-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
azcopy login doesn't support AAD auth flow with federated credentials #2112
Comments
Hi @starkmsu Thank you for this feedback. Currently AzCopy supports DeviceCode, MSI, SPN (with secret and certificate) credentials only within AAD. For now I will mark this item as a feature request to appropriately prioritize within in our backlog. |
Could you please share further information on how you set up the federated identity? It looks like there are 4 workflows in the resource you shared. |
I'd like to add my voice to this, being unable to work with federated credentials is causing real headaches for the government department I work for. If you could enable this it would be a great assistance to us. |
I have several pipelines in GitHub Actions, and I'm currently utilising managed identity with federated credentials to access Azure resources via Azure CLI. However, I've encountered an issue where I am unable to use AzCopy in the same manner. I kindly request that you consider adding support federated credentials in AzCopy as soon as possible. This feature would greatly enhance my workflow and allow for seamless and secure integration. Thank you for your attention to this matter. |
We vote on this issue. We are working on replacing AAD pod identity (already deprecated) with AAD workload identity (successor) in our AKS clusters. Most of the workloads in our AKS clusters have been successfully migrated to AAD workload identity, except AzCopy. It is funny as this Microsoft official tool is the last remaining component we cannot migrate to AAD workload identity. Since AzCopy has yet to support AAD workload identity, there is no way to use AzCopy with managed identities in AKS clusters (except using a proxy sidecar, which Microsoft does not recommend for production purposes). |
We're also looking to use AAD workload identity in our AKS cluster, for enhance security and reduce operation burden. But we're also blocked by not able to authenticate using workload identity through azcopy. |
@gapra-msft |
Hi all, AzCopy now supports login through azcli login and powershell login which should mitigate customers that need to login with federated credentials. Please see here for more details. |
@gapra-msft When Microsoft decommissioned the pod identity and replaced it with a new AAD workload identity, other tools, including Azure SDK, added support for the workload identity. This addition was largely transparent and worked with the workload identity by simply upgrading the tools in most cases. As far as I know, azcopy is the only tool asking to use AzureCli login to use the workload identity. But we should remember that AzureCli is a massive component comprising more than 50k files whose total size is more than 1.2GB (uncompressed, including Python runtime). We needed only a single binary of azcopy to use it with the old pod identity. But do we need one azcopy binary plus 1.2GB, +50K files to use the workload identity? This addition of files will significantly increase pod image sizes, leading to the pod start's slowness. Please consider the native support of the workload identity in azcopy. |
@gapra-msft AAD Workload Identity is a solution for using Azure Managed Identity in Kubernetes clusters. Token federation is a technology behind used in AAD Workload Identity. Thanks to environment variables automatically set by AAD Workload Identity integration in Kubernetes, we can authorize managed identity in pods with much fewer parameters (in general, all required parameters are injected as env variables and automatically taken by azure-identity library). To avoid confusion between authorization using AAD Workload Identity and one using federated tokens, I created a feature request for support of the former one as #2545. |
Hi everyone, it looks like there are a few issues tracking the same work item. We are tracking adding support to AzCopy for workload identity here. Please subscribe to that issue for updates. |
Which version of the AzCopy was used?
All versions
Which platform are you using? (ex: Windows, Mac, Linux)
Windows, but this is applicable to all platforms
What command did you run?
azcopy login
What problem was encountered?
azcopy login doesn't support AAD auth flow with federated credentials (see - https://azure.github.io/azure-workload-identity/docs/topics/federated-identity-credential.html#:~:text=Federated%20identity%20credential%20for%20an%20Azure%20AD%20application,8%20Specify%20the%20Service%20account%20name.%20More%20items)
How can we reproduce the problem in the simplest way?
Try to pass federated credentials to 'azcopy login' command
Have you found a mitigation/solution?
No
The text was updated successfully, but these errors were encountered: