Connect to Azure Database for PostgreSQL using Azure Workload Identity

[schwichti]

Hi,

is it possible to use Azure Workload Identites to connect to Azure Database for PostgreSQL?
I have the following in mind:

• Create a user managed identity in AAD
• create a service account and link it to the client id associated with the managed identity
• set this service account only for the pods that needs database access

In general, it is possible to connect to Postgresql server using an managed identity as described here: https://learn.microsoft.com/en-us/azure/postgresql/single-server/how-to-connect-with-managed-identity. However, if I create the identity on my own (which I do not assign to the k8s node vms) I cannot get an access token. When I try to get an access token, I get the following error:

wget -O response.json --header='Metadata: true' 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fossrdbms-aad.database.windows.net&client_id=xxxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx'
Connecting to 169.254.169.254:80... connected.
HTTP request sent, awaiting response... 400 Bad Request
2023-04-18 22:01:59 ERROR 400: Bad Request.

I am able to get an access token if I use the managed identity assigned to the k8s nodes. But I do not want this because that means that all pods could get an access token. But I want to give access just to a single pod.

Here you find the steps to reproduce: dspace-group/simphera-reference-architecture-azure#84

[aramase]

I am able to get an access token if I use the managed identity assigned to the k8s nodes. But I do not want this because that means that all pods could get an access token. But I want to give access just to a single pod.

Workload Identity Federation (WIF) doesn't rely on the (169.254.169.254) IMDS, so this step isn't valid if you're using WIF.

From the code perspective, as long as you're using the minimum required Azure Identity SDK version , WIF will work.

[schwichti]

That's truely sad, because I'd happily do without the SDK as it is cloud vendor-specific

[aramase]

@schwichti I'm not sure what you're trying to achieve in this case. The doc shared does have code snippet with DefaultAzureCredential. Are you just looking for a way to get an access token for a managed identity with WIF?

[schwichti]

Yes, but the access token from 169.254.169.254 wont work and I would like to avoid introducing the SDK to the services.

[aramase]

If you're inside the pod that is mutated by the Azure Workload Identity mutating webhook (mwh), you can run the following command to login and get an access token

az login --identity -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $(cat $AZURE_FEDERATED_TOKEN_FILE)
az account get-access-token --resource=<resource url> --query accessToken --output tsv

[schwichti]

Thanks. Looks interesting. I will try that.