
Issues when using Azure DevOps federated identity token #413

Closed
chrismilson opened this issue Feb 8, 2024 · 4 comments

Comments

@chrismilson

I am trying to use kubelogin as an exec plugin for kubernetes. I am getting the OIDC token from Azure DevOps.

Here is an abridged version of what I'm trying to do:

token="..."
token_file="..."
# quote the expansions so a token containing shell metacharacters or whitespace is written intact
echo "$token" > "$token_file"

# az login succeeds
az login --federated-token "$token"
az aks get-credentials ...

# $(servicePrincipalId) and $(tenantId) are Azure DevOps pipeline variables (macro syntax), expanded before the script runs
kubelogin convert-kubeconfig \
  --server-id "6dae42f8-4368-4678-94ff-3960e28e3630" \
  --login workloadidentity \
  --client-id $(servicePrincipalId) \
  --tenant-id $(tenantId) \
  --federated-token-file "$token_file" \
  --authority-host "https://login.microsoftonline.com/"

kubectl get pods

The kubectl get pods fails with:

Error: failed to get token: failed to acquire token. FromAssertion(): http call(https://login.microsoftonline.com/.../oauth2/v2.0/token)(POST) error: reply status code was 400:
{"error":"invalid_request","error_description":"AADSTS50027: JWT token is invalid or malformed. Trace ID: ... Correlation ID: ... Timestamp: 2024-02-08 18:37:15Z","error_codes":[50027],"timestamp":"2024-02-08 18:37:15Z","trace_id":"...","correlation_id":"...","error_uri":"https://login.microsoftonline.com/error?code=50027"}
E0208 18:37:15.093655   13664 memcache.go:265] couldn't get current server API group list: Get "https://...:443/api?timeout=32s": getting credentials: exec: executable kubelogin failed with exit code 1

As you can see, the token just succeeded in authenticating with az login, but I get an error from kubelogin that the token is invalid or malformed. Am I doing something wrong?

@weinong
Contributor

weinong commented Feb 10, 2024

Never tested it in Azure DevOps. I wonder if the token format is different. Can you try to copy it out and paste it into https://jwt.ms to see what it looks like?
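The suggestion above is to look at the token's contents. The following script, added here as an example and not part of the kubelogin project or of this thread, does the same inspection offline instead of pasting a live credential into a web page: it reads the token file, checks that it is a structurally valid compact JWT (three base64url segments, JSON header and claims), flags whitespace or a newline around the token in the file, and decodes issuer, audience, subject and expiry so they can be compared with what the token exchange expects. It does not verify the signature. All sample values (header, claims, the dummy signature bytes) are constructed for the example; the `build_sample_token` helper only exists so the script runs without a real token.

```python
"""Offline structural inspection of a federated-identity token file.

Added example (not kubelogin's code). Decodes the header and claims of a JWT
so the values can be checked locally; no signature verification is done.
"""
import base64
import json
import sys
import time
from typing import Optional

# Constructed sample values; a real Azure DevOps token carries its own issuer/subject.
SAMPLE_HEADER = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
SAMPLE_CLAIMS = {
    "iss": "https://issuer.example/constructed",      # placeholder issuer
    "aud": "api://AzureADTokenExchange",               # audience used by workload identity federation
    "sub": "constructed-subject",                      # placeholder subject
    "exp": 4102444800,                                 # constructed: 2100-01-01 UTC
    "iat": 1707000000,                                 # constructed issue time
}


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token() -> str:
    """Constructed token with a dummy signature, only for running the example."""
    compact = lambda obj: json.dumps(obj, separators=(",", ":")).encode()
    return ".".join([
        b64url_encode(compact(SAMPLE_HEADER)),
        b64url_encode(compact(SAMPLE_CLAIMS)),
        b64url_encode(b"\x00" * 32),
    ])


def inspect_token_text(raw: str, now: Optional[float] = None) -> dict:
    """Report structural problems and decoded header/claims for raw file contents."""
    report = {"problems": [], "header": None, "claims": None}
    token = raw.strip()
    if token != raw:
        report["problems"].append("file has whitespace or a newline around the token")
    if not token:
        report["problems"].append("token is empty")
        return report
    parts = token.split(".")
    if len(parts) != 3:
        report["problems"].append(f"expected 3 dot-separated segments, found {len(parts)}")
        return report
    for name, seg in (("header", parts[0]), ("claims", parts[1])):
        try:
            # binascii.Error, JSONDecodeError and UnicodeDecodeError are all ValueError subclasses.
            report[name] = json.loads(b64url_decode(seg))
        except ValueError as exc:
            report["problems"].append(f"{name} segment is not base64url-encoded JSON: {exc}")
    claims = report["claims"]
    if isinstance(claims, dict):
        missing = [c for c in ("iss", "aud", "sub", "exp") if c not in claims]
        if missing:
            report["problems"].append("claims missing: " + ", ".join(missing))
        exp = claims.get("exp")
        current = time.time() if now is None else now
        if isinstance(exp, (int, float)) and exp < current:
            report["problems"].append("token is expired (exp is in the past)")
    return report


def inspect_token_file(path: str) -> dict:
    with open(path, "r", encoding="utf-8") as fh:
        return inspect_token_text(fh.read())


if __name__ == "__main__":
    # Usage: python inspect_token.py /path/to/token_file ; with no argument, the constructed sample is used.
    result = inspect_token_file(sys.argv[1]) if len(sys.argv) > 1 else inspect_token_text(build_sample_token() + "\n")
    print(json.dumps(result, indent=2))
```

Running it against the real token file written by the pipeline step shows whether the exchange endpoint received something that is not a three-segment JWT at all (for example an empty file or extra bytes around the token), and which issuer and audience the token actually carries, without the credential leaving the agent.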

@weinong
Contributor

weinong commented Feb 10, 2024

@azooinmyluggage can you help take a look? It'd be great if you or your team can provide a write-up on using Azure DevOps with federated identity end to end to access AKS clusters.

@MarkTallentire

MarkTallentire commented Feb 21, 2024

kubelogin convert-kubeconfig `
  --authority-host $(AZURE_AUTHORITY_HOST) `
  --login workloadidentity `
  --federated-token-file $(AZURE_FEDERATED_TOKEN_FILE)

This worked fine for us.

@weinong
Contributor

weinong commented Feb 23, 2024

Please reopen with more info if needed.

@weinong weinong closed this as completed Feb 23, 2024