Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove ClientID option on KeyVault AccessPolicy #1351

Closed
matthchr opened this issue Jan 11, 2021 · 3 comments
Closed

Remove ClientID option on KeyVault AccessPolicy #1351

matthchr opened this issue Jan 11, 2021 · 3 comments
Labels
known-issue

Comments

@matthchr
Copy link
Member

Describe the current behavior
We have ClientID today and we try to translate that into an ObjectID.

Describe the improvement
It would be great if this worked universally but unfortunately depending on what permissions the ASO service principal or managed identity has on the subscription it may or may not have permission to call the API required to look up the ObjectID from the ClientID. The KeyVault API requires an ObjectID so rather than trying to be smart we should just make the customer supply the same ID that KeyVault expects.
@matthchr matthchr added the task label Jan 11, 2021
@matthchr matthchr mentioned this issue Jan 11, 2021
Closed
matthchr added a commit to matthchr/azure-service-operator that referenced this issue Jan 11, 2021
@matthchr
Provisioning AccessPolicy and KeyVault at same time
64758fe 
The operator was originally reconciling AccessPolicy's after the rest of the KV
had been created (see: Azure#1158). This isn't actually required because even doing
this there are tons of reasons that this can fail. I've filed Azure#1351 to track
removing ClientID from the CRD in a future API version as there are a ton of
obscure ways that we can fail to translate that ID into an ObjectID.
matthchr added a commit to matthchr/azure-service-operator that referenced this issue Jan 11, 2021
@matthchr
Provisioning AccessPolicy and KeyVault at same time
1ecf958 
The operator was originally reconciling AccessPolicy's after the rest of the KV
had been created (see: Azure#1158). This isn't actually required because even doing
this there are tons of reasons that this can fail. I've filed Azure#1351 to track
removing ClientID from the CRD in a future API version as there are a ton of
obscure ways that we can fail to translate that ID into an ObjectID.
@matthchr matthchr mentioned this issue Jan 11, 2021
Merged
2 tasks
matthchr added a commit to matthchr/azure-service-operator that referenced this issue Jan 11, 2021
@matthchr
Provisioning AccessPolicy and KeyVault at same time
4ccf8a4 
The operator was originally reconciling AccessPolicy's after the rest of the KV
had been created (see: Azure#1158). This isn't actually required because even doing
this there are tons of reasons that this can fail. I've filed Azure#1351 to track
removing ClientID from the CRD in a future API version as there are a ton of
obscure ways that we can fail to translate that ID into an ObjectID.
matthchr added a commit to matthchr/azure-service-operator that referenced this issue Jan 12, 2021
@matthchr
Provisioning AccessPolicy and KeyVault at same time
30758f1 
The operator was originally reconciling AccessPolicy's after the rest of the KV
had been created (see: Azure#1158). This isn't actually required because even doing
this there are tons of reasons that this can fail. I've filed Azure#1351 to track
removing ClientID from the CRD in a future API version as there are a ton of
obscure ways that we can fail to translate that ID into an ObjectID.
matthchr added a commit to matthchr/azure-service-operator that referenced this issue Jan 12, 2021
@matthchr
Provisioning AccessPolicy and KeyVault at same time
7448973 
The operator was originally reconciling AccessPolicy's after the rest of the KV
had been created (see: Azure#1158). This isn't actually required because even doing
this there are tons of reasons that this can fail. I've filed Azure#1351 to track
removing ClientID from the CRD in a future API version as there are a ton of
obscure ways that we can fail to translate that ID into an ObjectID.
matthchr added a commit that referenced this issue Jan 12, 2021
@matthchr
Provisioning AccessPolicy and KeyVault at same time (#1352)
892b362 
The operator was originally reconciling AccessPolicy's after the rest of the KV
had been created (see: #1158). This isn't actually required because even doing
this there are tons of reasons that this can fail. I've filed #1351 to track
removing ClientID from the CRD in a future API version as there are a ton of
obscure ways that we can fail to translate that ID into an ObjectID.
@matthchr matthchr mentioned this issue Feb 20, 2021
Closed
@matthchr
Copy link
Member Author

matthchr commented Nov 1, 2021

Leaving this open as an FYI, but not intending to fix this at this time as V1 is in critical fixes only mode.

@stale
Copy link

stale bot commented Apr 16, 2022

This issue has been automatically marked as stale because it has not had activity in 60 days.

@stale stale bot added the stale label Apr 16, 2022
@matthchr
Copy link
Member Author

Closing this given ASOv1 is in maintenance mode and this isn't a critical issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
known-issue
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@matthchr