Migration to Workload credential identity is throwing error

MKD 0 Reputation points
2024-08-27T13:40:19.9566667+00:00

Migrated using this: https://learn.microsoft.com/en-us/azure/aks/workload-identity-deploy-cluster

but getting the below error in the pod.

Could you please suggest what could be incorrect here?

ResponseBody: {"error":"invalid_client","error_description":"AADSTS700212: No matching federated identity record found for presented assertion audience 'https://uaenorth.oic.prod-aks.azure.com/8255a436-7c7d-43c2-b2f2-3d211e4f5a2d/3aa59942-3480-4b10-8d94-87d2c3d2142e/,https://testcluster-dns-yj4107za.hcp.uaenorth.azmk8s.io,"testcluster-dns-yj4107za.hcp.uaenorth.azmk8s.io"'. Please note that the matching is done using a case-sensitive comparison. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://learn.microsoft.com/entra/workload-id/workload-identity-federation Trace ID: 5529c7af-0d32-4c21-9a2e-441019405601 Correlation ID: 59fbc262-064a-45f0-a8fd-c506665e8a75 Timestamp: 2024-08-27 13:25:49Z","error_codes":[700212],"timestamp":"2024-08-27 13:25:49Z","trace_id":"5529c7af-0d32-4c21-9a2e-441019405601","correlation_id":"59fbc262-064a-45f0-a8fd-c506665e8a75"}


2 answers

  1. anashetty 660 Reputation points Microsoft Vendor
    2024-08-28T09:42:14.2333333+00:00

    Hi MKD,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Based on the error details you shared, I have shared troubleshooting steps that I feel will help resolve the issue you reported.

    The error message you encountered indicates an issue with the federated identity setup when migrating to Azure Kubernetes Service (AKS) using workload identity.

    Verify the Workload Identity Configuration in Azure AD:

    Check that the federated credentials are configured correctly - Issuer URL should match the issuer of the token, Subject should match the value provided by your pod identity setup (typically in the format 'system:serviceaccount:<namespace>:<serviceaccount>') and Audience should be set to 'api://AzureADTokenExchange'

    Inspect the token and verify the aud, iss, and sub claims:

    To get the token: kubectl exec <pod_name> -n <namespace> -- cat /var/run/secrets/azure/tokens/token

    Double check there are no case sensitivity issues with the audience, issuer, or subject claims. Even a small case difference will cause Azure AD to reject the token.

    Please refer to the below link for more information.

    https://learn.microsoft.com/en-us/entra/workload-id/workload-identity-federation-create-trust?pivots=identity-wif-apps-methods-azp

    If you have any further queries, please do let us know.

    If the answer is helpful, please click "Accept Answer" and "Upvote it."
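Added example for the "inspect the token" step in the answer above; this is not code from the answer or from Microsoft. The script decodes the payload of the projected service account token (no signature check, which Entra ID performs at exchange time) and compares iss, sub and aud with the values configured on the federated identity credential. It reports case-only mismatches separately, and it recognises the pattern in the question's AADSTS700212 text, where the presented aud is the cluster's API-server audience set rather than api://AzureADTokenExchange. The tokens, namespace and service account name are constructed; the issuer and cluster hostnames are copied from the error text in the question.

```python
import base64
import json
import time

TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
# Substrings that mark the cluster's own API-server audience: what the kubelet
# projects when no explicit audience was requested for the token volume.
API_SERVER_AUDIENCE_HINTS = ("azmk8s.io", "oic.prod-aks.azure.com")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(payload: dict) -> str:
    """Constructed JWT with a placeholder signature, for offline testing only."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "placeholder-signature",
    ])


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS without verifying the signature;
    this only shows what the pod presents, Entra ID does the verification."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def _compare(name: str, presented, expected: str, findings: list) -> None:
    if presented == expected:
        return
    if isinstance(presented, str) and presented.lower() == expected.lower():
        findings.append(f"{name}: case mismatch, token has {presented!r} but the "
                        f"credential has {expected!r} (comparison is case-sensitive)")
    else:
        findings.append(f"{name}: token has {presented!r}, credential expects {expected!r}")


def check_token_against_fic(token: str, fic_issuer: str, fic_subject: str, now=None) -> list:
    """Compare the token's iss/sub/aud with the federated identity credential (FIC)
    values; an empty list means the token would match that credential."""
    claims = decode_claims(token)
    findings = []
    _compare("iss", claims.get("iss"), fic_issuer, findings)
    _compare("sub", claims.get("sub"), fic_subject, findings)

    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if TOKEN_EXCHANGE_AUDIENCE not in aud_list:
        if any(hint in str(a) for a in aud_list for hint in API_SERVER_AUDIENCE_HINTS):
            findings.append(f"aud: token carries the cluster API-server audience {aud_list}; "
                            f"the token volume was not projected with audience {TOKEN_EXCHANGE_AUDIENCE}")
        else:
            findings.append(f"aud: {aud_list} does not contain {TOKEN_EXCHANGE_AUDIENCE}")

    exp = claims.get("exp")
    if exp is not None and exp < (time.time() if now is None else now):
        findings.append("exp: token has expired; re-read the projected file, the kubelet rotates it")
    return findings


# Constructed sample data. Issuer and cluster hostnames mirror the error text in
# the question; the namespace and service account names are made up.
ISSUER = ("https://uaenorth.oic.prod-aks.azure.com/"
          "8255a436-7c7d-43c2-b2f2-3d211e4f5a2d/3aa59942-3480-4b10-8d94-87d2c3d2142e/")
API_SERVER = "https://testcluster-dns-yj4107za.hcp.uaenorth.azmk8s.io"
SUBJECT = "system:serviceaccount:demo-ns:demo-sa"
FAR_FUTURE = 4102444800  # 2100-01-01, keeps the samples unexpired

# What the pod in the question presented: the default API-server audience set.
DEFAULT_AUDIENCE_TOKEN = make_sample_token({
    "iss": ISSUER, "sub": SUBJECT, "exp": FAR_FUTURE,
    "aud": [ISSUER, API_SERVER, "testcluster-dns-yj4107za.hcp.uaenorth.azmk8s.io"],
})
# What a correctly projected token looks like.
EXCHANGE_TOKEN = make_sample_token({
    "iss": ISSUER, "sub": SUBJECT, "exp": FAR_FUTURE, "aud": [TOKEN_EXCHANGE_AUDIENCE],
})

if __name__ == "__main__":
    for label, tok in (("default-audience", DEFAULT_AUDIENCE_TOKEN), ("exchange", EXCHANGE_TOKEN)):
        print(label, check_token_against_fic(tok, ISSUER, SUBJECT) or "OK")
```

In practice, replace the sample token with the file read by `kubectl exec <pod_name> -n <namespace> -- cat /var/run/secrets/azure/tokens/token`, and take the issuer and subject from the federated credential as shown in the portal or by `az identity federated-credential list --identity-name <identity> --resource-group <rg>`. An "aud" finding of the API-server kind points at the pod, not at the credential: the token volume was never projected with the exchange audience.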


  2. anashetty 660 Reputation points Microsoft Vendor
    2024-09-02T11:08:21.5833333+00:00

    Hi MKD,

    Thanks for getting back with the detailed explanation.

    Based on the information provided, here are some additional suggestions to help resolve the issue.

    Please check that the Kubernetes Service Account (SA) used by your pod is correctly annotated with the Azure AD workload identity details.

    To check the Annotation: kubectl get serviceaccount <serviceaccount-name> -n <namespace> -o yaml

    The Annotation should look like this:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: <serviceaccount-name>
      namespace: <namespace>
      annotations:
        azure.workload.identity/client-id: "<your-azure-ad-app-client-id>"

    Check the pod's YAML file; it should be configured like this. Check the token:

    apiVersion: v1
    kind: Pod
    metadata:
      name: <pod-name>
      namespace: <namespace>
    spec:
      serviceAccountName: <serviceaccount-name>
      containers:
      - name: <container-name>
        image: <image>
        volumeMounts:
        - mountPath: /var/run/secrets/azure/tokens
          name: azure-token
          readOnly: true
      volumes:
      - name: azure-token
        projected:
          sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 3600
              audience: api://AzureADTokenExchange

    If you have any further queries, please do let us know.

    If the answer is helpful, please click "Accept Answer" and "Upvote it."

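Added example for the manifest checks in the answer above; it is not code from the answer or from Microsoft. It takes the ServiceAccount and Pod objects as Python dicts shaped like `kubectl get ... -o json` output and reports what would stop the pod from presenting a token with the exchange audience: a missing azure.workload.identity/client-id annotation, a pod bound to a different service account or namespace, and a pod that has neither the azure.workload.identity/use="true" label from the linked AKS guide (which makes the mutating webhook inject the projected token) nor the manual projected volume shown in the answer. It also derives the Subject the federated credential must carry from the service account. The three sample pods and the service account are constructed.

```python
CLIENT_ID_ANNOTATION = "azure.workload.identity/client-id"
USE_LABEL = "azure.workload.identity/use"  # pod label from the linked AKS guide; triggers webhook injection
TOKEN_MOUNT_PATH = "/var/run/secrets/azure/tokens"
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def expected_subject(sa: dict) -> str:
    """The sub claim Kubernetes puts in this service account's tokens, i.e. the
    Subject the federated identity credential must carry (case-sensitive)."""
    meta = sa.get("metadata", {})
    return f"system:serviceaccount:{meta.get('namespace')}:{meta.get('name')}"


def projected_token_volumes(pod: dict):
    """Yield (volume name, audience) for each projected serviceAccountToken source."""
    for vol in pod.get("spec", {}).get("volumes", []):
        for src in vol.get("projected", {}).get("sources", []):
            sat = src.get("serviceAccountToken")
            if sat is not None:
                yield vol.get("name"), sat.get("audience")


def check_workload_identity(pod: dict, sa: dict) -> list:
    """Return findings; an empty list means the pod runs under the annotated
    service account and can present a token with the exchange audience."""
    findings = []
    meta, spec = pod.get("metadata", {}), pod.get("spec", {})
    sa_meta = sa.get("metadata", {})

    if not sa_meta.get("annotations", {}).get(CLIENT_ID_ANNOTATION):
        findings.append(f"ServiceAccount {sa_meta.get('name')!r} has no {CLIENT_ID_ANNOTATION} annotation")
    if spec.get("serviceAccountName") != sa_meta.get("name"):
        findings.append(f"pod uses serviceAccountName {spec.get('serviceAccountName')!r}, "
                        f"not {sa_meta.get('name')!r}")
    if meta.get("namespace") != sa_meta.get("namespace"):
        findings.append(f"pod namespace {meta.get('namespace')!r} differs from the "
                        f"ServiceAccount namespace {sa_meta.get('namespace')!r}")

    labeled = meta.get("labels", {}).get(USE_LABEL) == "true"
    exchange_volumes = {name for name, aud in projected_token_volumes(pod)
                        if aud == TOKEN_EXCHANGE_AUDIENCE}
    mounted = any(
        m.get("mountPath") == TOKEN_MOUNT_PATH and m.get("name") in exchange_volumes
        for c in spec.get("containers", []) for m in c.get("volumeMounts", [])
    )
    if not labeled and not mounted:
        findings.append(
            f'pod has neither the {USE_LABEL}="true" label nor a projected token volume with '
            f"audience {TOKEN_EXCHANGE_AUDIENCE} mounted at {TOKEN_MOUNT_PATH}; the app will "
            "present the default API-server-audience token and the exchange is rejected"
        )
    return findings


# Constructed sample objects (names and client-id placeholder are made up).
SA = {"apiVersion": "v1", "kind": "ServiceAccount",
      "metadata": {"name": "demo-sa", "namespace": "demo-ns",
                   "annotations": {CLIENT_ID_ANNOTATION: "<your-azure-ad-app-client-id>"}}}


def _pod(labels=None, volumes=(), mounts=()):
    return {"apiVersion": "v1", "kind": "Pod",
            "metadata": {"name": "demo-pod", "namespace": "demo-ns", "labels": labels or {}},
            "spec": {"serviceAccountName": "demo-sa",
                     "containers": [{"name": "app", "image": "example.invalid/app:1",
                                     "volumeMounts": list(mounts)}],
                     "volumes": list(volumes)}}


# Mirrors the manual projected-volume manifest in the answer above.
POD_MANUAL = _pod(
    volumes=[{"name": "azure-token", "projected": {"sources": [{"serviceAccountToken": {
        "path": "token", "expirationSeconds": 3600, "audience": TOKEN_EXCHANGE_AUDIENCE}}]}}],
    mounts=[{"name": "azure-token", "mountPath": TOKEN_MOUNT_PATH, "readOnly": True}],
)
# Relies on the mutating webhook instead of a hand-written volume.
POD_LABELED = _pod(labels={USE_LABEL: "true"})
# Neither: this pod only has the default service-account token.
POD_BARE = _pod()

if __name__ == "__main__":
    print("expected FIC subject:", expected_subject(SA))
    for label, pod in (("manual", POD_MANUAL), ("labeled", POD_LABELED), ("bare", POD_BARE)):
        print(label, check_workload_identity(pod, SA) or "OK")
```

Feed it the JSON from `kubectl get pod <pod-name> -n <namespace> -o json` and `kubectl get serviceaccount <serviceaccount-name> -n <namespace> -o json` (loaded with json.load) to run it against a live cluster; the "bare" case is the one that produces a token whose aud is the API server, as in the question.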
