Channels
#azure
Title
t
thankful-thailand-77405
08/10/2023, 6:57 AMHello all,
I am trying to configure pulumi-azure-native to authenticate to azure AD, using workload identity (~pulumi plugin being run from within aks cluster and manages other azure infra resources).
I cannot manage to migrate from a aad-pod-identity setup to a workload identity, I am following this: azure-native/installation-configuration/#authenticate-using-managed-service-identity-msi
Has anybody managed to make this setup work? My guess is ADAL deprecated lib is being used instead of MSAL for this, but I am no expert on how Pulumi works under the hood.
This is the error I get
Copy code
pulumi:pulumi:Stack (operator-environment.artigas-int.shared):
error: an unhandled error occurred: 1 error occurred:
* failed to lookup PostgreSQL server: rpc error: code = Unknown desc = invocation of azure-native:dbforpostgresql/v20210601preview:getServer returned an error: request failed /subscriptions/<****>/resourceGroups/default/providers/Microsoft.DBforPostgreSQL/flexibleServers/fr-test-4: azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to <https://management.azure.com/subscriptions/><****>/resourceGroups/default/providers/Microsoft.DBforPostgreSQL/flexibleServers/fr-test-4?api-version=2021-06-01-preview: StatusCode=404 -- Original Error: adal: Refresh request failed. Status Code = '404'. Response body: getting assigned identities for pod operator/operator-controller-manager-6fc967455-5rsls in CREATED state failed after 16 attempts, retry duration [5[]s, error: <nil>. Check MIC pod logs for identity assignment errors
Endpoint <http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F>@melodic-tomato-39005 I saw you closed issues/1566 yesteday, is ADAL deprecation coming to the plugin?
m
melodic-tomato-39005
08/13/2023, 9:29 PMHi @thankful-thailand-77405, sorry you’re running into trouble here.
• What version of pulumi-azure-native are you using?
• Did you per chance set `msiEndpoint`/`ARM_MSI_ENDPOINT`?
t
thankful-thailand-77405
08/14/2023, 6:49 AMHello Thomas, thanks for replying. I am running 1.103, so one of the latest before the major version upgrade. I didnt set MSI ENPOINT, I assumed this shouldn't be touched.
m
melodic-tomato-39005
08/14/2023, 7:13 PMHi Federico, by workload identity, do you mean this and this?
I haven’t yet configured this myself. It seems different from the scenarios https://www.pulumi.com/registry/packages/azure-native/installation-configuration/#authenticate-using-managed-service-identity-msi is intended for, like running a program on a trusted VM.
The “adal” error in your logs is indeed odd, MSAL should be used. Did you set `useMsi`/`ARM_USE_MSI`?
t
thankful-thailand-77405
08/15/2023, 1:48 PMHello Thomas, I agree MSI vanilla use case is the one where Azure VMs are prepopulated w/ credentials that allow you to do "MSI" for secret-less auth of workloads.
My comprehension is that, now, with new azure identity libraries MSI auth is also possible on containers using federated workload identities, and that these libraries (like MSAL) handle the token exchange needed all under the hood
I read that this depends on the MSAL version being used though..
What troubles me now, is that today I testing a new setup, where I try to do simple a
pulumi loginmeaning either I am mis-understanding this workload id auth thing, or that pulumi cli has the same issue azure-native for auth
cc @bored-spoon-83710
@melodic-tomato-39005 we noticed today that azidentity has not been updated for a while https://github.com/pulumi/pulumi-azure-native/blob/master/provider/go.mod#L45 which is reason why MSI auth not working when running azure-native as k8s workloads. The workload identity requries = azidentity v1.3.0> , we would happily contribute to this. How should we proceed?
Please note that aad-pod-identity (previous solution to workload identity), has been deprecated quite abruptly and AKS drops add on support this month: