
Support single tenant azure configurations

Open Inrixia opened this issue 2 years ago • 7 comments

#16 is great and works perfectly, but if the environment is single tenant then DefaultAzureCredential will fail to authenticate with a given client secret and id:

{"level":"fatal","caller":"azure-resourcemanager-exporter/main.go:147","msg":"DefaultAzureCredential: failed to aquire a token.\nAttempted credentials:\n\tClientSecretCredential: the authority doesn't support tenants"}

Inrixia, Mar 13 '24 00:03

Any chance a fix or workaround for this is possible?

Inrixia, Mar 17 '24 05:03

@Inrixia sorry for my question, but what is a "single tenant environment"?

azure-resourcemanager-exporter is using https://github.com/Azure/azure-sdk-for-go, so if it's supported by the SDK everything should be possible. This exporter is not using its own auth method; it fully relies on the Azure SDK.

mblaschke, Mar 23 '24 22:03

No problem. I'm unsure, tbh; perhaps there is additional configuration needed that's missing, but I tried using the cloud config approach in #16 and got as far as the given error with all fields properly filled out.

Using the Node.js library for auth with a ClientSecretCredential instead of a DefaultAzureCredential works, but I had to manually specify the authority host (noted in #16) and disable host discovery.

Perhaps the issue is something to do with how DefaultAzureCredential tries to authenticate.

Inrixia, Mar 23 '24 22:03

My assumption from the given error was that there is an issue with AD not accepting the authentication request, potentially due to requiring custom scopes or something else. Getting it working in Node was finicky, so I wouldn't be surprised if it's due to a similar issue I encountered.

I might try grabbing the source and seeing if using a different config/authentication method may get it to work.

I'll update if I make any progress, I doubt there is much you'd be able to do on your end without being able to test.

Inrixia, Mar 23 '24 22:03

Can you post your configuration? Please ensure that UUIDs and secrets are masked.

mblaschke, Mar 24 '24 10:03

It's the same as #16, basically. I'll do some more tests in a few weeks when I get time and update with more info then.

Inrixia, Mar 24 '24 17:03

So I just did some more tests and am still getting this issue.

My docker compose looks like this:

services:
  azure-test:
    image: webdevops/azure-resourcemanager-exporter:23.6.1
    environment:
      AZURE_CLIENT_ID: ****
      AZURE_CLIENT_SECRET: ****
      AZURE_TENANT_ID: ****
      AZURE_SUBSCRIPTION_ID: ****
      AZURE_CLOUD_CONFIG_FILE: ****
      AZURE_ENVIRONMENT: AzurePrivate
      CONFIG: ****
... remaining config for volumes & port

My cloud-config file is in the format of #16 and is working, as logging from "caller":"armclient/client.go:85" is reporting the custom endpoints for AzureAD and ResourceManager.

When authenticating using the node.js libraries I have to manually specify scopes when calling credential.getToken() where credential is a ClientSecretCredential.

This can be handled automatically in ARM libraries by passing credentialScopes in the options when initializing an ARM client.

Perhaps it's the scopes that are causing the issue? It's the only thing different from my config that's working in Node, but the error returned stating "the authority doesn't support tenants" seems weird...

Inrixia, Apr 09 '24 01:04
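The three things this thread circles around (which scope the ARM client ends up requesting, how the authority host in the cloud-config file is interpreted, and why a tenant ID can be rejected) can be worked out offline before touching the exporter. The following Go program is an added example written for this page; it is not code from azure-resourcemanager-exporter, azure-sdk-for-go or MSAL. It assumes the AZURE_CLOUD_CONFIG_FILE is the SDK's cloud.Configuration serialised as JSON with the field names activeDirectoryAuthorityHost, services, resourceManager, audience and endpoint (an assumption; compare with the format in #16), and it restates two rules from my reading of the libraries rather than anything the thread confirms: the ARM client builds its scope as audience + "/.default", and MSAL for Go treats an authority whose first path segment is adfs as AD FS and rejects a per-request tenant on such an authority with the literal message "the authority doesn't support tenants". Verify both against the library versions actually vendored by the exporter before drawing conclusions about a particular environment.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// cloudConfig is the shape this example assumes for AZURE_CLOUD_CONFIG_FILE:
// the Azure SDK for Go's cloud.Configuration as JSON. The JSON field names
// are an assumption made here, not taken from the exporter's docs.
type cloudConfig struct {
	ActiveDirectoryAuthorityHost string                   `json:"activeDirectoryAuthorityHost"`
	Services                     map[string]serviceConfig `json:"services"`
}

type serviceConfig struct {
	Audience string `json:"audience"`
	Endpoint string `json:"endpoint"`
}

// AuthorityKind is how a token library treats the authority host.
type AuthorityKind string

const (
	AuthorityAAD  AuthorityKind = "AAD"  // Entra ID style: tenant ID is a path segment
	AuthorityADFS AuthorityKind = "ADFS" // AD FS style: no tenant segment at all
)

// Preflight is the token request a client-secret credential would make.
type Preflight struct {
	Authority     AuthorityKind
	TokenEndpoint string
	Scope         string
}

// classifyAuthority applies the rule MSAL for Go uses (as read from its
// source, an assumption here): first path segment "adfs" means AD FS,
// anything else is treated as an AAD-style authority.
func classifyAuthority(raw string) (*url.URL, AuthorityKind, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, "", err
	}
	if u.Scheme != "https" || u.Host == "" {
		return nil, "", fmt.Errorf("activeDirectoryAuthorityHost must be an absolute https URL, got %q", raw)
	}
	first := strings.SplitN(strings.Trim(u.Path, "/"), "/", 2)[0]
	if strings.EqualFold(first, "adfs") {
		return u, AuthorityADFS, nil
	}
	return u, AuthorityAAD, nil
}

// Plan parses the cloud config and works out, with no network call, which
// token endpoint and scope a ClientSecretCredential plus ARM client would use
// for the given AZURE_TENANT_ID. It reproduces the two early failures:
// a missing resourceManager service, and a tenant supplied against AD FS.
func Plan(configJSON []byte, tenantID string) (Preflight, error) {
	var cfg cloudConfig
	if err := json.Unmarshal(configJSON, &cfg); err != nil {
		return Preflight{}, fmt.Errorf("cloud config: %w", err)
	}
	u, kind, err := classifyAuthority(cfg.ActiveDirectoryAuthorityHost)
	if err != nil {
		return Preflight{}, err
	}
	rm, ok := cfg.Services["resourceManager"]
	if !ok || rm.Endpoint == "" || rm.Audience == "" {
		return Preflight{}, errors.New("cloud config: services.resourceManager needs both endpoint and audience")
	}
	// The SDK concatenates audience + "/.default"; a trailing slash on the
	// audience is trimmed here only so the derived scope reads cleanly.
	p := Preflight{Authority: kind, Scope: strings.TrimRight(rm.Audience, "/") + "/.default"}

	switch kind {
	case AuthorityADFS:
		// MSAL's implicit tenant for an AD FS authority is "adfs"; any other
		// tenant is rejected with "the authority doesn't support tenants".
		if tenantID != "" && !strings.EqualFold(tenantID, "adfs") {
			return Preflight{}, fmt.Errorf("the authority doesn't support tenants (AD FS authority %s, tenant %q)", u.Host, tenantID)
		}
		p.TokenEndpoint = "https://" + u.Host + "/adfs/oauth2/token"
	default:
		if tenantID == "" {
			return Preflight{}, errors.New("an AAD-style authority needs AZURE_TENANT_ID")
		}
		p.TokenEndpoint = "https://" + u.Host + "/" + tenantID + "/oauth2/v2.0/token"
	}
	return p, nil
}

func main() {
	// Constructed sample config for a private cloud; not a real environment.
	cfg := []byte(`{
	  "activeDirectoryAuthorityHost": "https://login.private.example",
	  "services": {
	    "resourceManager": {
	      "audience": "https://management.private.example/",
	      "endpoint": "https://management.private.example"
	    }
	  }
	}`)
	for _, tenant := range []string{"11111111-2222-3333-4444-555555555555", ""} {
		p, err := Plan(cfg, tenant)
		if err != nil {
			fmt.Printf("tenant %q -> %v\n", tenant, err)
			continue
		}
		fmt.Printf("authority=%s endpoint=%s scope=%s\n", p.Authority, p.TokenEndpoint, p.Scope)
	}
}
```

Feeding it the masked values from a real AZURE_CLOUD_CONFIG_FILE and AZURE_TENANT_ID tells you, before any container starts, whether the authority path is being read as AD FS and what scope the ARM client will request; if the scope it derives differs from the one that works in the Node.js client, that is the mismatch to chase.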