Azure Workload Identity Get token issue

Dipten Halder 0 Reputation points
2024-01-17T07:22:14.97+00:00

Hello Team, I am trying to set up passwordless authentication on PostgreSQL using workload identity. I am following the URL below.



But the pod is failing. Here is the error.

2024-01-17 07:09:24,145 INFO [com.azure.identity.ManagedIdentityCredential] (ForkJoinPool.commonPool-worker-1) Azure Identity => Managed Identity environment: AZURE AKS TOKEN EXCHANGE
2024-01-17 07:09:24,145 INFO [com.azure.identity.ManagedIdentityCredential] (ForkJoinPool.commonPool-worker-1) Azure Identity => getToken() result for scopes [https://ossrdbms-aad.database.windows.net/.default]: SUCCESS
2024-01-17 07:09:24,145 INFO [com.azure.identity.ChainedTokenCredential] (ForkJoinPool.commonPool-worker-1) Azure Identity => Attempted credential ManagedIdentityCredential returns a token
2024-01-17 07:09:24,146 FINE [org.postgresql.Driver] (agroal-11) Connection error: : org.postgresql.util.PSQLException: Unable to acquire access token


The pod already has the environment set up.

Environment:
      DBHOST:                      bm-kc-db
      DBNAME:                      keycloak
      AZURE_MI_NAME:               bm-sandbox-user
      AZURE_CLIENT_ID:             a03ccccc24-36bb-44f8-8ccc6-3hhhfff3f5b0
      AZURE_TENANT_ID:             edfxxxxf5-b994-4c86-a131-xxxxx
      AZURE_FEDERATED_TOKEN_FILE:  /var/run/secrets/azure/tokens/azure-identity-token
      AZURE_AUTHORITY_HOST:        https://login.microsoftonline.com/
Azure Kubernetes Service (AKS)

1 answer

  1. deherman-MSFT 37,876 Reputation points Microsoft Employee
    2024-01-19T17:56:31.3866667+00:00

    @Dipten Halder
    Please check the following; if it doesn't resolve your issue, please let me know and we can work with you directly to investigate further:

    • Check the environment variables: Make sure the pod has the correct environment variables set up for the managed identity, such as AZURE_CLIENT_ID, AZURE_TENANT_ID, and AZURE_AUTHORITY_HOST. You can use the kubectl exec command to inspect the pod’s environment variables.
    • Verify the managed identity: Ensure that the pod has a valid managed identity assigned to it, and that the identity has the appropriate permissions to access the PostgreSQL database. You can use the kubectl get azureidentity and kubectl get azureidentitybinding commands to check the identity and binding status.
    • Test the access token: Try to obtain an access token from the pod using the az login and az account get-access-token commands. If the token is successfully retrieved, use it to connect to the PostgreSQL database using a tool like psql or pgAdmin. If the token is invalid or expired, you may need to refresh it or troubleshoot the token exchange service.
    • Review the logs: Examine the logs of the pod and the PostgreSQL database to look for any errors or warnings related to the authentication or connection. You can use the kubectl logs command to view the pod’s logs, and the Azure portal to access the database’s logs.
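As an added example that is not part of the question or the answer above: a small Python check covering the first two troubleshooting steps, the injected environment variables and the projected service-account token the pod exchanges for an Entra token. It assumes the file named by AZURE_FEDERATED_TOKEN_FILE holds a JWT whose audience must be api://AzureADTokenExchange, and it builds a constructed, unsigned token inline so it runs offline; in a real pod, pass os.environ and the contents of that file instead.

```python
import base64
import json
import time

# Variables the AKS workload-identity webhook injects (as listed in the question).
REQUIRED_ENV = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID",
                "AZURE_FEDERATED_TOKEN_FILE", "AZURE_AUTHORITY_HOST")
# Audience Entra ID requires on the projected service-account token.
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"

def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature (inspection only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def check_workload_identity(env: dict, token: str, now: float) -> list:
    """List problems with the pod-side setup; an empty list means it looks correct."""
    problems = [f"missing env var {n}" for n in REQUIRED_ENV if not env.get(n)]
    if not env.get("AZURE_AUTHORITY_HOST", "").startswith("https://"):
        problems.append("AZURE_AUTHORITY_HOST must be an https:// URL")
    claims = decode_jwt_claims(token)
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in auds:
        problems.append(f"token audience {auds} is not {EXPECTED_AUDIENCE}")
    if claims.get("exp", 0) <= now:
        problems.append("projected token has expired; kubelet should have rotated it")
    if not str(claims.get("sub", "")).startswith("system:serviceaccount:"):
        problems.append("token subject is not a Kubernetes service account")
    return problems

def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration only."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    # Constructed sample; in a pod use os.environ and read env["AZURE_FEDERATED_TOKEN_FILE"].
    env = {n: "<placeholder>" for n in REQUIRED_ENV}
    env["AZURE_AUTHORITY_HOST"] = "https://login.microsoftonline.com/"
    token = make_unsigned_jwt({"aud": EXPECTED_AUDIENCE, "exp": int(time.time()) + 3600,
                               "sub": "system:serviceaccount:default:workload-sa"})
    print(check_workload_identity(env, token, time.time()) or "pod-side setup looks OK")
```

A clean result here only shows the pod side is wired correctly; the federated credential on the user-assigned identity and the database role mapping are checked on the Azure side.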
