(feat): Azure MSI authentication

[lukasmrtvy]

Would be nice to support Azure MSI authentication ( https://www.terraform.io/docs/providers/azurerm/guides/managed_service_identity.html#what-is-a-managed-identity- )

Related issues:

• [Proposal] Use System Managed Identity OR User Managed Identity for AKSCluster #292
• Investigate using Azure Identity over autorest #322

[chaholl]

I also have this requirement and looked at what's involved in implementing it - seems pretty straightforward. However, the only question is how it should be configured?

Managed Service Identity is supported by go-autorest so all we need is some conditional logic to determine which config to pass to Authorizer. Does this become another source in ProviderConfig or a particular value in an existing config file eg. clientId: msi as is used in various place in Azure.

[muvaf]

Does this become another source in ProviderConfig or a particular value in an existing config file eg. clientId: msi as is used in various place in Azure.

If I understand it correctly, yes. You can take a look at AWS IRSA implementation as reference https://github.com/crossplane/provider-aws/blob/master/pkg/clients/aws.go#L100

[schdief]

doesn't seem to me like a nice feature, but a necessary change:

• Investigate using Azure Identity over autorest #322
• [Proposal] Use System Managed Identity OR User Managed Identity for AKSCluster #292

today I tried my first steps with crossplane on azure and it stopped pretty soon, since my company doesn't allow the creation of service principals, I can request one centrally, but it won't have Owner permissions, so nevertheless crossplane wouldn't be able to create its own service principals

[Crazyigor1987]

We're also facing the problem, that our company doesn't allow to create service principals. So the way of using Managed Identities is a required one. Are there any plans or discussions to implement the feature soon?

[jacksonicson]

Same here, we need to use Managed Identities. Any feedback on feature implementation plans would be helpful.

[nishant221]

Any estimates on the time by when this will be available?

[ahilmathew]

This would really nice. Need this to start using Crossplane

[jbw976]

Is there any chance that https://github.com/upbound/provider-azure/ would cover your use cases? 🙏

See https://github.com/upbound/provider-azure/blob/main/AUTHENTICATION.md for specifics around authentication

[callum-stakater]

the usage of User Assigned Managed Identity as described in https://github.com/upbound/provider-azure/blob/main/AUTHENTICATION.md is fundamentally broken as it depends on extending Kubelets permissions way beyond the scope of what it should have

the point of using a UAMI with the azure provider is to have the providers kubernetes serviceaccount linked to a dedicated UAMI that has the required permissions to provision the desired infrastructure, kubelets identity should be absolutely nowhere in scope

it should be possible to have multiple azure provider configs each bound to their own kubernetes SA each with their own dedicated UAMI with different permission sets for different tenants/usecases