Support Azure Workload Identity out of the box #594

Open
mlushpenko opened this issue Dec 5, 2023 · 2 comments
Labels
kind/enhancement Improvements or new features

Comments

@mlushpenko
Hello!

  • Vote on this issue by adding a 👍 reaction
  • If you want to implement this feature, comment to let us know (we'll work with you on design, scheduling, etc.)

Issue details

I've followed this tutorial to set up workload identity on GKE to communicate with Azure, and it is working well. I see the following variables automatically propagated inside my pods on the GKE cluster:

AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/
AZURE_CLIENT_ID=XXXXXXXX
AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token
AZURE_TENANT_ID=XXXXX

But Pulumi is asking for different variables like ARM_USE_OIDC, ARM_CLIENT_ID, ARM_OIDC_TOKEN, etc. It would be great if Pulumi supported such a setup out of the box without additional configuration.

According to the docs, you only need to use the DefaultAzureCredential method and it will try all available options one by one, including workload identity.

I hope this is helpful.
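The variables listed above are the ones the workload identity webhook injects, while the provider reads ARM_* names. As an added example (not code from this issue or from Pulumi), the following stdlib-only script bridges the two: it reads AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE, sanity-checks that the projected token is a JWT that has not expired, and returns the ARM_* mapping. ARM_TENANT_ID and ARM_SUBSCRIPTION_ID are assumed from the azure-native provider's documented settings (only ARM_USE_OIDC, ARM_CLIENT_ID and ARM_OIDC_TOKEN appear in the issue), and the sample token and identifiers are constructed placeholders.

```python
"""Bridge Azure Workload Identity (AZURE_*) variables to the ARM_* variables Pulumi reads.

Added example, not part of the issue or of Pulumi. Assumptions: ARM_TENANT_ID and
ARM_SUBSCRIPTION_ID are the provider's documented names; the token file holds a JWT.
"""
import base64
import json
import os
import tempfile
import time
from typing import Optional

# Injected by the workload identity webhook (names taken from the issue).
REQUIRED_AZURE_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload without verifying the signature.

    Used only to read 'exp'/'aud' before handing the token to the provider;
    Azure verifies the signature during the actual token exchange.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("federated token is not a three-part JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_is_usable(token: str, now: Optional[float] = None) -> bool:
    """True if the token is well-formed and its 'exp' claim lies in the future."""
    try:
        claims = jwt_claims(token)
    except ValueError:  # covers binascii.Error and json.JSONDecodeError too
        return False
    exp = claims.get("exp")
    current = time.time() if now is None else now
    return isinstance(exp, (int, float)) and exp > current


def arm_env_from_workload_identity(env: dict, subscription_id: str,
                                   now: Optional[float] = None) -> dict:
    """Translate AZURE_* variables into the ARM_* variables the provider expects.

    The token is read fresh on every call: the projected token rotates, so build
    this mapping when the Pulumi process starts rather than caching it for hours.
    """
    missing = [name for name in REQUIRED_AZURE_VARS if not env.get(name)]
    if missing:
        raise KeyError("workload identity variables missing: " + ", ".join(missing))
    with open(env["AZURE_FEDERATED_TOKEN_FILE"], encoding="utf-8") as fh:
        token = fh.read().strip()
    if not token_is_usable(token, now):
        raise ValueError("federated token is empty, malformed or expired")
    return {
        "ARM_USE_OIDC": "true",
        "ARM_CLIENT_ID": env["AZURE_CLIENT_ID"],
        "ARM_TENANT_ID": env["AZURE_TENANT_ID"],        # assumed provider name
        "ARM_SUBSCRIPTION_ID": subscription_id,          # assumed provider name
        "ARM_OIDC_TOKEN": token,                         # bearer credential: never log it
    }


def write_constructed_token(claims: dict) -> str:
    """Write an unsigned, constructed JWT-shaped token to a temp file; return the path.

    Offline demonstration only: a real projected token is signed by the cluster.
    """
    def b64(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    token = b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + ".unsigned"
    fd, path = tempfile.mkstemp(prefix="azure-identity-token-")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(token)
    return path


if __name__ == "__main__":
    # Constructed sample of what a GKE pod would see, with placeholder identifiers.
    path = write_constructed_token({"aud": "api://AzureADTokenExchange",
                                    "exp": int(time.time()) + 3600})
    sample_env = {
        "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000000",
        "AZURE_TENANT_ID": "11111111-1111-1111-1111-111111111111",
        "AZURE_FEDERATED_TOKEN_FILE": path,
    }
    arm = arm_env_from_workload_identity(sample_env, "22222222-2222-2222-2222-222222222222")
    # Show only the non-secret keys; ARM_OIDC_TOKEN must not reach logs.
    print({k: v for k, v in arm.items() if k != "ARM_OIDC_TOKEN"})
```

In a real pod the returned dict would be merged into `os.environ` before spawning `pulumi up`; the expiry check matters because the projected token is short-lived, and a stale copy produces an opaque authentication failure from the provider rather than a clear error.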

@mlushpenko mlushpenko added kind/enhancement Improvements or new features needs-triage Needs attention from the triage team labels Dec 5, 2023
@iwahbe iwahbe removed the needs-triage Needs attention from the triage team label Dec 6, 2023
@iwahbe
Member

iwahbe commented Dec 6, 2023

Hi @mlushpenko. Thanks for the feedback.

@mlushpenko
Author

@iwahbe we've just launched a Python service with workload identity from GKE to Azure, and apart from the webhook setup, this is the only thing we needed in our Python code:

import os

from azure.identity import DefaultAzureCredential
from azure.mgmt.monitor import MonitorManagementClient

# The subscription id is the one value the workload identity webhook does not inject.
AZURE_SUBSCRIPTION_ID = os.environ["AZURE_SUBSCRIPTION_ID"]

# Picks up AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_FEDERATED_TOKEN_FILE automatically.
credentials = DefaultAzureCredential()
monitor_client = MonitorManagementClient(credentials, AZURE_SUBSCRIPTION_ID)
