fix

cvvz · Apr 23, 2023 · a312af9 · a312af9
1 parent 51b5ac7
commit a312af9
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 14 deletions.
diff --git a/pkg/provider/azure.go b/pkg/provider/azure.go
@@ -944,6 +944,7 @@ func ParseConfig(configReader io.Reader) (*Config, error) {
 		config.AADClientID = clientID
 	}
 	config.AADFederatedTokenFile = os.Getenv("AZURE_FEDERATED_TOKEN_FILE")
+	config.UseFederatedWorkloadIdentityExtension = config.AADFederatedTokenFile != ""
 	return &config, nil
 }
 

diff --git a/pkg/provider/config/azure_auth.go b/pkg/provider/config/azure_auth.go
@@ -81,7 +81,7 @@ type AzureAuthConfig struct {
 	// The AAD federated token file
 	AADFederatedTokenFile string `json:"aadFederatedTokenFile,omitempty" yaml:"aadFederatedTokenFile,omitempty"`
 	// Use workload identity federation for the virtual machine to access Azure ARM APIs
-	UseWorkloadIdentityExtension bool `json:"useWorkloadIdentityExtension,omitempty" yaml:"useWorkloadIdentityExtension,omitempty"`
+	UseFederatedWorkloadIdentityExtension bool `json:"useFederatedWorkloadIdentityExtension,omitempty" yaml:"useFederatedWorkloadIdentityExtension,omitempty"`
 }
 
 // GetServicePrincipalToken creates a new service principal token based on the configuration.
@@ -104,6 +104,23 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment, r
 		resource = env.ServiceManagementEndpoint
 	}
 
+	if config.UseFederatedWorkloadIdentityExtension {
+		klog.V(2).Infoln("azure: using workload identity extension to retrieve access token")
+		oauthConfig, err := adal.NewOAuthConfigWithAPIVersion(env.ActiveDirectoryEndpoint, tenantID, nil)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create the OAuth config: %w", err)
+		}
+		jwt, err := os.ReadFile(config.AADFederatedTokenFile)
+		if err != nil {
+			return nil, fmt.Errorf("failed to read a file with a federated token: %w", err)
+		}
+		token, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, config.AADClientID, string(jwt), env.ResourceManagerEndpoint)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create a workload identity token: %w", err)
+		}
+		return token, nil
+	}
+
 	if config.UseManagedIdentityExtension {
 		klog.V(2).Infoln("azure: using managed identity extension to retrieve access token")
 		msiEndpoint, err := adal.GetMSIVMEndpoint()
@@ -165,19 +182,6 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment, r
 			resource)
 	}
 
-	if config.UseWorkloadIdentityExtension {
-		klog.V(2).Infoln("azure: using workload identity extension to retrieve access token")
-		jwt, err := os.ReadFile(config.AADFederatedTokenFile)
-		if err != nil {
-			return nil, fmt.Errorf("failed to read a file with a federated token: %w", err)
-		}
-		token, err := adal.NewServicePrincipalTokenFromFederatedToken(*oauthConfig, config.AADClientID, string(jwt), env.ResourceManagerEndpoint)
-		if err != nil {
-			return nil, fmt.Errorf("failed to create a workload identity token: %w", err)
-		}
-		return token, nil
-	}
-
 	return nil, ErrorNoAuth
 }