## Problem

Although kubelogin addresses kubernetes/kubernetes#86410 to remove the `spn:` prefix in the `audience` claim, you may encounter the same issue while using kubelogin with Managed Service Identity (MSI) in Azure Container Instance (ACI).

For example:

```sh
az login --identity --username ${MSI_CLIENT_ID}
kubelogin convert-kubeconfig -l azurecli
kubectl get pods
error: You must be logged in to the server (Unauthorized)

## If `guard` log is enabled in AKS control plane, you will see
## failed to verify token for azure: oidc: expected audience "6dae42f8-4368-4678-94ff-3960e28e3630" got ["spn:6dae42f8-4368-4678-94ff-3960e28e3630"]
```

The issue is in ACI, which has different infrastructures such that the MSI token returned on the legacy one will include the `spn:` prefix in the `audience` claim. You can verify this by examining the AAD token: run `kubelogin get-token --server-id 6dae42f8-4368-4678-94ff-3960e28e3630 --client-id ${MSI_CLIENT_ID} --login msi`, paste the access token into https://jwt.ms and look at the `audience` claim. If it has `spn:`, your ACI is running on the legacy infrastructure.
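The audience check above can also be done locally, which keeps a live access token off a third-party web page. The script below is an added example, not part of this issue or of kubelogin itself: it decodes the payload segment of a JWT without verifying its signature (inspection only), reads the `aud` claim in either its string or list form, and classifies it the way the `guard` log line does. It assumes `kubelogin get-token` prints a client-go `ExecCredential` JSON document with the token under `status.token`; the sample token it builds when run without input is constructed, unsigned and carries a placeholder signature and a placeholder client id.

```python
import base64
import json
import sys

# Audience the AKS API server expects (the server id quoted in the guard log above).
AKS_SERVER_ID = "6dae42f8-4368-4678-94ff-3960e28e3630"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def extract_token(text: str) -> str:
    """Accept either a raw JWT or the ExecCredential JSON that
    `kubelogin get-token` prints (assumed layout: status.token)."""
    text = text.strip()
    if text.startswith("{"):
        return json.loads(text)["status"]["token"]
    return text


def audiences(token: str) -> list:
    """Return the aud claim as a list WITHOUT verifying the signature.
    This is for inspection only; never use it to accept a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    claims = json.loads(_b64url_decode(parts[1]))
    aud = claims.get("aud", [])
    return [aud] if isinstance(aud, str) else list(aud)


def check_audience(token: str, expected: str = AKS_SERVER_ID) -> str:
    """Classify the token the way guard does: 'ok' when aud matches the server id,
    'legacy-aci' when it carries the spn: prefix, 'mismatch' otherwise."""
    auds = audiences(token)
    if expected in auds:
        return "ok"
    if "spn:" + expected in auds:
        return "legacy-aci"
    return "mismatch"


def make_sample_token(aud) -> str:
    """Build a CONSTRUCTED, unsigned sample token for offline testing.
    The signature segment is a placeholder, not a real signature."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(
        json.dumps({"aud": aud, "appid": "placeholder-msi-client-id"}).encode()
    )
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    # Usage: kubelogin get-token --server-id ... --client-id ... --login msi | python3 check_aud.py
    # With no piped input, a constructed legacy-style token is inspected instead.
    if sys.stdin.isatty():
        token = make_sample_token("spn:" + AKS_SERVER_ID)
    else:
        token = extract_token(sys.stdin.read())
    print("aud:", audiences(token), "->", check_audience(token))
```

A result of `legacy-aci` corresponds to the `guard` error shown above; `mismatch` means the token was minted for some other resource entirely, which is a different problem from the one this issue describes.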
## Mitigation

Please open a support request to the ACI team to migrate your subscription.
weinong changed the title from "[known issue] kubelogin may not work with MSI when run in Azure Container Instance" to "kubelogin may not work with MSI when run in Azure Container Instance" on Feb 12, 2022.
## References

#30 #61