[azure] Pod fails to obtain token, when 2 MSI are assigned to VM scale set #1548
Comments
|
Even 2 User Identities both with the proper permissions (Read on Resource Group, Contributor to DNS Zone) causes this error. |
|
I'm also getting this error when using AKS with managed identity auth enabled (which configures two other User assigned managed identities). Is there a workaround until this is fixed? |
|
I'm still getting this error, please is there a workaround for now? |
|
As explained above, this issue occurred when more than 1 user assigned Managed Identity is associated with the Virtual Machine Scale Set. Adding a particular user assigned managed identity in the azure.json which is then used to create the secret resolved the issue for me. { |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
|
/remove-lifecycle rotten |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
|
/remove-lifecycle stale |
|
@digitamind I was following current azure guide and I am not sure how to get the |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
|
Stale issues rot after 30d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-contributor-experience at kubernetes/community. |
|
@darkn3rd if you have Azure AADPodIdentity setup in the cluster then you can use the following configuration to bind external-dns to the managed identity: apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
name: my-external-dns
namespace: kube-system
spec:
type: 0
resourceID: /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/my-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/my-external-dns
# az ad sp list --filter "displayName eq 'my-external-dns'" -o tsv --query '[].appId'
clientID: 00000000-0000-0000-0000-000000000000
---
apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
name: my-external-dns-binding
namespace: kube-system
spec:
azureIdentity: my-external-dns
selector: my-external-dnsAnd for the external-dns pod, add the following label: |
|
/remove-lifecycle rotten |
|
This also happens when using "useManagedIdentityExtension": true which means you are forced to not use this option and spin up your own user assigned identity and use that instead. This issue needs resolving so that we can use the "useManagedIdentityExtension": true option |
|
@njuettner, In this issue here: Azure/aad-pod-identity#778 (comment) it was stated that the above code was used to solve this issue. |
|
Hello all, any news on this issue? My customer is concerned by it. |
|
@MCKLMT I do not have this this issue when using AAD Pod Identity. I have the default assigned managed identity, and one that I created, which grants access Azure DNS. I am using the preview feature to automate the process, just in case that makes things work. |
For those who are still struggling with, please follow @digitamind suggestion, thanks buddy, you saved my day! |
|
The Kubernetes project currently lacks enough contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle stale |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /lifecycle rotten |
|
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues and PRs. This bot triages issues and PRs according to the following rules:
You can:
Please send feedback to sig-contributor-experience at kubernetes/community. /close |
|
@k8s-triage-robot: Closing this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
|
We are still having this issue. Any fixes or workaround on this? |
What happened: Pod fails to refresh token when more than 1 user assigned Managed Identity is associated with the Virtual Machine Scale Set.
time="2020-04-28T21:47:44Z" level=error msg="azure.BearerAuthorizer#WithAuthorization: Failed to refresh the Token for request to https://management.azure.com/subscriptions/6100196f-6f28-4a23-9ab0-2e6ccc491527/resourceGroups/EastUS-EQS-AKS-SYSENG/providers/Microsoft.Network/dnsZones?api-version=2018-05-01: StatusCode=400 -- Original Error: adal: Refresh request failed. Status Code = '400'. Response body: {"error":"invalid_request","error_description":"Identity not found"}"
What you expected to happen: Use the correct identity or at least show a message that the correct identity to use must be defined.
How to reproduce it (as minimally and precisely as possible):
Start an external-dns pod in a cluster with the Virtual Machine Scale Set using 2 User assigned identities
Anything else we need to know?:
Removing any of the assigned identities make it work, preferably remove the one that doesn't have permissions to the DNS zone you want to manipulate.
azure.json:
{
"tenantId": "cb333d92-redacted-bd",
"subscriptionId": "6100196f-redacted-27",
"resourceGroup": "EastUS-EQS-AKS-SYSENG",
"useManagedIdentityExtension": true
}
Adding to the azure.json "userAssignedIdentityID": "404a9933-redacted-582", didn't work either (but I'm not sure what this option is used for)
Environment:
external-dns --version): v20200401-v0.7.1The text was updated successfully, but these errors were encountered: