Release of MSI version 2022-01-31-preview
Related command
az identity
Resource Provider
Microsoft.ManagedIdentity
Description of Feature or Work Requested
MSI has added a new resource, Federated Identity Credentials (FIC), as a sub-resource of existing User Assigned Identities: “userAssignedIdentities/federatedIdentityCredentials”.
The CLI is expected to provide CRUD operations for this sub-resource. Take a look at the Request Example below.
high-level documentation: https://aka.ms/ami/wif/docs
FIC object looks like this:
{
  "issuer": "https://oidc.prod-aks.azure.com/IssuerGUID",
  "subject": "system:serviceaccount:ns:svcaccount",
  "audiences": ["api://AzureADTokenExchange"]
}
In the AAD context, the audiences array is supposed to have exactly one element in most cases. Is it possible to make “audiences”: [“api://AzureADTokenExchange”] a default value with the ability to override it?
Minimum API Version Required
2022-01-31-preview
Swagger PR link
https://github.com/Azure/azure-rest-api-specs/pull/19548
Request Example
Existing command to create managed identity
az identity create --name $uaId --resource-group $rg --location $location --subscription $subscription
This managed identity can then be used for the FIC CRUD operations below. Those 4 operations are expected to become available in the CLI.
create/update FIC
az rest --method put `
--url "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$uaId/federatedIdentityCredentials/$ficId?api-version=2022-01-31-PREVIEW" `
--headers "Content-Type=application/json" `
--body "{'properties': { 'issuer': 'https://kubernetes-oauth.azure.com/', 'subject': 'system:serviceaccount:ns:svcaccount', 'audiences': ['api://AzureADTokenExchange'] }}"
read FIC
az rest --method get --url "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$uaId/federatedIdentityCredentials/$ficId?api-version=2022-01-31-PREVIEW"
read all FICs associated with the user-assigned identity
supports paging
az rest --method get --url "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$uaId/federatedIdentityCredentials?api-version=2022-01-31-PREVIEW"
delete fic
az rest --method delete --url "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$uaId/federatedIdentityCredentials/$ficId?api-version=2022-01-31-PREVIEW"
Target Date
July
Additional context
pypi link: https://pypi.org/project/azure-mgmt-msi/6.1.0/
The given API version “2022-01-31-PREVIEW” is available in public cloud, Mooncake and Fairfax, but not in air-gapped clouds.
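As an added example (not code from this issue or from azure-cli), the Python helper below builds the same PUT request as the az rest command above: it defaults audiences to api://AzureADTokenExchange with the ability to override, wraps the fields in "properties" as the az rest example does, and refuses FIC settings that would widen which external tokens can be exchanged for the identity (non-https issuer, wildcard or incomplete Kubernetes subject, more than one audience). The validation rules, function names and sample values are this example's own assumptions, not behaviour of the service or the CLI.

```python
import json
from urllib.parse import urlparse

API_VERSION = "2022-01-31-PREVIEW"
DEFAULT_AUDIENCES = ("api://AzureADTokenExchange",)  # the AAD token-exchange audience from the issue


def fic_resource_path(subscription, rg, ua_id, fic_id):
    """ARM path of one federatedIdentityCredentials sub-resource, same shape as the az rest URLs above."""
    return (f"/subscriptions/{subscription}/resourceGroups/{rg}"
            f"/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{ua_id}"
            f"/federatedIdentityCredentials/{fic_id}?api-version={API_VERSION}")


def validate_fic(issuer, subject, audiences):
    """Reject settings that would widen which external tokens can be exchanged for this identity.
    These checks are this example's own policy (an assumption), not rules enforced by the service."""
    url = urlparse(issuer)
    if url.scheme != "https" or not url.netloc:
        raise ValueError("issuer must be an https URL (the OIDC issuer whose tokens will be trusted)")
    if not subject or any(ch in subject for ch in "*?"):
        raise ValueError("subject must be one concrete token subject, not a wildcard")
    # Kubernetes subjects must pin both the namespace and the service-account name.
    if subject.startswith("system:serviceaccount:"):
        parts = subject.split(":")
        if len(parts) != 4 or not parts[2] or not parts[3]:
            raise ValueError("expected system:serviceaccount:<namespace>:<name>")
    if len(audiences) != 1:
        raise ValueError("audiences must contain exactly one entry")


def build_fic_body(issuer, subject, audiences=None):
    """Build the PUT body; audiences defaults to api://AzureADTokenExchange and can be overridden."""
    audiences = list(audiences) if audiences is not None else list(DEFAULT_AUDIENCES)
    validate_fic(issuer, subject, audiences)
    # The REST body wraps the FIC fields in "properties", as the az rest put example in the issue does.
    return {"properties": {"issuer": issuer, "subject": subject, "audiences": audiences}}


def fic_is_acceptable(issuer, subject, audiences=None):
    """True when the proposed FIC passes validate_fic; usable as a pre-flight check in automation."""
    try:
        build_fic_body(issuer, subject, audiences)
        return True
    except ValueError:
        return False


def build_put_request(subscription, rg, ua_id, fic_id, issuer, subject, audiences=None):
    """Return (path, body_json) ready for: az rest --method put --url <path> --body <body_json>."""
    body = build_fic_body(issuer, subject, audiences)
    return fic_resource_path(subscription, rg, ua_id, fic_id), json.dumps(body)
```

Sample inputs such as "sub", "rg" and "system:serviceaccount:ns:svcaccount" are constructed placeholders; substitute real subscription, resource-group and identity names when calling az rest.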
Issue Analytics
- Created a year ago
- Comments: 21 (11 by maintainers)
Top GitHub Comments
Hey @yanzhudd thank you for providing CLI commands.
We have one proposal from the team. In our impression, `--name` is quite confusing in this context. The user is creating a federated-credential object, and name should refer to that object's name.
Would it be possible to change commands this way?
This basically means that the body can't be deserialized. It should not have a “properties”: {} object inside.
The body should look like this:
{ "issuer": "https://oidc.prod-aks.azure.com/IssuerGUID", "subject": "system:serviceaccount:ns:svcaccount", "audiences": ["api://AzureADTokenExchange"] }