
Maximum of 20 federated identity credentials per Azure AD Application/Managed identity

Open aramase opened this issue 2 years ago • 7 comments

xref: https://learn.microsoft.com/en-us/graph/api/resources/federatedidentitycredentials-overview?view=graph-rest-1.0#design-considerations

aramase avatar Sep 28 '22 21:09 aramase

This document appears to imply that an AKS cluster can only have 20 federated identities per AKS cluster, is that correct?

https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview#limitations

Or, based on the document you linked above can we have as many managed identities as we like federated into AKS, but each of them can only have 20 federated credentials attached?

Thanks

danbrad avatar Oct 03 '22 21:10 danbrad

Or, based on the document you linked above can we have as many managed identities as we like federated into AKS, but each of them can only have 20 federated credentials attached?

It's 20 federated credentials per Azure AD App/managed identity.

aramase avatar Oct 03 '22 21:10 aramase

Great, thank you!

danbrad avatar Oct 03 '22 21:10 danbrad

Hi @aramase, we have the following question about this limitation: for now, we have multiple (more than 20) namespaces in AKS. Within all of these namespaces, we need to access Azure resources. However, we hope to only assign credentials in a single 3rd-party app; we don't want to create multiple 3rd-party apps. How can we achieve it?

pockyhe avatar Mar 06 '23 07:03 pockyhe

Hi @aramase, we have the following question about this limitation: for now, we have multiple (more than 20) namespaces in AKS. Within all of these namespaces, we need to access Azure resources. However, we hope to only assign credentials in a single 3rd-party app; we don't want to create multiple 3rd-party apps. How can we achieve it?

@pockyhe If you need to use the identity with more than 20 federated identity credentials, it is not possible because of this limitation. You'll need to create another identity.

In the future, this could be supported with wildcards in federated identity credentials. Could you add your scenario and details to this issue? This is a growing list of setups and requirements that the AAD team is looking at as part of supporting wildcards.

cc @udayxhegde

aramase avatar Mar 06 '23 18:03 aramase
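The two answers above (20 federated identity credentials per app or managed identity, and "create another identity" once you need more) translate into a small planning step that is worth doing before you start issuing `az` commands. The script below is an added example, not code from azure-workload-identity or from anyone in this thread: it derives the `system:serviceaccount:<namespace>:<service-account>` subject the AKS OIDC issuer puts in projected tokens, packs those subjects into as few managed identities as the limit allows, refuses to proceed if any identity would end up over 20, and prints the `az identity federated-credential create` lines. The identity naming scheme (`<base>-0`, `<base>-1`, ...), the credential-name sanitising rule, the resource group and the issuer URL are this example's own assumptions; check the flags against your CLI version.

```python
"""Plan federated identity credentials (FICs) for AKS workload identity under the
20-per-identity limit discussed in this issue. Added example, not project code."""
import re
from typing import Dict, List

MAX_FICS_PER_IDENTITY = 20               # the Azure AD limit quoted in the thread
AUDIENCE = "api://AzureADTokenExchange"  # default audience used by workload identity


def subject_for(namespace: str, service_account: str) -> str:
    """Subject claim the AKS OIDC issuer places in a projected service-account token."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def fic_name(subject: str) -> str:
    """Derive a credential name from the subject. Keeping to letters, digits, '-'
    and '_' is this example's assumption; confirm the naming rules for your tenant."""
    body = re.sub(r"[^A-Za-z0-9_-]+", "-", subject.removeprefix("system:serviceaccount:"))
    return ("fic-" + body)[:120]


def plan_identities(subjects: List[str], base_name: str) -> Dict[str, List[str]]:
    """Split subjects into as few identities as MAX_FICS_PER_IDENTITY allows.

    Returns {identity_name: [subject, ...]}. Identities are named base_name-0,
    base_name-1, ... (naming scheme chosen for this example). Duplicate subjects
    are dropped: a second FIC with the same issuer+subject adds nothing."""
    unique = sorted(set(subjects))
    plan: Dict[str, List[str]] = {}
    for i in range(0, len(unique), MAX_FICS_PER_IDENTITY):
        plan[f"{base_name}-{i // MAX_FICS_PER_IDENTITY}"] = unique[i:i + MAX_FICS_PER_IDENTITY]
    return plan


def validate_plan(plan: Dict[str, List[str]]) -> None:
    """Fail before any az call if some identity would exceed the limit."""
    for identity, subs in plan.items():
        if len(subs) > MAX_FICS_PER_IDENTITY:
            raise ValueError(f"{identity}: {len(subs)} credentials > {MAX_FICS_PER_IDENTITY}")


def render_az_commands(plan: Dict[str, List[str]], resource_group: str, issuer: str) -> List[str]:
    """az CLI lines that create each identity and its FICs.
    Command shape follows 'az identity federated-credential create'; verify flags locally."""
    validate_plan(plan)
    lines: List[str] = []
    for identity, subs in plan.items():
        lines.append(f"az identity create --name {identity} --resource-group {resource_group}")
        for s in subs:
            lines.append(
                "az identity federated-credential create"
                f" --name {fic_name(s)} --identity-name {identity}"
                f" --resource-group {resource_group} --issuer {issuer}"
                f" --subject {s} --audiences {AUDIENCE}"
            )
    return lines


if __name__ == "__main__":
    # Constructed input: 25 namespaces with one 'workload' service account each,
    # i.e. five more than a single identity can hold.
    subs = [subject_for(f"team-{n:02d}", "workload") for n in range(25)]
    plan = plan_identities(subs, "shared-app-identity")   # -> two identities (20 + 5)
    for line in render_az_commands(plan, "rg-aks", "https://example.invalid/oidc"):
        print(line)
```

Each Kubernetes service account then carries the `azure.workload.identity/client-id` annotation of whichever identity its subject landed in, and every identity needs the same role assignments, so keep the plan output under version control or the mapping drifts the next time a namespace is added.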

Hi, the wildcard feature is delayed for 2 years already, can you please increase the limit to 200?

eyal-moscovici avatar Apr 15 '24 12:04 eyal-moscovici