Posted to github@arrow.apache.org by "sugibuchi (via GitHub)" <gi...@apache.org> on 2023/04/18 18:31:11 UTC

[GitHub] [arrow-rs] sugibuchi commented on issue #4096: ImdsManagedIdentityOAuthProvider should send resource ID instead of OIDC scope

sugibuchi commented on issue #4096:
URL: https://github.com/apache/arrow-rs/issues/4096#issuecomment-1513623719

   @tustvold 
   It might work with `.default` in some environments (we are using [AAD Pod Identity](https://learn.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity) in AKS, which is an emulation of IMDS in a Kubernetes cluster. This is probably a reason why we are seeing different results).
   
   But the documentation clearly says that a value of `resource` should be "App ID URI of the target **resource**", not scope.
   
   https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/how-to-use-vm-token#get-a-token-using-http
   
   The Managed Identity credential class in the Azure Java SDK accepts a resource ID as a configuration parameter.
   
   https://github.com/Azure/azure-sdk-for-java/blob/main/sdk/identity/azure-identity/src/main/java/com/azure/identity/ManagedIdentityCredentialBuilder.java#L83
   
   And an equivalent class in the Azure Python SDK explicitly drops `.default` from query parameter values.
   
   https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_internal/managed_identity_client.py#L112
   https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_internal/__init__.py#L19-L29
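
Added example, not part of the comment above and not arrow-rs code: a std-only Rust sketch of the scope-to-resource conversion the comment describes, followed by construction of the IMDS token request URL. The function names are hypothetical; the endpoint, `api-version` and `client_id` parameter are taken from the Azure documentation for the IMDS token request, and the storage scope is a constructed sample input.

```rust
// Added example, not arrow-rs code: derive the IMDS `resource` value from an
// OIDC-style scope and build the token request URL. Function names are hypothetical.

/// IMDS token endpoint and API version as given in the Azure documentation.
const IMDS_TOKEN_ENDPOINT: &str = "http://169.254.169.254/metadata/identity/oauth2/token";
const IMDS_API_VERSION: &str = "2018-02-01";

/// Drop a trailing `/.default` so the value is a resource App ID URI, not a scope.
/// Values without that suffix are passed through unchanged.
fn scope_to_resource(scope: &str) -> &str {
    scope.strip_suffix("/.default").unwrap_or(scope)
}

/// Percent-encode everything except RFC 3986 unreserved characters.
fn percent_encode(value: &str) -> String {
    let mut out = String::with_capacity(value.len());
    for byte in value.bytes() {
        match byte {
            b'A'..=b'Z' | b'a'..=b'z' | b'0'..=b'9' | b'-' | b'.' | b'_' | b'~' => {
                out.push(byte as char)
            }
            _ => out.push_str(&format!("%{:02X}", byte)),
        }
    }
    out
}

/// Build the GET URL; the request must also carry the header `Metadata: true`.
/// `client_id` optionally selects a user-assigned managed identity.
fn imds_token_url(scope_or_resource: &str, client_id: Option<&str>) -> String {
    let resource = scope_to_resource(scope_or_resource);
    let mut url = format!(
        "{}?api-version={}&resource={}",
        IMDS_TOKEN_ENDPOINT,
        IMDS_API_VERSION,
        percent_encode(resource)
    );
    if let Some(id) = client_id {
        url.push_str("&client_id=");
        url.push_str(&percent_encode(id));
    }
    url
}

fn main() {
    // Constructed sample input: the Azure Storage scope in `.default` form.
    println!("{}", imds_token_url("https://storage.azure.com/.default", None));
}
```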

