aad-pod-identity icon indicating copy to clipboard operation
aad-pod-identity copied to clipboard

Published 20 hours ago verified publisher icon Azure

Some example code for using AAD Pod Identity to interact with Azure services

Open cyclelabs-ryanberger opened this issue 4 years ago • 3 comments
trafficstars

Hi, I would like to see some more examples of actually using AAD Pod Identity. I have recently stumbled upon the project, which is super awesome and using the documentation I was able to set it up on my AKS environments. But it really feels like it stops there. There is not a lot of examples of actually utilizing the tool to actually interact with Azure services. Our goal for this is to be able to configure out application to interact with Azure storage accounts (create/delete images from a container)

I think the some example use cases and demo environments (other than just spinning up a pod that shows you that your config is working, which is great) would help users be able to fully envision how this tool can help them and inspire them to bring it into their environments.

I would like to see some example code (selfishly to interact with Azure storage SDK's) and other Azure services

We for example are trying to use the Azure Blob Storage client library v12.10 in our application, and our trying to figure out how we can get this to authenticate with the AAD Pod Identity. We are spinning up pods via a Helm chart, and matching them with the label to our AzureIdentity. I see the identities being created when we spin the helm chart up that creates the pods, so that seems to be all well.

image

But we're getting this error:

[INFO] [2021-09-20 15:02:31.360] [ImageRetrievalService-akka.actor.default-dispatcher-3] [akka.event.slf4j.Slf4jLogger] [undefined] [undefined] Slf4jLogger started [INFO] [2021-09-20 15:02:37.176] [ImageRetrievalService-akka.actor.default-dispatcher-8] [com.tryonsolutions.grpc.GrpcServer] [e33ca4fcc18361d2] [11fbcd04ade88a1d] Server online at http://0:0:0:0:0:0:0:0:9000 [INFO] [2021-09-20 15:06:09.856] [parallel-1] [com.azure.identity.ManagedIdentityCredential] [undefined] [undefined] Azure Identity => Managed Identity environment: AZURE VM IMDS ENDPOINT [INFO] [2021-09-20 15:06:09.861] [parallel-1] [com.azure.identity.ManagedIdentityCredential] [undefined] [undefined] Azure Identity => getToken() result for scopes [https://storage.azure.com/.default]: SUCCESS [INFO] [2021-09-20 15:06:09.862] [parallel-1] [com.azure.core.credential.SimpleTokenCache] [undefined] [undefined] Acquired a new access token. [ERROR] [2021-09-20 15:06:10.685] [ImageRetrievalService-akka.actor.default-dispatcher-11] [akka.actor.typed.ActorSystem] [undefined] [undefined] Error processing StoreImageRequest(60e735847dd9344b8c155e63,bba6c762-cb6f-488e-826d-2ee5cdfdb9dd,1632150367608_screenshot.png,<ByteString@33ab4dc1 size=210941 contents="\211PNG\r\n\032\n\000\000\000\rIHDR\000\000\004\022\000\000\003Q\b\006\000\000\000^3\237\212\000\000\200\000IDATx^\354\335\207\273...">,UnknownFieldSet(Map())) [ERROR] [2021-09-20 15:06:10.691] [ImageRetrievalService-akka.actor.default-dispatcher-11] [akka.actor.typed.ActorSystem] [undefined] [undefined] Error storing image com.azure.storage.blob.models.BlobStorageException: If you are using a StorageSharedKeyCredential, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate method call. If you are using a SAS token, and the server returned an error message that says 'Signature did not match', you can compare the string to sign with the one generated by the SDK. To log the string to sign, pass in the context key value pair 'Azure-Storage-Log-String-To-Sign': true to the appropriate generateSas method call. Please remember to disable 'Azure-Storage-Log-String-To-Sign' before going to production as this string can potentially contain PII. Status code 403, "<?xml version="1.0" encoding="utf-8"?><Error><Code>AuthorizationPermissionMismatch</Code><Message>This request is not authorized to perform this operation using this permission. RequestId:a22cce6e-101e-002b-2731-ae5169000000 Time:2021-09-20T15:06:10.5815355Z</Message></Error>"

Does AAD Pod Identity work with this SDK? am I missing something silly? Anyways, sorry for the sort of question/enhancement request - I am just trying to figure this out.

Thanks a ton.

cyclelabs-ryanberger avatar Sep 20 '21 15:09 cyclelabs-ryanberger

I have never seen this error before but I suspected it's an SDK-related error. aad-pod-identity should work with all of the Azure SDKs that support Managed Identity. DefaultAzureIdentity is a common way to authenticate your application via managed identity in C#, which most of the Azure resource clients accept in their constructor. You can check out this example of how to interact with Azure storage with managed identity.

chewong avatar Sep 20 '21 16:09 chewong

Hi @chewong

That article helped us move forward a bit. Thank you so much for your help. I'll update back here when we're 100% in the clear and utilizing the MIC.

cyclelabs-ryanberger avatar Sep 20 '21 17:09 cyclelabs-ryanberger

If you are using network policies to filter egress traffic from pods, then this might help you: Token requests calls fail with i/o timeout

rafagsiqueira avatar Sep 20 '21 20:09 rafagsiqueira

Hello @ryanberger-az

Were you able to sort out that error while using pod ID for blob?

ajbisht avatar Dec 06 '22 13:12 ajbisht