I'm trying to set up an Azure AD 'Enterprise Application' to access Google Cloud from myapps.microsoft.com for both identity and access.
I set up workload identity federation as described in https://cloud.google.com/iam/docs/configuring-workload-identity-federation#azure, however authentication is not working, with the error below.
gcloud auth login --cred-file="/Users/pavan-mac/Downloads/clientLibraryConfig-aad-oidc.json"
ERROR: gcloud crashed (TransportError): HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fiam.googleapis.com%2Fprojects%<removed>%2Flocations%2Fglobal%2FworkloadIdentityPools%2Faad-integration%2Fproviders%2Faad-oidc (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7feb69c80a10>: Failed to establish a new connection: [Errno 60] Operation timed out'))
2 questions:
Since you are using the CLI outside of an Azure Virtual Machine, you do not have access to an Azure Managed Identity. That is the reason for the error regarding the metadata server 169.254.169.254/metadata/identity/oauth2/token
One of the requirements/options for Workload Identity Federation is to create or assign a managed identity to the resource you are running the Google Cloud CLI on.
Preparing the external identity provider
To let an application obtain access tokens for the Azure AD application, you can use managed identities.
In this Google document, a trick is demonstrated that requires you to fetch an access token yourself from the Azure Instance Metadata Service and paste that into the assertion. I have not tried that technique, but it would mean that every time the token expires you would need to repeat the process.
curl \
"http://169.254.169.254/metadata/identity/oauth2/token?resource=APP_ID_URI&api-version=2018-02-01" \
-H "Metadata: true" | jq -r .access_token
Obtain an access token from the Azure Instance Metadata Service (IMDS)