
(feat): Azure MSI authentication

Open lukasmrtvy opened this issue 5 years ago • 9 comments

Would be nice to support Azure MSI authentication ( https://www.terraform.io/docs/providers/azurerm/guides/managed_service_identity.html#what-is-a-managed-identity- )

Related issues:

  • [ ] https://github.com/crossplane/provider-azure/issues/292
  • [ ] https://github.com/crossplane/provider-azure/issues/322

lukasmrtvy avatar Aug 26 '20 16:08 lukasmrtvy

I also have this requirement and looked at what's involved in implementing it - it seems pretty straightforward. However, the only question is how it should be configured.

Managed Service Identity is supported by go-autorest, so all we need is some conditional logic to determine which config to pass to Authorizer. Does this become another source in ProviderConfig, or a particular value in an existing config file, e.g. clientId: msi, as is used in various places in Azure?

chaholl avatar Mar 17 '21 17:03 chaholl

Does this become another source in ProviderConfig, or a particular value in an existing config file, e.g. clientId: msi, as is used in various places in Azure?

If I understand it correctly, yes. You can take a look at the AWS IRSA implementation as a reference: https://github.com/crossplane/provider-aws/blob/master/pkg/clients/aws.go#L100

muvaf avatar Mar 24 '21 10:03 muvaf
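As an added example (not code from provider-azure or go-autorest), the conditional logic discussed in the two comments above, written in Go: it parses the credentials JSON the provider already consumes, treats clientId: msi as the switch to managed-identity auth, and otherwise insists on the service-principal fields. The JSON field names, the rule that rejects a clientSecret next to the msi sentinel, and the sample values are this example's assumptions; real code would hand the result to go-autorest's auth.NewMSIConfig() or auth.NewClientCredentialsConfig().

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)
// AuthMode names the go-autorest config to build: ClientCredentialsConfig or MSIConfig.
type AuthMode int
const (
	ModeClientCredentials AuthMode = iota
	ModeMSI
)
// Creds mirrors the credentials JSON the provider already reads
// (`az ad sp create-for-rbac --sdk-auth` layout); only the fields used here are listed.
type Creds struct {
	ClientID       string `json:"clientId"`
	ClientSecret   string `json:"clientSecret"`
	TenantID       string `json:"tenantId"`
	SubscriptionID string `json:"subscriptionId"`
}
// SelectAuth applies the proposed "clientId: msi" convention: that sentinel selects managed-identity
// auth; any other value is a service principal and needs the full set of client-credential fields.
func SelectAuth(raw []byte) (AuthMode, Creds, error) {
	var c Creds
	if err := json.Unmarshal(raw, &c); err != nil {
		return 0, c, fmt.Errorf("parse credentials: %w", err)
	}
	if c.SubscriptionID == "" {
		return 0, c, errors.New("subscriptionId is required in every mode")
	}
	if strings.EqualFold(c.ClientID, "msi") {
		// Assumption of this example: MSI tokens come from the instance metadata endpoint,
		// so a clientSecret beside the sentinel is rejected as a mis-pasted file.
		if c.ClientSecret != "" {
			return 0, c, errors.New(`clientId "msi" must not be combined with clientSecret`)
		}
		return ModeMSI, c, nil
	}
	if c.ClientID == "" || c.ClientSecret == "" || c.TenantID == "" {
		return 0, c, errors.New("service principal auth needs clientId, clientSecret and tenantId")
	}
	return ModeClientCredentials, c, nil
}

func main() {
	mode, _, err := SelectAuth([]byte(`{"clientId":"msi","subscriptionId":"11111111-1111-1111-1111-111111111111"}`)) // constructed sample
	fmt.Println(mode == ModeMSI, err) // true <nil>
}
```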

This doesn't seem to me like a nice feature, but a necessary change:

  • https://github.com/crossplane/provider-azure/issues/322
  • https://github.com/crossplane/provider-azure/issues/292

Today I tried my first steps with Crossplane on Azure and it stopped pretty soon, since my company doesn't allow the creation of service principals. I can request one centrally, but it won't have Owner permissions, so Crossplane still wouldn't be able to create its own service principals.

schdief avatar Feb 10 '22 07:02 schdief

We're also facing the problem that our company doesn't allow creating service principals. So using Managed Identities is the required way. Are there any plans or discussions to implement the feature soon?

Crazyigor1987 avatar Mar 01 '22 12:03 Crazyigor1987

Same here, we need to use Managed Identities. Any feedback on feature implementation plans would be helpful.

jacksonicson avatar Mar 08 '22 08:03 jacksonicson

Any estimates on the time by when this will be available?

nishant221 avatar Feb 15 '23 11:02 nishant221

This would be really nice. Need this to start using Crossplane.

ahilmathew avatar Apr 24 '23 20:04 ahilmathew

Is there any chance that https://github.com/upbound/provider-azure/ would cover your use cases? 🙏

See https://github.com/upbound/provider-azure/blob/main/AUTHENTICATION.md for specifics around authentication.

jbw976 avatar Apr 26 '23 17:04 jbw976

The usage of a User Assigned Managed Identity as described in https://github.com/upbound/provider-azure/blob/main/AUTHENTICATION.md is fundamentally broken, as it depends on extending the kubelet's permissions way beyond the scope of what it should have.

The point of using a UAMI with the Azure provider is to have the provider's Kubernetes ServiceAccount linked to a dedicated UAMI that has the required permissions to provision the desired infrastructure; the kubelet's identity should be absolutely nowhere in scope.

It should be possible to have multiple Azure provider configs, each bound to its own Kubernetes SA, each with its own dedicated UAMI with different permission sets for different tenants/use cases.

callum-stakater avatar Dec 18 '23 13:12 callum-stakater