Tags: azure, openid-connect, azure-managed-identity, workload-identity

Azure Workload Identity Federation and Managed Identity: login.microsoftonline.com returns 401


Given following setup:

  • User assigned identity with federated identity credentials, pointing to AKS's service account, in place
  • An AKS cluster with service account, with OIDC issuer and workload identity enabled, 1.23.8
  • A pod is running, which gets populated with the ENVs
    • AZURE_AUTHORITY_HOST: https://login.microsoftonline.com/
    • AZURE_CLIENT_ID: <my-client-id>
    • AZURE_FEDERATED_TOKEN_FILE: /var/run/secrets/azure/tokens/azure-identity-token
    • AZURE_TENANT_ID: <my-tenant-id>

Using Maven azure-identity for the ManagedIdentity instance:

<dependency>
  <groupId>com.azure</groupId>
  <artifactId>azure-identity</artifactId>
  <version>1.9.0-beta.3</version>
  <!--      <version>1.7.3</version> tried different versions ... -->
</dependency>

Java snippet:

import com.azure.identity.ManagedIdentityCredential;
import com.azure.identity.ManagedIdentityCredentialBuilder;
import com.azure.storage.queue.QueueClient;
import com.azure.storage.queue.QueueClientBuilder;

// Credential picks up AZURE_CLIENT_ID / AZURE_TENANT_ID / AZURE_FEDERATED_TOKEN_FILE from the pod environment
ManagedIdentityCredential managedIdentityCredential =
  new ManagedIdentityCredentialBuilder()
  .build();
// Queue client that requests a token for https://storage.azure.com/.default on first use
QueueClient queue = new QueueClientBuilder()
  .credential(managedIdentityCredential)
  .endpoint("https://<my-storage-account>.queue.core.windows.net")
  .queueName("test")
  .buildClient();

This results in:

java.io.IOException: Server returned HTTP response code: 401 for URL: https://login.microsoftonline.com/<my-tenant-id>/oauth2/v2.0/token
...
[ForkJoinPool.commonPool-worker-3] ERROR com.azure.identity.ManagedIdentityCredential - Azure Identity => ERROR in getToken() call for scopes [https://storage.azure.com/.default]: Managed Identity authentication is not available.
[ForkJoinPool.commonPool-worker-3] ERROR com.azure.core.implementation.AccessTokenCache - Failed to acquire a new access token.

Any suggestions what might be missing in the picture? Thx!


Solution

  • There might be many reasons leading to this 401 error. But in my particular case: I had a wrong Kubernetes namespace configuration in the Federated Credential ... maybe this helps somebody else, too.
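The answer's namespace mismatch is one instance of a general rule: the token exchange at login.microsoftonline.com only succeeds when the `iss`, `sub` and `aud` claims of the projected service-account token match the issuer, subject and audience configured on the federated identity credential, and the subject for a Kubernetes service account has the form `system:serviceaccount:<namespace>:<name>`. The following diagnostic is an added example, not code from the question or answer: it decodes the token named by AZURE_FEDERATED_TOKEN_FILE (signature verification is left to Entra ID) and reports which of the three claims disagrees with the credential. The issuer URL, service-account name, namespaces and the token itself are constructed placeholders; the audience `api://AzureADTokenExchange` is the default used by Azure workload identity.

```python
"""Check an AKS workload-identity token against a federated credential's settings.

Added example (not part of the original post). Reads the projected
service-account token and compares its iss/sub/aud claims with the issuer,
subject and audience configured on the federated identity credential.
The sample token and expected values below are constructed for illustration.
"""
import base64
import json
import os
import sys


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT without verifying the signature.

    Verification is Entra ID's job; this local check only needs to read what
    the cluster's OIDC issuer put into the token.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def expected_subject(namespace: str, service_account: str) -> str:
    """Subject format a federated credential uses for a Kubernetes service account."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def check_federation(claims: dict, issuer: str, subject: str, audience: str) -> list:
    """Compare token claims with the federated credential; returns a list of problems.

    An empty list means the token exchange should be accepted.
    """
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"issuer mismatch: token has {claims.get('iss')!r}, credential expects {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"subject mismatch: token has {claims.get('sub')!r}, credential expects {subject!r}")
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if audience not in auds:
        problems.append(f"audience mismatch: token has {auds!r}, credential expects {audience!r}")
    return problems


def make_unsigned_jwt(claims: dict) -> str:
    """Build a token with an empty signature, used only for the constructed sample."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


# Constructed sample: the pod runs in namespace "prod", but the federated
# credential was created with the subject for namespace "default".
SAMPLE_ISSUER = "https://oidc.example-aks.invalid/"  # placeholder issuer URL
SAMPLE_AUDIENCE = "api://AzureADTokenExchange"
SAMPLE_TOKEN = make_unsigned_jwt({
    "iss": SAMPLE_ISSUER,
    "sub": expected_subject("prod", "workload-sa"),
    "aud": [SAMPLE_AUDIENCE],
    "exp": 4102444800,
})
CREDENTIAL_SUBJECT = expected_subject("default", "workload-sa")


def diagnose_sample() -> list:
    """Run the check on the constructed token; returns the problems found."""
    claims = decode_jwt_claims(SAMPLE_TOKEN)
    return check_federation(claims, SAMPLE_ISSUER, CREDENTIAL_SUBJECT, SAMPLE_AUDIENCE)


if __name__ == "__main__":
    # Inside a pod: python check.py <issuer> <subject> [<audience>] reads the real token.
    # Without arguments the constructed sample is used.
    path = os.environ.get("AZURE_FEDERATED_TOKEN_FILE")
    if len(sys.argv) >= 3 and path and os.path.exists(path):
        with open(path) as f:
            token = f.read()
        audience = sys.argv[3] if len(sys.argv) > 3 else SAMPLE_AUDIENCE
        found = check_federation(decode_jwt_claims(token), sys.argv[1], sys.argv[2], audience)
    else:
        found = diagnose_sample()
    for p in found:
        print(p)
    sys.exit(1 if found else 0)
```

Run inside the pod with the issuer and subject copied from the federated credential (for example from the portal or `az identity federated-credential list`); a non-empty report names the exact claim the token exchange will reject, which the SDK's generic "Managed Identity authentication is not available" message does not.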