Using Managed Identity in container workloads #960
Comments
@tomkerkhove, thanks for reporting this issue. Currently, fluent .NET SDK doesn't support the feature yet. And
Thanks for responding. Is there any ETA to support this or are you waiting for AKS to make it GA? Please note that AAD Pod Identity is a different feature that brings MI to a pod-level.
@tomkerkhove We will need to check with AKS and see what their plan is. Meanwhile, if this is blocking you, consider using the other tools in the documentation :)
I presume you are referring to https://github.com/Azure/azure-libraries-for-net/blob/master/AUTH.md#using-azurecredentials then? Thanks for checking!
@tomkerkhove yes, also if it's convenient for you to use Azure CLI, the managed identities for AKS can be accessed via Azure CLI commands (https://docs.microsoft.com/en-us/azure/aks/use-managed-identity) as previously mentioned
Any updates on this issue? It's a bit of a mess needing to mix and match both system-assigned identities and a service principal simply because the client library is behind.
Bump, any update on this?
@tomkerkhove Just want to clarify with you what you want is:
If it is 1, I think maybe you can use ARM Template to reach the same effect.

```csharp
using System.IO;                                                  // File.ReadAllText
using Microsoft.Azure.Management.ResourceManager.Fluent.Core;     // Region

// `azure` is an already authenticated IAzure client (not shown in this comment).
var region = Region.USEast;
var rg = "randomGroup";
var dnsPrefix = "randomDns123456";

// Create the user-assigned identity (and its resource group) first.
var identity = azure.Identities.Define("randomIdentity")
    .WithRegion(region)
    .WithNewResourceGroup(rg)
    .Create();

// Deploy the ARM template, passing the identity's resource id and the DNS prefix as parameters.
azure.Deployments.Define("lkjslkjd")
    .WithExistingResourceGroup(rg)
    .WithTemplate(File.ReadAllText("azuredeploy.txt"))
    .WithParameters($"{{\"identityId\": {{\"value\": \"{identity.Id}\"}}, \"dnsPrefix\": {{\"value\": \"{dnsPrefix}\"}}}}")
    .WithMode(Microsoft.Azure.Management.ResourceManager.Fluent.Models.DeploymentMode.Complete)
    .Create();
```

The azuredeploy.txt is attached, which would contain identity parts like:

If it is 2 or 3, is there any other tool you have used to reach the same effect? If so, could you provide me those steps about it?
@tomkerkhove After my testing, since AKS uses VMSS as its backend. The auth type could be Due to the API will be in the new version SDK, you could build the SDK on your own or just wait for our new SDK release (may be 1.37.0). Hopefully it could help you. Thanks.
I'm mainly looking for scenario 2) to connect to Azure APIs by using MSI & AAD Pod Identity. I've used this with Service Bus and other SDKs but am looking to use it for querying Azure Monitor & Azure Resource Graph for http://promitor.io/.
So if I use this today with
Can you elaborate on what SDK you mean here because there are a few? The Fluent API or the new new one?
@tomkerkhove If you are looking for [2], which means you have already set up [1]. (But from what you said, I think you may want [3]? Almost, they are similar.) Then, it doesn't depend on any new SDK, you could use the current SDK to do authentication. Just look at the document: https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity, or my sample for you already has AKS identity.
Yes, it works as long as your agent pool is
You can see the above PR, it will update the Fluent SDK, but you need to use the raw API rather than the Fluent Interface for [1]. (All updates are for [1], you may not need it.)
Query/Question
We are looking to add support for Managed Identity (MI), previously known as Managed Service Identity (MSI), to our application which is running in a Linux container.
As it will be hosted on Kubernetes, we'll use AAD Pod Identity.
However, it's not clear how we should approach this with the current version of the library.
`FromMSI` requires us to pass `MSIResourceType` via `MSILoginInformation` but it only allows us to specify App Service & Virtual Machines, same for `FromSystemAssignedManagedServiceIdentity` & `FromUserAssigedManagedServiceIdentity`.
Is there a way to implement this or is it not supported yet?
Why is this not a Bug or a feature Request?
I'm merely looking how to approach Managed Identity authentication.
Setup (please complete the following information if applicable):
Information Checklist
Kindly make sure that you have added all the following information above and check off the required fields, otherwise we will treat the issue as an incomplete report
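As an added example (not code from this thread or from the SDK's maintainers), this is one way the pod-side authentication asked about above can look with the Fluent SDK's existing `FromMSI` factory, so no service principal secret has to be mounted into the container. It assumes that AAD Pod Identity answers the VM-style metadata endpoint from inside the pod, so `MSIResourceType.VirtualMachine` is used; the environment variable names `MI_CLIENT_ID` and `AZURE_SUBSCRIPTION_ID` are hypothetical.

```csharp
using System;
using Microsoft.Azure.Management.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Authentication;

public static class PodIdentityAuth
{
    // Hypothetical environment variable names, chosen for this example only.
    private const string ClientIdVar = "MI_CLIENT_ID";
    private const string SubscriptionVar = "AZURE_SUBSCRIPTION_ID";

    public static IAzure Connect()
    {
        var subscriptionId = Environment.GetEnvironmentVariable(SubscriptionVar)
            ?? throw new InvalidOperationException($"{SubscriptionVar} is not set");

        // Assumption: pod identity serves the VM-style metadata endpoint,
        // so the VirtualMachine resource type is used from inside the pod.
        var login = new MSILoginInformation(MSIResourceType.VirtualMachine);

        // User-assigned identity: select it by client id.
        // Leave the variable unset to fall back to the system-assigned identity.
        var clientId = Environment.GetEnvironmentVariable(ClientIdVar);
        if (!string.IsNullOrWhiteSpace(clientId))
        {
            login.UserAssignedIdentityClientId = clientId;
        }

        AzureCredentials credentials = SdkContext.AzureCredentialsFactory
            .FromMSI(login, AzureEnvironment.AzureGlobalCloud);

        return Azure.Configure()
            .Authenticate(credentials)
            .WithSubscription(subscriptionId);
    }

    public static void Main()
    {
        var azure = Connect();
        // Fails here if no token can be obtained or the identity has no read access.
        foreach (var group in azure.ResourceGroups.List())
        {
            Console.WriteLine(group.Name);
        }
    }
}
```

Granting the identity only the roles it needs on the target scope (for example Reader for listing resource groups) keeps the blast radius of a compromised pod small.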