
Promitor to support Azure Workload Identity with UserAssignedManagedIdentity


Proposal

With aad-pod-identity being deprecated in favor of Azure Workload Identity, Promitor should support Workload Identity.

In my testing using the current version of Resource Discovery, attempting to use Workload Identity results in the following error: AADSTS70021: No matching federated identity record found for presented assertion.

I don’t believe this is a configuration issue on my end, as I have verified the configuration using the azwi quick-start guide and got that working as expected.

Component

Resource Discovery, Scraper

Contact Details

benjamin.lawson@dcsg.com

Issue Analytics

  • State: open
  • Created 8 months ago
  • Comments: 10 (4 by maintainers)

Top GitHub Comments

davecaplinger commented, Aug 7, 2023

I was missing the securityContext setting; I’ll give that a shot. Thanks!

dks0296586 commented, Aug 7, 2023

@davecaplinger
Here are the labels and annotations I needed to use for the sidecar proxy to work:

```yaml
securityContext:
  runAsNonRoot: false # Required for Azure Workload Identity Proxy Injection
podLabels:
  azure.workload.identity/use: "true" # label the mutating webhook keys on
annotations:
  azure.workload.identity/inject-proxy-sidecar: "true"
  azure.workload.identity/proxy-sidecar-port: "8080"
```

I don’t believe you need to have aad-pod-identity configured to make use of the workload identity sidecar. I think since the resource discovery is working with workload identity, it’s just a matter of getting the sidecar proxy working correctly.
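As an added example that is not part of the thread or of Promitor's code, a small pre-flight check over a rendered pod manifest that reports whether the label, annotations and `securityContext` the comment above lists are in place before the pod is submitted. The manifests it inspects are constructed here; `GOOD_POD` mirrors the values from the comment, `BAD_POD` shows two of the misconfigurations the check catches.

```python
# Added example: pre-flight linter for Azure Workload Identity proxy-sidecar
# injection. Not Promitor's code; the pod manifests below are constructed.

USE_LABEL = "azure.workload.identity/use"
INJECT_ANNOTATION = "azure.workload.identity/inject-proxy-sidecar"
PORT_ANNOTATION = "azure.workload.identity/proxy-sidecar-port"


def check_workload_identity_pod(pod: dict) -> list[str]:
    """Return a list of problems; an empty list means the pod looks ready."""
    problems = []
    meta = pod.get("metadata") or {}
    labels = meta.get("labels") or {}
    annotations = meta.get("annotations") or {}
    spec = pod.get("spec") or {}

    # The mutating webhook only touches pods carrying this label.
    if labels.get(USE_LABEL) != "true":
        problems.append(f'label {USE_LABEL}="true" missing; webhook skips the pod')
    # Without this annotation no proxy sidecar is injected.
    if annotations.get(INJECT_ANNOTATION) != "true":
        problems.append(f'annotation {INJECT_ANNOTATION}="true" missing; no sidecar')
    port = annotations.get(PORT_ANNOTATION)
    if port is not None and not str(port).isdigit():
        problems.append(f"annotation {PORT_ANNOTATION} must be numeric, got {port!r}")
    # The proxy sidecar runs as root, so a pod-level runAsNonRoot: true blocks it
    # (the comment above sets it to false for exactly this reason).
    if (spec.get("securityContext") or {}).get("runAsNonRoot") is True:
        problems.append("spec.securityContext.runAsNonRoot=true blocks the proxy sidecar")
    # Without serviceAccountName the pod runs as the namespace's "default" SA, so the
    # token subject becomes system:serviceaccount:<ns>:default; the federated
    # credential must name that exact service account or AADSTS70021 follows.
    if not spec.get("serviceAccountName"):
        problems.append("serviceAccountName unset; federated credential binds to an SA")
    return problems


# Constructed manifests (values mirror the comment above).
GOOD_POD = {
    "metadata": {
        "labels": {USE_LABEL: "true"},
        "annotations": {INJECT_ANNOTATION: "true", PORT_ANNOTATION: "8080"},
    },
    "spec": {"serviceAccountName": "promitor", "securityContext": {"runAsNonRoot": False}},
}
BAD_POD = {
    "metadata": {"annotations": {INJECT_ANNOTATION: "true", PORT_ANNOTATION: "8080"}},
    "spec": {"serviceAccountName": "promitor", "securityContext": {"runAsNonRoot": True}},
}
```

Run `check_workload_identity_pod` against the output of `helm template` (parsed into a dict) to catch these mistakes before the pod reaches the cluster.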
