
Do AKS support oidc token generated for azureAD config? #2916

Closed
ashu8912 opened this issue Apr 28, 2022 · 10 comments
Labels
resolution/answer-provided Provided answer to issue, question or feedback.

Comments

@ashu8912
Member

ashu8912 commented Apr 28, 2022

I wanted to know: if I have an OIDC token generated for an Azure AD config using the go-oidc package, will that work for accessing an AKS cluster that has the Azure AD config enabled?

What happened:
I took an OIDC token generated using the go-oidc package and requested resources on the AKS cluster, but it doesn't seem to work; I get a 401 Unauthorized error.

How to reproduce it (as minimally and precisely as possible):
Create a cluster with Azure AD enabled, register an application on Azure AD and use the endpoints to get an OIDC token (using the go-oidc package), then use the token to access the cluster resources.
Note: I already have a ClusterRole and ClusterRoleBinding that allow the Azure AD group to access the resources. I also have RBAC enabled on my cluster.
Environment:

  • Kubernetes version (use kubectl version): Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.6", GitCommit:"ad3338546da947756e8a88aa6822e9c11e7eac22", GitTreeState:"clean", BuildDate:"2022-04-14T08:49:13Z", GoVersion:"go1.17.9", Compiler:"gc", Platform:"linux/amd64"}
  • Size of cluster (how many worker nodes are in the cluster?) 1
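The API server answers 401 when no configured authenticator accepts the bearer token and 403 when authentication succeeded but RBAC denied the request, so with a 401 the ClusterRoleBinding above is not yet in play; the first thing to check is whether the token's issuer, audience and expiry match what the cluster's identity integration expects. The following Go program is an added diagnostic, not code from this issue, the AKS project or go-oidc: it decodes a JWT's payload without verifying the signature and lists mismatches against expected values. The token it builds is constructed, and every value in it (tenant, client and server application IDs) is a placeholder; which claims AKS actually checks is an assumption, so substitute the values your cluster is configured with.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Claims holds the registered JWT claims that matter when an OIDC-integrated
// API server rejects a token: who issued it, for which audience, and until when.
type Claims struct {
	Issuer    string
	Subject   string
	Audiences []string
	ExpiresAt int64 // Unix seconds; 0 when the token carries no exp claim
}

// rawClaims mirrors the wire format. "aud" may be a string or an array of
// strings (RFC 7519, section 4.1.3), so it is kept raw until parsed below.
type rawClaims struct {
	Issuer    string          `json:"iss"`
	Subject   string          `json:"sub"`
	Audience  json.RawMessage `json:"aud"`
	ExpiresAt int64           `json:"exp"`
}

// InspectToken decodes the payload segment of a compact JWT without verifying
// the signature. It is a diagnostic only: it reports what the token claims,
// not whether those claims can be trusted.
func InspectToken(token string) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, fmt.Errorf("expected 3 dot-separated segments, got %d", len(parts))
	}
	// JWT segments are base64url without padding; tolerate padded input anyway.
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return Claims{}, fmt.Errorf("payload is not base64url: %w", err)
	}
	var rc rawClaims
	if err := json.Unmarshal(payload, &rc); err != nil {
		return Claims{}, fmt.Errorf("payload is not a JSON claim set: %w", err)
	}
	c := Claims{Issuer: rc.Issuer, Subject: rc.Subject, ExpiresAt: rc.ExpiresAt}
	if len(rc.Audience) > 0 {
		var single string
		if json.Unmarshal(rc.Audience, &single) == nil {
			c.Audiences = []string{single}
		} else if err := json.Unmarshal(rc.Audience, &c.Audiences); err != nil {
			return Claims{}, fmt.Errorf("aud is neither a string nor an array: %w", err)
		}
	}
	return c, nil
}

// Diagnose compares the decoded claims with the issuer and audience the API
// server is configured to accept and returns one line per mismatch. An empty
// result means the claims are consistent and the 401 has another cause
// (signature, signing keys, or the cluster's identity mapping).
func Diagnose(c Claims, wantIssuer, wantAudience string, now time.Time) []string {
	var problems []string
	if c.Issuer != wantIssuer {
		problems = append(problems, fmt.Sprintf("issuer %q, server expects %q", c.Issuer, wantIssuer))
	}
	if !hasAudience(c.Audiences, wantAudience) {
		problems = append(problems, fmt.Sprintf("audience %v does not include %q", c.Audiences, wantAudience))
	}
	if c.ExpiresAt != 0 && !now.Before(time.Unix(c.ExpiresAt, 0)) {
		problems = append(problems, "token expired at "+time.Unix(c.ExpiresAt, 0).UTC().Format(time.RFC3339))
	}
	return problems
}

func hasAudience(auds []string, want string) bool {
	for _, a := range auds {
		if a == want {
			return true
		}
	}
	return false
}

// EncodeUnsignedToken builds a constructed, unsigned token (alg "none", empty
// signature segment) so the example runs offline. It exists only to feed
// InspectToken with known claims; no server should ever accept such a token.
func EncodeUnsignedToken(claims map[string]interface{}) string {
	header, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	payload, _ := json.Marshal(claims)
	return base64.RawURLEncoding.EncodeToString(header) + "." +
		base64.RawURLEncoding.EncodeToString(payload) + "."
}

// SampleToken returns a constructed token; all values are placeholders,
// not real Azure AD identifiers.
func SampleToken() string {
	return EncodeUnsignedToken(map[string]interface{}{
		"iss": "https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0",
		"sub": "user-object-id-placeholder",
		"aud": "CLIENT-ID-PLACEHOLDER",
		"exp": int64(1651363200), // 2022-05-01T00:00:00Z
	})
}

func main() {
	c, err := InspectToken(SampleToken())
	if err != nil {
		fmt.Println("decode failed:", err)
		return
	}
	fmt.Printf("iss=%s sub=%s aud=%v exp=%d\n", c.Issuer, c.Subject, c.Audiences, c.ExpiresAt)
	// Assumption: the cluster expects its own server application ID as audience.
	for _, p := range Diagnose(c, c.Issuer, "SERVER-APP-ID-PLACEHOLDER", time.Now()) {
		fmt.Println("mismatch:", p)
	}
}
```

Run it against a real token by replacing SampleToken() with the string you obtained from go-oidc; a token minted for the registered client application will typically show that client's ID as audience, and if the cluster's integration expects a different audience, the mismatch line points at the cause before any RBAC rule is consulted.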
@ghost ghost added the triage label Apr 28, 2022
@ghost

ghost commented Apr 28, 2022

Hi ashu8912, AKS bot here 👋
Thank you for posting on the AKS Repo, I'll do my best to get a kind human from the AKS team to assist you.

I might be just a bot, but I'm told my suggestions are normally quite good, as such:

  1. If this case is urgent, please open a Support Request so that our 24/7 support team may help you faster.
  2. Please abide by the AKS repo Guidelines and Code of Conduct.
  3. If you're having an issue, could it be described on the AKS Troubleshooting guides or AKS Diagnostics?
  4. Make sure you're subscribed to the AKS Release Notes to keep up to date with all that's new on AKS.
  5. Make sure there isn't a duplicate of this issue already reported. If there is, feel free to close this one and '+1' the existing issue.
  6. If you have a question, do take a look at our AKS FAQ. We place the most common ones there!

@ghost ghost added the action-required label Apr 30, 2022
@ghost

ghost commented Apr 30, 2022

Triage required from @Azure/aks-pm

@CocoWang-wql
Contributor

Hello @ashu8912, currently the AKS cluster does not support go-oidc. We have a feature named "External Identity Provider" and it is planned: #2861

@ghost ghost removed the action-required label Apr 30, 2022
@CocoWang-wql CocoWang-wql added resolution/answer-provided Provided answer to issue, question or feedback. and removed triage labels Apr 30, 2022
@ashu8912
Member Author

ashu8912 commented May 1, 2022

Hey @CocoWang-wql, thank you for your answer. One small question: what if I use the access token generated from the OAuth flow, will that work? Also, I tried an MSAL-generated token as well and used it to access the AKS cluster, which has Azure AD and Kubernetes RBAC enabled, but it didn't work either.

@ashu8912
Member Author

ashu8912 commented May 2, 2022

Also @CocoWang-wql, what do you mean when you say AKS doesn't support go-oidc? Does it mean that if I take an Azure AD app config and generate an access token via go-oidc, that will not work?

@miwithro
Contributor

miwithro commented May 2, 2022

@ashu8912 we are working on adding OIDC capabilities into AKS and Azure AD. Have a look at https://azure.github.io/azure-workload-identity/docs/: this is a project that leverages "Service Account Token Volume Projection" and "OIDC Issuer" to issue a token to a pod to access Azure resources. It is based on App Registration today, but we are adding Managed Identity support very soon.

@ashu8912
Member Author

ashu8912 commented May 3, 2022

Thanks @miwithro, can I test this project with my AKS cluster?

@miwithro
Contributor

miwithro commented May 3, 2022

@ashu8912 Of course.

@ashu8912
Member Author

ashu8912 commented May 4, 2022

Thanks @miwithro, I will try setting up the OIDC issuer on my cluster and see if it works for me.

@ghost

ghost commented May 6, 2022

Thanks for reaching out. I'm closing this issue as it was marked with "Answer Provided" and it hasn't had activity for 2 days.

@ghost ghost closed this as completed May 6, 2022
@ghost ghost locked as resolved and limited conversation to collaborators Jun 5, 2022
This issue was closed.