google cloud IAM workload identity federation with azure ad 'app registration'/'enterprise applications'
I'm trying to set up an Azure AD 'Enterprise Application' to access Google Cloud from myapps.microsoft.com for both identity and access.
I set up workload identity federation as described in https://cloud.google.com/iam/docs/configuring-workload-identity-federation#azure , however authentication is not working, with the error below.
gcloud auth login --cred-file="/Users/pavan-mac/Downloads/clientLibraryConfig-aad-oidc.json"
ERROR: gcloud crashed (TransportError): HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fiam.googleapis.com%2Fprojects%<removed>%2Flocations%2Fglobal%2FworkloadIdentityPools%2Faad-integration%2Fproviders%2Faad-oidc (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7feb69c80a10>: Failed to establish a new connection: [Errno 60] Operation timed out'))
2 questions:
Since you are using the CLI outside of an Azure Virtual Machine, you do not have access to an Azure Managed Identity. That is the reason for the error regarding the metadata server 169.254.169.254/metadata/identity/oauth2/token
One of the requirements/options for Workload Identity Federation is to create or assign a managed identity to the resource you are running the Google Cloud CLI on.
Preparing the external identity provider
To let an application obtain access tokens for the Azure AD application, you can use managed identities
In this Google document a trick is demonstrated that requires you to fetch an Access Token yourself from the Azure instance metadata service and paste that into the assertion. I have not tried that technique, but it would mean that every time the token expires you would need to repeat the process.
curl \
"http://169.254.169.254/metadata/identity/oauth2/token?resource=APP_ID_URI&api-version=2018-02-01" \
-H "Metadata: true" | jq -r .access_token
Obtain an access token from the Azure Instance Metadata Service (IMDS)
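The following is an added example (Python) that is not code from the question, the answer, or Google's documentation. It shows the mechanism behind the error: the credential configuration file that `gcloud auth login --cred-file` reads is an `external_account` config whose `credential_source.url` is the Azure IMDS token endpoint, so the client library tries to reach 169.254.169.254 exactly as the curl command above does, and that only works on an Azure VM with a managed identity. The config JSON is a constructed sample in the documented layout; the project number `123456789012` is a placeholder (the pool and provider names `aad-integration` and `aad-oidc` are the ones from the error message), and the helper functions `build_imds_token_url`, `imds_resource`, `subject_token_source`, `audience_matches_resource` and `diagnose` are hypothetical names introduced here. The audience check is included because the token IMDS returns is minted for the `resource` value, and STS rejects it if that does not line up with the config's `audience`.

```python
"""Added example (not code from the question or the answer above).

Illustrates why `gcloud auth login --cred-file=...` reached 169.254.169.254:
a credential configuration generated for Azure tells the Google client
library to fetch the subject token from the Azure Instance Metadata Service
(IMDS), which only answers on an Azure VM that has a managed identity.
The config JSON, project number and helper names below are constructed
placeholders in the documented "external_account" layout.
"""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

IMDS_HOST = "169.254.169.254"
IMDS_TOKEN_PATH = "/metadata/identity/oauth2/token"

# Constructed: the Application ID URI the provider expects as `resource`
# (project number is a placeholder; pool/provider names are from the error).
APP_ID_URI = ("https://iam.googleapis.com/projects/123456789012/locations/global/"
              "workloadIdentityPools/aad-integration/providers/aad-oidc")

# Constructed sample of clientLibraryConfig-aad-oidc.json with an IMDS source.
SAMPLE_CRED_CONFIG = json.dumps({
    "type": "external_account",
    "audience": APP_ID_URI.replace("https:", "", 1),  # "//iam.googleapis.com/..."
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "url": f"http://{IMDS_HOST}{IMDS_TOKEN_PATH}"
               f"?api-version=2018-02-01&resource={APP_ID_URI}",
        "headers": {"Metadata": "True"},
        "format": {"type": "json", "subject_token_field_name": "access_token"},
    },
})


def build_imds_token_url(app_id_uri: str) -> str:
    """Build the IMDS request the curl command issues, with `resource`
    percent-encoded the way it shows up in the gcloud TransportError."""
    query = urlencode({"api-version": "2018-02-01", "resource": app_id_uri})
    return f"http://{IMDS_HOST}{IMDS_TOKEN_PATH}?{query}"


def imds_resource(url: str) -> str:
    """Decode the `resource` (the provider's Application ID URI) out of an
    IMDS token URL such as the one quoted in the error message."""
    return parse_qs(urlsplit(url).query)["resource"][0]


def subject_token_source(cred_config_json: str) -> dict:
    """Classify where the config reads its subject token from: 'imds' (Azure
    metadata endpoint), 'url' (another HTTP endpoint) or 'file' (a token
    written to disk, e.g. one fetched manually with curl)."""
    source = json.loads(cred_config_json)["credential_source"]
    if "file" in source:
        return {"kind": "file", "location": source["file"]}
    host = urlsplit(source["url"]).hostname
    return {"kind": "imds" if host == IMDS_HOST else "url",
            "location": source["url"]}


def audience_matches_resource(cred_config_json: str) -> bool:
    """IMDS mints the token for `resource`; STS accepts it only when that
    equals the config's audience with the scheme prefixed."""
    config = json.loads(cred_config_json)
    if "url" not in config["credential_source"]:
        return True  # nothing to compare for a file-based source
    return imds_resource(config["credential_source"]["url"]) == "https:" + config["audience"]


def diagnose(cred_config_json: str, on_azure_vm_with_managed_identity: bool) -> str:
    """State, before running gcloud, whether this config can work here."""
    source = subject_token_source(cred_config_json)
    if source["kind"] == "imds" and not on_azure_vm_with_managed_identity:
        return ("needs-managed-identity: credential_source points at IMDS "
                f"({source['location']}); outside an Azure VM with a managed "
                "identity the request to 169.254.169.254 times out")
    if not audience_matches_resource(cred_config_json):
        return "audience-mismatch: IMDS resource does not match the config audience"
    return "ok"


if __name__ == "__main__":
    # Run from a laptop, as in the question, this reports the IMDS problem.
    print(diagnose(SAMPLE_CRED_CONFIG, on_azure_vm_with_managed_identity=False))
```

Running `diagnose` on the real `clientLibraryConfig-aad-oidc.json` before calling gcloud tells you whether the failure is the environment (no managed identity reachable) rather than the pool or provider setup, and the `file` branch is the shape a config takes when the subject token is supplied from disk instead of fetched from IMDS.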