azure-service-operator icon indicating copy to clipboard operation
azure-service-operator copied to clipboard
verified publisher icon Azure

Improve single-operator multitenancy credential management for Workload Identity

Open matthchr opened this issue 5 months ago • 3 comments

Describe the current behavior

For workload identity in particular, if the user was able to discover the credential details (clientID/etc) via the Azure API and create their own copy of the secret in their namespace, they can use that secret because the FederatedIdentityCredential is for system:serviceaccount:azure-service-operator:azureserviceoperator-default.

Describe the improvement

I think we may be able to harden the single-operator multitenancy against this case by optionally allowing serviceaccount impersonation and allowing you to configure ASO such that it doesn't use its own SA directly to token-exchange with Azure, instead it impersonates a configured SA in the target namespace and uses that SA token -- would need to do more investigation into how exactly this would all work though.

matthchr avatar Jul 07 '25 23:07 matthchr

See where this came up: #4807

matthchr avatar Jul 07 '25 23:07 matthchr

What is the ETA on this? The current implementation of how the workload identity authentication scope works is not acceptable to use from a security perspective where the cluster is shared between different teams.

oysteinje avatar Jul 15 '25 07:07 oysteinje

Ping from my side, too. This is really a security concern and an relatively easy privilege escalation.

boomer41 avatar Dec 06 '25 11:12 boomer41