed identity attached to the VM. And even in this case, when aad-pod-identity is used, NMI will add the client id to the request before passing it on to IMDS.
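One way the proposal above could be implemented, as an added C# example that is not Promitor's code: a hypothetical `UserAssignedIdentityCredentialBuilder` that treats `identityId` (client id) as optional, accepts a ResourceID as the alternative selector, refuses ambiguous or malformed configuration before any token request is made, and otherwise lets IMDS (or NMI under aad-pod-identity) pick the identity. It assumes Azure.Identity 1.6 or later, which added the `ManagedIdentityCredential(ResourceIdentifier)` constructor.

```csharp
using System;
using System.Text.RegularExpressions;
using Azure.Core;
using Azure.Identity;

// Hypothetical helper, not part of Promitor: builds the credential for a
// user-assigned managed identity from optional clientId / resourceId settings.
public static class UserAssignedIdentityCredentialBuilder
{
    // Shape of a user-assigned identity ARM resource id, as quoted in the proposal.
    private static readonly Regex ResourceIdPattern = new Regex(
        @"^/subscriptions/[0-9a-fA-F-]{36}/resourceGroups/[^/]+/providers/" +
        @"Microsoft\.ManagedIdentity/userAssignedIdentities/[^/]+$",
        RegexOptions.IgnoreCase);

    public static TokenCredential Build(string clientId, string resourceId)
    {
        bool hasClientId = !string.IsNullOrWhiteSpace(clientId);
        bool hasResourceId = !string.IsNullOrWhiteSpace(resourceId);

        // Fail closed on ambiguous configuration: the two selectors could
        // name different identities, and we should not silently prefer one.
        if (hasClientId && hasResourceId)
            throw new ArgumentException("Configure either identityId (client id) or resourceId, not both.");

        if (hasResourceId)
        {
            // Validate the shape before handing it to IMDS so a typo surfaces at startup.
            if (!ResourceIdPattern.IsMatch(resourceId))
                throw new ArgumentException("resourceId is not a user-assigned managed identity resource id.");
            return new ManagedIdentityCredential(new ResourceIdentifier(resourceId));
        }

        if (hasClientId)
        {
            // A client id is a GUID; reject anything else early.
            if (!Guid.TryParse(clientId, out _))
                throw new ArgumentException("identityId must be the client id (a GUID) of the identity.");
            return new ManagedIdentityCredential(clientId);
        }

        // Neither selector given: IMDS (or NMI with aad-pod-identity) chooses the identity.
        // This only succeeds when exactly one user-assigned identity is attached; with
        // several, the token request fails at runtime rather than at configuration time.
        return new ManagedIdentityCredential();
    }
}
```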