[Bug]: Missing InjectedIdentity in ProviderConfig #773

Open
1 task done
paulschroeder-tomtom opened this issue Jun 27, 2024 · 2 comments
Labels
bug Something isn't working needs:triage

Comments


paulschroeder-tomtom commented Jun 27, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

No response

Resource MRs required to reproduce the bug

```yaml
apiVersion: azure.upbound.io/v1beta1
kind: ProviderConfig
```

Steps to Reproduce

The documentation is inconsistent: it talks about InjectedIdentity but does not offer it as a Source.

What happened?

InjectedIdentity in particular is interesting for us, since we created a managed identity with federated credentials and bound it to a service account under which the provider should run. How can we achieve this?

We also tried:

  • UserAssignedManagedIdentity
  • SystemAssignedManagedIdentity

with the necessary info supplied (i.e. subscriptionID, tenantID, ...); after claiming a resource, the error messages are all quite similar:

```yaml
apiVersion: management.azure.upbound.io/v1beta1
kind: ManagementGroup
metadata:
...
  name: xp-test
  forProvider:
    displayName: xp-test
  providerConfigRef:
    name: provider-azure
status:
  atProvider: {}
  conditions:
  - lastTransitionTime: "2024-06-25T15:48:38Z"
    message: 'connect failed: cannot initialize the Terraform plugin SDK async external
      client: cannot get terraform setup: failed to configure the no-fork Azure client:
      failed to configure the provider: [{0 building account: could not acquire access
      token to parse claims: ManagedIdentityAuthorizer: failed to request token from
      metadata endpoint: received HTTP status 400 with body: {"error":"invalid_request","error_description":"Identity
      not found"}  []}]'
    reason: ReconcileError
    status: "False"
    type: Synced
```

Relevant Error Output Snippet

No response

Crossplane Version

1.16.0

Provider Version

1.3.0

Kubernetes Version

Client Version: v1.28.2
Kustomize Version: v5.0.4-0.20230601165947-6ce0bf390ce3
Server Version: v1.29.2

Kubernetes Distribution

AKS

Additional Info

You may want to add InjectedIdentity here:

```go
// Source of the provider credentials.
// +kubebuilder:validation:Enum=None;Secret;UserAssignedManagedIdentity;SystemAssignedManagedIdentity;OIDCTokenFile;Upbound;Filesystem
Source xpv1.CredentialsSource `json:"source"`
```

and regenerate.

@paulschroeder-tomtom paulschroeder-tomtom added bug Something isn't working needs:triage labels Jun 27, 2024
@paulschroeder-tomtom paulschroeder-tomtom changed the title [Bug]: Missing InjectedIdentity [Bug]: Missing InjectedIdentity in ProviderConfig Jun 27, 2024
@chatelain-io

It seems that you are looking to authenticate with Workload Identities. You can look at this:

crossplane-contrib/provider-azure#329

@paulschroeder-tomtom (Author)

Yes, I have seen this issue and was discarding it, since it's for the community provider and not the upjet version. Will have a closer look, thanks.
