Fix Azure Identity federated Application ID

A recent change on Azure Side forces the server id to include the `.default` suffix. Fixes #33920 Signed-off-by: Tiago Silva <tiago.silva@goteleport.com>
gravitational · Oct 26, 2023 · 814e355 · 814e355
1 parent bf2625b
commit 814e355
Showing 1 changed file with 2 additions and 7 deletions.
diff --git a/lib/cloud/azure/kubernetes.go b/lib/cloud/azure/kubernetes.go
@@ -261,7 +261,6 @@ func (c *aksClient) ClusterCredentials(ctx context.Context, cfg ClusterCredentia
 	default:
 		return nil, time.Time{}, trace.BadParameter("unsupported AKS authentication mode %v", clusterDetails.Properties.AccessConfig)
 	}
-
 }
 
 // getAzureRBACCredentials generates a config to access the cluster.
@@ -279,7 +278,7 @@ func (c *aksClient) getAzureRBACCredentials(ctx context.Context, cluster Cluster
 	}
 
 	if err := c.checkAccessPermissions(ctx, cfg, cluster); err != nil {
-		return nil, time.Time{}, trace.WrapWithMessage(err, `Azure RBAC rules have not been configured for the agent. 
+		return nil, time.Time{}, trace.WrapWithMessage(err, `Azure RBAC rules have not been configured for the agent.
 		Please check that you have configured them correctly.`)
 	}
 
@@ -300,7 +299,6 @@ func (c *aksClient) getUserCredentials(ctx context.Context, cfg ClusterCredentia
 
 	result, err := c.getRestConfigFromKubeconfigs(res.Kubeconfigs)
 	return result, trace.Wrap(err)
-
 }
 
 // getAzureADCredentials gets the client configuration and checks if Kubernetes RBAC is configured.
@@ -378,7 +376,6 @@ func (c *aksClient) getAdminCredentials(ctx context.Context, group, name string)
 	}
 	result, err = checkIfAuthMethodIsUnSupported(result)
 	return result, trace.Wrap(err)
-
 }
 
 // getRestConfigFromKubeconfigs parses the first kubeConfig returned by ListClusterAdminCredentials and
@@ -424,7 +421,7 @@ func (c *aksClient) genAzureToken(ctx context.Context, tentantID string) (string
 		// azureManagedClusterScope is a fixed uuid used to inform Azure
 		// that we want a Token fully populated with identity principals.
 		// ref: https://github.com/Azure/kubelogin#exec-plugin-format
-		azureManagedClusterScope = "6dae42f8-4368-4678-94ff-3960e28e3630"
+		azureManagedClusterScope = "6dae42f8-4368-4678-94ff-3960e28e3630/.default"
 	)
 	cred, err := c.azIdentity(&azidentity.DefaultAzureCredentialOptions{
 		TenantID: tentantID,
@@ -443,7 +440,6 @@ func (c *aksClient) genAzureToken(ctx context.Context, tentantID string) (string
 	}
 
 	return cliAccessToken.Token, cliAccessToken.ExpiresOn, nil
-
 }
 
 // grantAccessWithAdminCredentials tries to create the ClusterRole and ClusterRoleBinding into the AKS cluster
@@ -460,7 +456,6 @@ func (c *aksClient) grantAccessWithAdminCredentials(ctx context.Context, adminCf
 
 	err = c.upsertClusterRoleBindingWithAdminCredentials(ctx, client, groupID)
 	return trace.Wrap(err)
-
 }
 
 // upsertClusterRoleWithAdminCredentials tries to upsert the ClusterRole using admin credentials.