Posted to github@arrow.apache.org by "sugibuchi (via GitHub)" <gi...@apache.org> on 2023/04/18 18:31:11 UTC
[GitHub] [arrow-rs] sugibuchi commented on issue #4096: ImdsManagedIdentityOAuthProvider should send resource ID instead of OIDC scope
sugibuchi commented on issue #4096:
URL: https://github.com/apache/arrow-rs/issues/4096#issuecomment-1513623719
@tustvold
It might work with `.default` in some environments (we are using [AAD Pod Identity](https://learn.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity) in AKS, which is an emulation of IMDS in a Kubernetes cluster. This is probably a reason why we are seeing different results).
But the documentation clearly says that a value of `resource` should be "App ID URI of the target **resource**", not scope.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
The Managed Identity credential class in the Azure Java SDK accepts a resource ID as a configuration parameter.
https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityCredentialBuilder.java#L83
And an equivalent class in the Azure Python SDK explicitly drops `.default` from query parameter values.
https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_internal/managed_identity_client.py#L112
https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_internal/__init__.py#L19-L29
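
The scope-to-resource conversion discussed in the comment above, as an added example that is not part of the original comment and not arrow-rs code. The names `scope_to_resource`, `imds_token_url` and `ResourceError` are hypothetical; the endpoint, API version and `Metadata: true` header follow the linked Microsoft documentation for VM token requests.

```rust
// Added example (not arrow-rs code): turn an OIDC scope such as
// "https://storage.azure.com/.default" into the `resource` value IMDS expects.
const IMDS_TOKEN_URL: &str = "http://169.254.169.254/metadata/identity/oauth2/token";
const IMDS_API_VERSION: &str = "2018-02-01";

#[derive(Debug, PartialEq)]
pub enum ResourceError {
    Empty,          // nothing left to send as `resource`
    MultipleScopes, // IMDS takes exactly one resource per request
}

/// Strip a trailing "/.default" so that an App ID URI, not a scope, is sent.
pub fn scope_to_resource(scope: &str) -> Result<&str, ResourceError> {
    let scope = scope.trim();
    if scope.split_whitespace().count() > 1 {
        return Err(ResourceError::MultipleScopes);
    }
    let resource = scope.strip_suffix("/.default").unwrap_or(scope);
    if resource.is_empty() {
        return Err(ResourceError::Empty);
    }
    Ok(resource)
}

/// Percent-encode everything except RFC 3986 unreserved characters.
fn percent_encode(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for b in value.bytes() {
        match b {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(b as char)
            }
            _ => out.push_str(&format!("%{:02X}", b)),
        }
    }
    out
}

/// Build the GET URL; the request must also carry the header `Metadata: true`.
pub fn imds_token_url(scope_or_resource: &str) -> Result<String, ResourceError> {
    let resource = percent_encode(scope_to_resource(scope_or_resource)?);
    Ok(format!("{IMDS_TOKEN_URL}?api-version={IMDS_API_VERSION}&resource={resource}"))
}

fn main() {
    // Constructed sample input: the storage scope in its ".default" form.
    println!("{:?}", imds_token_url("https://storage.azure.com/.default"));
}
```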