diff --git a/pkg/cloudprovider/providers/azure/auth/azure_auth.go b/pkg/cloudprovider/providers/azure/auth/azure_auth.go
index a2760fbcd14..08f894d7216 100644
--- a/pkg/cloudprovider/providers/azure/auth/azure_auth.go
+++ b/pkg/cloudprovider/providers/azure/auth/azure_auth.go
@@ -44,28 +44,39 @@ type AzureAuthConfig struct {
 AADClientCertPassword string `json:"aadClientCertPassword" yaml:"aadClientCertPassword"`
 // Use managed service identity for the virtual machine to access Azure ARM APIs
 UseManagedIdentityExtension bool `json:"useManagedIdentityExtension" yaml:"useManagedIdentityExtension"`
+ // UserAssignedIdentityID contains the Client ID of the user assigned MSI which is assigned to the underlying VMs. If empty the user assigned identity is not used.
+ // More details of the user assigned identity can be found at: https://docs.microsoft.com/en-us/azure/active-directory/managed-service-identity/overview
+ // For the user assigned identity specified here to be used, the UseManagedIdentityExtension has to be set to true.
+ UserAssignedIdentityID string `json:"userAssignedIdentityID" yaml:"userAssignedIdentityID"`
 // The ID of the Azure Subscription that the cluster is deployed in
 SubscriptionID string `json:"subscriptionId" yaml:"subscriptionId"`
 }
 // GetServicePrincipalToken creates a new service principal token based on the configuration
 func GetServicePrincipalToken(config *AzureAuthConfig, env *azure.Environment) (*adal.ServicePrincipalToken, error) {
- oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, config.TenantID)
- if err != nil {
- return nil, fmt.Errorf("creating the OAuth config: %v", err)
- }
-
 if config.UseManagedIdentityExtension {
 glog.V(2).Infoln("azure: using managed identity extension to retrieve access token")
 msiEndpoint, err := adal.GetMSIVMEndpoint()
 if err != nil {
 return nil, fmt.Errorf("Getting the managed service identity endpoint: %v", err)
 }
+ if len(config.UserAssignedIdentityID) > 0 {
+ glog.V(4).Info("azure: using User Assigned MSI ID to retrieve access token")
+ return adal.NewServicePrincipalTokenFromMSIWithUserAssignedID(msiEndpoint,
+ env.ServiceManagementEndpoint,
+ config.UserAssignedIdentityID)
+ }
+ glog.V(4).Info("azure: using System Assigned MSI to retrieve access token")
 return adal.NewServicePrincipalTokenFromMSI( msiEndpoint, env.ServiceManagementEndpoint)
 }
+ oauthConfig, err := adal.NewOAuthConfig(env.ActiveDirectoryEndpoint, config.TenantID)
+ if err != nil {
+ return nil, fmt.Errorf("creating the OAuth config: %v", err)
+ }
+
 if len(config.AADClientSecret) > 0 {
 glog.V(2).Infoln("azure: using client_id+client_secret to retrieve access token")
 return adal.NewServicePrincipalToken(