AKS Python app pod using Workload Identity fails to use ManagedIdentity

Elad Tal 1 Reputation point Microsoft Employee
2023-10-06T08:10:38.42+00:00
Source code repo: azure-aks-scaler/app/azure_connector.py at main · eladtpro/azure-aks-scaler (github.com)

I am deploying a demo Python app that uses the "azure.mgmt.containerservice" library for executing management operations on Azure Kubernetes Service.
In this app I demonstrate two types of authentication:
Authenticate using Application (for local development): using a client ID with a client secret (DefaultAzureCredential).
Authenticate using ManagedIdentity (for running on AKS): using a Managed Identity with the client ID only (ManagedIdentityCredential).

The Managed Identity has federated credentials defined and mapped to an AKS service account, and the following role assignments:
Resource Group: Contributor
AKS: Azure Kubernetes Service RBAC Cluster Admin

I have successful results when using the "DefaultAzureCredential" which uses AZURE_CLIENT_ID and AZURE_CLIENT_SECRET environment variables like in the following code:
    from azure.identity import DefaultAzureCredential
    from azure.mgmt.containerservice import ContainerServiceClient

    creds = ContainerServiceClient(
        DefaultAzureCredential(), AzureConfig.SUBSCRIPTION_ID)

But when I try to use ManagedIdentityCredential while passing the Managed Identity client ID, like in the following code, I get an error:

    from azure.identity import ManagedIdentityCredential
    from azure.mgmt.containerservice import ContainerServiceClient

    creds = ContainerServiceClient(
        ManagedIdentityCredential(client_id=client_id), AzureConfig.SUBSCRIPTION_ID)

As a result I get the following error:
"azure.identity._exceptions.CredentialUnavailableError: ManagedIdentityCredential authentication unavailable. The requested identity has not been assigned to this resource"

What am I missing?
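The credential-selection problem described in the question, as an added example that is not code from the eladtpro/azure-aks-scaler repository: a preflight that checks whether the AKS workload identity webhook actually injected its variables and projected token file into the pod before a credential is built, and falls back to the client-secret path otherwise. It assumes an azure-identity release that ships WorkloadIdentityCredential; the service-account token used in the check is constructed test data, and the function names are this example's own.

```python
import base64
import json
import os
import time

# Injected by the AKS workload identity webhook into pods labelled
# azure.workload.identity/use: "true" (it also injects AZURE_AUTHORITY_HOST).
WORKLOAD_IDENTITY_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    """Constructed test data only: a JWT-shaped string with an empty signature."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def decode_jwt_claims(token: str) -> dict:
    """Read payload claims WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def workload_identity_preflight(env, now=None) -> dict:
    """Report whether this pod can use WorkloadIdentityCredential, else why not."""
    now = time.time() if now is None else now
    missing = [v for v in WORKLOAD_IDENTITY_VARS if not env.get(v)]
    if missing:
        # Without these, azure-identity's ManagedIdentityCredential falls back to
        # IMDS (169.254.169.254), the source of "identity has not been assigned".
        return {"ok": False, "reason": f"webhook did not inject {missing}; check the pod label"}
    path = env["AZURE_FEDERATED_TOKEN_FILE"]
    if not os.path.isfile(path):
        return {"ok": False, "reason": f"token file {path} is not mounted"}
    with open(path) as f:
        claims = decode_jwt_claims(f.read().strip())
    if claims.get("exp", 0) <= now:
        return {"ok": False, "reason": "projected token expired; kubelet normally rotates it"}
    return {"ok": True, "client_id": env["AZURE_CLIENT_ID"], "subject": claims.get("sub"), "audience": claims.get("aud")}

def build_credential(env=None):
    """Pick the credential matching the injected config, else the question's client-secret path."""
    env = os.environ if env is None else env
    from azure.identity import ClientSecretCredential, WorkloadIdentityCredential
    if workload_identity_preflight(env)["ok"]:
        return WorkloadIdentityCredential(tenant_id=env["AZURE_TENANT_ID"],
            client_id=env["AZURE_CLIENT_ID"], token_file_path=env["AZURE_FEDERATED_TOKEN_FILE"])
    return ClientSecretCredential(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"], env["AZURE_CLIENT_SECRET"])
```

Running `workload_identity_preflight(os.environ)` inside the failing pod tells you whether the webhook mutated it at all, which separates a missing pod label from a wrong federated-credential subject.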

1 answer

  1. vipullag-MSFT 26,487 Reputation points Moderator
    2023-10-16T04:10:21.3466667+00:00

    Hello Elad Tal

    Welcome to Microsoft Q&A Platform, thanks for posting your query here.

    Based on internal team suggestion, summarizing below:

    The error “The requested identity has not been assigned to this resource" means that the user-assigned managed identity (MI) referred to by the client_id hasn’t been assigned to your Azure VM yet.

    Managed Identity uses IMDS to get an access token. You can test it from your Azure VM’s Linux shell by running the command below to query IMDS directly and see whether you can get an access token using the same client_id.

        CLIENT_ID=<MI_client_id>
        curl "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fmanagement.azure.com%2F&client_id=${CLIENT_ID}" -H Metadata:true -s

    If the Managed Identity is assigned to the VM correctly, you should get an access token. Otherwise, you will get an “Identity not found” error.

    Please refer to the document below to assign a user-assigned Managed Identity to a VM:

    https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm#assign-a-user-assigned-managed-identity-to-an-existing-azure-vm

    Hope this helps.
    If the suggested response helped you resolve your issue, please 'Accept as answer', so that it can help others in the community looking for help on similar topics.

