
Google Cloud IAM workload identity federation with Azure AD 'app registration'/'enterprise applications'

I'm trying to set up an Azure AD 'Enterprise Application' to access Google Cloud from myapps.microsoft.com for both identity and access.

I set up workload identity federation as described in https://cloud.google.com/iam/docs/configuring-workload-identity-federation#azure , however authentication is not working, with the error below.

gcloud auth login --cred-file="/Users/pavan-mac/Downloads/clientLibraryConfig-aad-oidc.json"

ERROR: gcloud crashed (TransportError): HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fiam.googleapis.com%2Fprojects%<removed>%2Flocations%2Fglobal%2FworkloadIdentityPools%2Faad-integration%2Fproviders%2Faad-oidc (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7feb69c80a10>: Failed to establish a new connection: [Errno 60] Operation timed out'))

2 questions:

  1. I suspect the issue is around attribute mapping. What's the ideal config to specify attributes when using the Azure AD OIDC provider?
  2. I would like to be able to assign users/groups in the Azure AD enterprise application to mapped roles in Google Cloud (say, owner/editor/viewer roles) using the workload federation feature in GCP. Can someone help me understand how to link the roles from Azure AD to a service account in GCP with the correct attribute mapping?

Since you are using the CLI outside of an Azure Virtual Machine you do not have access to an Azure Managed Identity. That is the reason for the error regarding the metadata server 169.254.169.254/metadata/identity/oauth2/token.

One of the requirements/options for Workload Identity Federation is to create or assign a managed identity to the resource you are running the Google Cloud CLI on.

Preparing the external identity provider

To let an application obtain access tokens for the Azure AD application, you can use managed identities

In this Google document a trick is demonstrated that requires you to fetch an Access Token yourself from the Azure instance metadata service and paste that into the assertion. I have not tried that technique, but it would mean every time the token expires you would need to repeat the process.

curl \
  "http://169.254.169.254/metadata/identity/oauth2/token?resource=APP_ID_URI&api-version=2018-02-01" \
  -H "Metadata: true" | jq -r .access_token

Obtain an access token from the Azure Instance Metadata Service (IMDS)
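The flow the answer describes, as an added example that is not part of the question, the answer, or Google's client libraries: it reads a credential config of the same shape as the `clientLibraryConfig-*.json` that gcloud consumes (a constructed sample with placeholder project number and APP_ID_URI), checks whether the subject token would come from Azure IMDS (which only answers inside an Azure VM with a managed identity, so a timeout off-VM is reported plainly instead of as a crash), and performs the STS token exchange by hand. Service-account impersonation via generateAccessToken is left out to keep the example short.

```python
"""Manual WIF exchange: Azure IMDS token -> Google STS federated token."""
import json
import urllib.parse
import urllib.request

IMDS_HOST = "169.254.169.254"

# Constructed sample in the external_account config format; PROJECT_NUMBER,
# the pool/provider names and APP_ID_URI are placeholders, not real values.
SAMPLE_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/"
                "workloadIdentityPools/aad-integration/providers/aad-oidc",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "url": "http://169.254.169.254/metadata/identity/oauth2/token?"
               "api-version=2018-02-01&resource=APP_ID_URI",
        "headers": {"Metadata": "True"},
        "format": {"type": "json", "subject_token_field_name": "access_token"},
    },
}

def uses_imds(config):
    """True when the subject token is sourced from Azure IMDS (VM-only)."""
    url = config.get("credential_source", {}).get("url", "")
    return urllib.parse.urlparse(url).hostname == IMDS_HOST

def sts_exchange_body(config, azure_token):
    """Form body of the RFC 8693 token exchange that gcloud sends to STS."""
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:token-exchange",
        "audience": config["audience"],
        "scope": "https://www.googleapis.com/auth/cloud-platform",
        "requested_token_type": "urn:ietf:params:oauth:token-type:access_token",
        "subject_token_type": config["subject_token_type"],
        "subject_token": azure_token,
    }

def fetch_imds_token(config, timeout=2):
    """Ask IMDS for the managed identity's token; short timeout off-VM."""
    src = config["credential_source"]
    req = urllib.request.Request(src["url"], headers=src["headers"])
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)[src["format"]["subject_token_field_name"]]

def federate(config, azure_token):
    """Exchange the Azure token for a Google federated access token."""
    data = urllib.parse.urlencode(sts_exchange_body(config, azure_token)).encode()
    with urllib.request.urlopen(config["token_url"], data=data) as resp:
        return json.load(resp)["access_token"]

if __name__ == "__main__":
    try:
        token = fetch_imds_token(SAMPLE_CONFIG) if uses_imds(SAMPLE_CONFIG) else None
    except OSError as exc:  # timeout or refused: not on an Azure VM
        raise SystemExit(f"IMDS unreachable ({exc}); run on an Azure VM with a managed identity")
    print("federated token obtained" if token and federate(SAMPLE_CONFIG, token) else "no IMDS source")
```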
