
google cloud IAM workload identity federation with azure ad 'app registration'/'enterprise applications'

I'm trying to set up an Azure AD 'Enterprise Application' to access Google Cloud from myapps.microsoft.com for both identity and access.

I set up workload identity federation as described in https://cloud.google.com/iam/docs/configuring-workload-identity-federation#azure; however, authentication is not working and fails with the error below.

gcloud auth login --cred-file="/Users/pavan-mac/Downloads/clientLibraryConfig-aad-oidc.json"

ERROR: gcloud crashed (TransportError): HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fiam.googleapis.com%2Fprojects%<removed>%2Flocations%2Fglobal%2FworkloadIdentityPools%2Faad-integration%2Fproviders%2Faad-oidc (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7feb69c80a10>: Failed to establish a new connection: [Errno 60] Operation timed out'))

2 questions:

  1. I suspect the issue is around attribute mapping. What's the ideal config to specify attributes when using Azure AD OIDC provider?
  2. I would like to be able to assign users/groups in Azure AD enterprise application with mapped roles in google cloud (say, owner/editor/viewer roles) using workload federation feature in GCP. Can someone help me understand how to link the roles from azure ad to service account in GCP with correct attributes mapping?

Since you are using the CLI outside of an Azure Virtual Machine, you do not have access to an Azure Managed Identity. That is the reason for the error regarding the metadata server 169.254.169.254/metadata/identity/oauth2/token.

One of the requirements/options for Workload Identity Federation is to create or assign a managed identity to the resource you are running the Google Cloud CLI on.

Preparing the external identity provider

To let an application obtain access tokens for the Azure AD application, you can use managed identities

In this Google document a trick is demonstrated that requires you to fetch an Access Token yourself from the Azure instance metadata service and paste that into the assertion. I have not tried that technique, but it would mean that every time the token expires you would need to repeat the process.

curl \
  "http://169.254.169.254/metadata/identity/oauth2/token?resource=APP_ID_URI&api-version=2018-02-01" \
  -H "Metadata: true" | jq -r .access_token

Obtain an access token from the Azure Instance Metadata Service (IMDS)
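The error in the question comes from the `credential_source.url` in the generated client library config, which points gcloud at the Azure IMDS endpoint. The following is an added example, not code from the question or the answer above: it inspects a constructed stand-in for that config, rewrites it to a file-sourced credential (the supported way to use a token fetched by hand, as the answer describes), and checks that a token's `aud` claim matches the resource the provider config requests. PROJECT_NUMBER, APP_ID_URI, the pool/provider ids and the sample token are placeholders, not values from the page.

```python
import base64
import json
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for the clientLibraryConfig JSON gcloud writes for an Azure
# provider; PROJECT_NUMBER and APP_ID_URI are placeholders, not values from the page.
AZURE_IMDS_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/PROJECT_NUMBER/locations/global/workloadIdentityPools/aad-integration/providers/aad-oidc",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {
        "url": "http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=APP_ID_URI",
        "headers": {"Metadata": "True"},
        "format": {"type": "json", "subject_token_field_name": "access_token"},
    },
}

def imds_resource(config):
    """Azure resource (token audience) gcloud would request from IMDS, or None when the
    credential source is not the metadata endpoint 169.254.169.254."""
    parsed = urlparse(config.get("credential_source", {}).get("url", ""))
    if parsed.hostname != "169.254.169.254":
        return None
    return parse_qs(parsed.query).get("resource", [None])[0]

def to_file_sourced(config, token_path):
    """Copy of the config that reads the subject token from a file instead of IMDS, for
    use off an Azure VM with a token fetched by hand (it must be replaced when it expires)."""
    out = json.loads(json.dumps(config))
    fmt = out["credential_source"].get("format", {"type": "text"})
    out["credential_source"] = {"file": token_path, "format": fmt}
    return out

def jwt_claims(token):
    """Decode a JWT payload without verifying the signature, to inspect aud/iss/sub."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def token_matches_provider(token, config):
    """True when the token's aud is the resource the provider's IMDS request names."""
    return jwt_claims(token).get("aud") == imds_resource(config)

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample standing in for a real Azure access token.
SAMPLE_TOKEN = ".".join([_b64url({"alg": "none"}), _b64url({"aud": "APP_ID_URI", "sub": "user-1"}), ""])
```

With the file-sourced config, the token file must contain the JSON response from the curl command above (the `access_token` field is read from it), and the whole exchange still needs network access to sts.googleapis.com when gcloud runs.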
