Merge pull request #667 from andyzhangx/GetServicePrincipalToken

chore: add resource param into GetServicePrincipalToken
kubernetes-sigs · Jun 17, 2021 · 86d9845 · 86d9845
2 parents 810f9c9 + a055d0d
commit 86d9845
Show file tree

Hide file tree

Showing 3 changed files with 13 additions and 9 deletions.
diff --git a/pkg/auth/azure_auth.go b/pkg/auth/azure_auth.go
@@ -80,14 +80,18 @@ type AzureAuthConfig struct {
 // If NetworkResourceTenantID and NetworkResourceSubscriptionID are specified to have different values than TenantID and SubscriptionID, network resources are deployed in different AAD Tenant and Subscription than those for the cluster,
 // than only azure clients except VM/VMSS and network resource ones use this method to fetch Token.
 // For tokens for VM/VMSS and network resource ones, please check GetMultiTenantServicePrincipalToken and GetNetworkResourceServicePrincipalToken.
-func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (*adal.ServicePrincipalToken, error) {
+func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment, resource string) (*adal.ServicePrincipalToken, error) {
 	var tenantID string
 	if strings.EqualFold(config.IdentitySystem, consts.ADFSIdentitySystem) {
 		tenantID = consts.ADFSIdentitySystem
 	} else {
 		tenantID = config.TenantID
 	}
 
+	if resource == "" {
+		resource = env.ServiceManagementEndpoint
+	}
+
 	if config.UseManagedIdentityExtension {
 		klog.V(2).Infoln("azure: using managed identity extension to retrieve access token")
 		msiEndpoint, err := adal.GetMSIVMEndpoint()
@@ -97,13 +101,13 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (
 		if len(config.UserAssignedIdentityID) > 0 {
 			klog.V(4).Info("azure: using User Assigned MSI ID to retrieve access token")
 			return adal.NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint,
-				env.ServiceManagementEndpoint,
+				resource,
 				config.UserAssignedIdentityID)
 		}
 		klog.V(4).Info("azure: using System Assigned MSI to retrieve access token")
 		return adal.NewServicePrincipalTokenFromMSI(
 			msiEndpoint,
-			env.ServiceManagementEndpoint)
+			resource)
 	}
 
 	oauthConfig, err := adal.NewOAuthConfigWithAPIVersion(env.ActiveDirectoryEndpoint, tenantID, nil)
@@ -117,7 +121,7 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (
 			*oauthConfig,
 			config.AADClientID,
 			config.AADClientSecret,
-			env.ServiceManagementEndpoint)
+			resource)
 	}
 
 	if len(config.AADClientCertPath) > 0 && len(config.AADClientCertPassword) > 0 {
@@ -135,7 +139,7 @@ func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (
 			config.AADClientID,
 			certificate,
 			privateKey,
-			env.ServiceManagementEndpoint)
+			resource)
 	}
 
 	return nil, ErrorNoAuth

diff --git a/pkg/auth/azure_auth_test.go b/pkg/auth/azure_auth_test.go
@@ -71,7 +71,7 @@ func TestGetServicePrincipalTokenFromMSIWithUserAssignedID(t *testing.T) {
 	env := &azure.PublicCloud
 
 	for _, config := range configs {
-		token, err := GetServicePrincipalToken(config, env)
+		token, err := GetServicePrincipalToken(config, env, "")
 		assert.NoError(t, err)
 
 		msiEndpoint, err := adal.GetMSIVMEndpoint()
@@ -101,7 +101,7 @@ func TestGetServicePrincipalTokenFromMSI(t *testing.T) {
 	env := &azure.PublicCloud
 
 	for _, config := range configs {
-		token, err := GetServicePrincipalToken(config, env)
+		token, err := GetServicePrincipalToken(config, env, "")
 		assert.NoError(t, err)
 
 		msiEndpoint, err := adal.GetMSIVMEndpoint()
@@ -122,7 +122,7 @@ func TestGetServicePrincipalToken(t *testing.T) {
 	}
 	env := &azure.PublicCloud
 
-	token, err := GetServicePrincipalToken(config, env)
+	token, err := GetServicePrincipalToken(config, env, "")
 	assert.NoError(t, err)
 
 	oauthConfig, err := adal.NewOAuthConfigWithAPIVersion(env.ActiveDirectoryEndpoint, config.TenantID, nil)

diff --git a/pkg/provider/azure.go b/pkg/provider/azure.go
@@ -483,7 +483,7 @@ func (az *Cloud) InitializeCloudFromConfig(config *Config, fromSecret, syncZones
 		return err
 	}
 
-	servicePrincipalToken, err := auth.GetServicePrincipalToken(&config.AzureAuthConfig, env)
+	servicePrincipalToken, err := auth.GetServicePrincipalToken(&config.AzureAuthConfig, env, env.ServiceManagementEndpoint)
 	if errors.Is(err, auth.ErrorNoAuth) {
 		// Only controller-manager would lazy-initialize from secret, and credentials are required for such case.
 		if fromSecret {