fix: Invalid Azure Scope #231
Conversation
|
@relu Added more information and my sign-off. |
|
Hey @s-bauer, The scope works okay. What is needed is to install AAD Pod Identity, create Azure identity and azure identity binding, then add a |
|
@somtochiama Yea I know this is supposed to be used with the pod identity, but as it has several limitations and there is a pod identity v2 coming, I want to avoid using it at the moment. I've applied a Kustomize patch to the image-reflector-controller to add the The only thing that didn't work is the scope as the url ("https://management.azure.com/") is simply not a valid scope for AAD. I'm not sure why pod identity works with that scope. If you have an environment with pod-identity, can you please check if it is also working correctly with the "/.default" suffix? |
|
I have verified that this scope works with aad pod identity too |
|
Awesome! BTW, just seen about "Azure Workload Identity" which is replacing pod identity and now available in preview: https://azure.github.io/azure-workload-identity/docs/introduction.html |
|
I've done some tests with the new Azure Workload Identity package and unfortunately it's not yet working with the image-reflector-controller. This is due to the reason that the azure identity library for go does not yet support authentication using federated identities yet (Tracked in Azure/azure-sdk-for-go#15615). A workaround would be to use msal like the example at https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go or to simply wait until the azure identity sdk for go is updated. |
|
@s-bauer I caught up with @hiddeco on this and we agreed on merging this PR to fix the Azure Scope issue, and then add support for Azure Workload Identity as a separate issue. Can you rebase this PR please? |
Azure requires a full scope and not only the URL to be able to acquire a token. As the flow uses application permissions and not delegate permissions, the scope needs to end in "/.default" as described in https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#request-the-permissions-in-the-app-registration-portal Signed-off-by: Simon Bauer <bauer-s-public@outlook.com>
|
Done! |
|
Thank you @s-bauer 🙇 |
The scope is missing a
/.defaultat the end and thereby prevented me from acquiring a valid access token.Azure requires a full scope and not only the URL to be able to acquire a token. As the flow uses application permissions and not delegate permissions, the scope needs to end in "/.default" as described in https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#request-the-permissions-in-the-app-registration-portal