Implement UserAssignedMSI auth for ASO #3743
Comments
To recap yesterday's discussion with @CecileRobertMichon to help me understand this:
To follow up with some of the open questions:
No AFAICT. I don't see any new logs in the NMI pod when creating an ASO resource with a Service Principal like this: https://azure.github.io/azure-service-operator/guide/authentication/credential-format/#service-principal-using-a-client-secret
Yes with AAD Pod ID, not without. I can get managed identity working with these instructions: https://azure.github.io/azure-service-operator/guide/authentication/credential-format/#deprecated-managed-identity-aad-pod-identity. Those steps modify the global
I re-scoped this issue to reflect #3698 no longer implementing
/retitle Implement UserAssignedMSI auth for ASO
/assign
Follow-up from #3526
CAPZ currently allows users to create an AzureClusterIdentity with spec.type=UserAssignedMSI driven by AAD Pod Identity and does not require the manual setup steps of Workload Identity. The same credentials in this case should be propagated to CAPZ's ASO.
If AAD Pod Identity support is removed from CAPZ before #3527 closes, then this issue would no longer need to be implemented.
see also:
https://azure.github.io/azure-service-operator/guide/authentication/credential-format/#deprecated-managed-identity-aad-pod-identity