Deploying AKS in Azure with federatedIdentityCredentials in a single-subscription deployment

kb5ga3dv  published on 2023-05-29  in  Other

I have been struggling with this for 2 days, with multiple queries to ChatGPT, to no avail. Basically, I want to write an Azure ARM template that deploys 3 things:
1. A "Microsoft.ContainerService/managedClusters" with oidc enabled
2. A "Microsoft.ManagedIdentity/userAssignedIdentities"
3. And finally 2x "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials", so that I can grab the oidc profile issuer URL and feed it to the federatedIdentityCredentials properties
along the lines of:
"issuer": "[reference(resourceId('Microsoft.ContainerService/managedClusters', parameters('clusterName')), '2021-03-01').addonProfiles.aciConnectorLinux.config.customHeaders['Authorization'].Issuer]"
My main problems are:

  • The first time I deployed this cluster, the oidc profile was not enabled, even though I supplied "enableRBAC": true and "oidcIssuerProfile": {"enabled": "true"}
  • When I tried the azure cli, the show command showed no issuer url. I don't want to use the update command to enable it and only then install the federated credentials.

Is there a limitation in Azure ARM templates whereby the Issuer URL cannot be accessed before the cluster is deployed?

cs7cruho (answer 1):

The issuer URL is not available until after deployment.
I have a sample that shows all 3 steps you are trying to do: in the first stage I create the cluster, and after it is created I create the user-assigned id with the fed cred properties.

```bicep
// Parameters used by the sample (the values match the generated ARM JSON)
param location string = resourceGroup().location
param nameseed string = 'myenv'

// 'aksconst' is the module that deploys the OIDC-enabled cluster and exposes
// the issuer URL and audiences as outputs; its definition is not shown here.

resource app1id 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
  name: 'id-app1'
  location: location

  // Nested resource: it inherits the parent's API version, and the reference to
  // the module outputs makes it wait until the cluster exists, so the issuer URL
  // is read after deployment rather than before
  resource fedCreds 'federatedIdentityCredentials' = {
    name: '${nameseed}-app1'
    properties: {
      audiences: aksconst.outputs.aksOidcFedIdentityProperties.audiences
      issuer: aksconst.outputs.aksOidcFedIdentityProperties.issuer
      subject: 'system:serviceaccount:app1:app1-workloadidapp1'
    }
  }
}
output idApp1ClientId string = app1id.properties.clientId
output idApp1Id string = app1id.id
```

Note that my sample is written in Bicep (which a. gives a better authoring experience than ARM, and b. compiles down to ARM anyway).
This is what the ARM JSON looks like (I just generated it with bicep build myfile.bicep):

```json
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "metadata": {
    "_generator": {
      "name": "bicep",
      "version": "0.15.31.15270",
      "templateHash": "3913907296451853014"
    }
  },
  "parameters": {
    "location": {
      "type": "string",
      "defaultValue": "[resourceGroup().location]"
    },
    "nameseed": {
      "type": "string",
      "defaultValue": "myenv"
    }
  },
  "resources": [
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials",
      "apiVersion": "2022-01-31-preview",
      "name": "[format('{0}/{1}', 'id-app1', format('{0}-app1', parameters('nameseed')))]",
      "properties": {
        "audiences": [
          "api://AzureADTokenExchange"
        ],
        "issuer": "[reference(resourceId('Microsoft.ContainerService/managedClusters', 'aks'), '2023-03-02-preview').oidcIssuerProfile.issuerURL]",
        "subject": "system:serviceaccount:app1:app1-workloadidapp1"
      },
      "dependsOn": [
        "[resourceId('Microsoft.ContainerService/managedClusters', 'aks')]",
        "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'id-app1')]"
      ]
    },
    {
      "type": "Microsoft.ContainerService/managedClusters",
      "apiVersion": "2023-03-02-preview",
      "name": "aks",
      "location": "[parameters('location')]",
      "properties": {
        "enableRBAC": true,
        // The issuer must be enabled on the cluster, otherwise oidcIssuerProfile.issuerURL
        // referenced above is empty and the federated credential deployment fails
        "oidcIssuerProfile": {
          "enabled": true
        },
        "networkProfile": {
          "networkPlugin": "azure"
        }
      }
    },
    {
      "type": "Microsoft.ManagedIdentity/userAssignedIdentities",
      "apiVersion": "2022-01-31-preview",
      "name": "id-app1",
      "location": "[parameters('location')]"
    }
  ],
  "outputs": {
    "idApp1ClientId": {
      "type": "string",
      "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'id-app1'), '2022-01-31-preview').clientId]"
    },
    "idApp1Id": {
      "type": "string",
      "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', 'id-app1')]"
    }
  }
}
```
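The three resources the question asks for (OIDC-enabled cluster, user-assigned identity, and two federated credentials) can go into a single Bicep deployment without a separate update step, because a reference to `aks.properties.oidcIssuerProfile.issuerURL` creates an implicit dependency and is evaluated only after the cluster exists. The following is an added example written for this page; it is not the answerer's sample or the asker's template. The cluster and identity names, the node pool size, and the two service accounts are assumptions; the API versions for the cluster are the ones used in the answer above.

```bicep
// Added example: one deployment for cluster + identity + federated credentials.
// Names, node pool and service accounts below are assumptions for illustration.
param location string = resourceGroup().location
param nameseed string = 'myenv'
param clusterName string = 'aks-${nameseed}'

// Service accounts allowed to exchange their projected token for this identity.
// Each entry becomes one federated credential (assumed namespaces and names).
param workloadSubjects array = [
  { namespace: 'app1', serviceAccount: 'app1-sa' }
  { namespace: 'app2', serviceAccount: 'app2-sa' }
]

resource aks 'Microsoft.ContainerService/managedClusters@2023-03-02-preview' = {
  name: clusterName
  location: location
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    dnsPrefix: clusterName
    enableRBAC: true
    // Booleans, not the string 'true'. Without this the cluster has no issuer URL.
    oidcIssuerProfile: {
      enabled: true
    }
    // Mutating webhook that projects the service-account token into pods.
    securityProfile: {
      workloadIdentity: {
        enabled: true
      }
    }
    agentPoolProfiles: [
      {
        name: 'system'
        mode: 'System'
        count: 1
        vmSize: 'Standard_D2s_v3' // assumed size
        osType: 'Linux'
      }
    ]
    networkProfile: {
      networkPlugin: 'azure'
    }
  }
}

resource appId 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: 'id-${nameseed}'
  location: location
}

// One federated credential per service account. Reading aks.properties forces
// the implicit dependsOn, so the issuer URL is read once the cluster exists.
// Federated credentials on the same identity must be written one at a time;
// concurrent writes are rejected by the resource provider, hence batchSize(1).
@batchSize(1)
resource fedCreds 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = [for s in workloadSubjects: {
  parent: appId
  name: '${s.namespace}-${s.serviceAccount}'
  properties: {
    issuer: aks.properties.oidcIssuerProfile.issuerURL
    // The subject is the entire trust: exactly this namespace and service
    // account on exactly this issuer. Any pod that can run as this SA (or any
    // principal with RBAC to create pods with it) can obtain the identity's tokens.
    subject: 'system:serviceaccount:${s.namespace}:${s.serviceAccount}'
    audiences: [
      'api://AzureADTokenExchange'
    ]
  }
}]

output oidcIssuerUrl string = aks.properties.oidcIssuerProfile.issuerURL
output identityClientId string = appId.properties.clientId
```

Deploy it with `az deployment group create -g <rg> -f main.bicep`. To check that the issuer really came up (the asker's symptom was an empty one), run `az aks show -g <rg> -n aks-myenv --query oidcIssuerProfile.issuerUrl -o tsv` and fetch `<issuerUrl>.well-known/openid-configuration`; the issuer URL already ends in a slash, so append the path directly. The `issuer` value in the credential must match that URL byte for byte, and the `subject` must match the pod's projected token claim, so keep namespace and service-account names stable and scope each credential as narrowly as the workload allows.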
