我正在尝试设置Azure AD"企业应用程序",以便从myapps.microsoft.com访问谷歌云以进行身份和访问。
我设置了工作负载标识联合,如中所述https://cloud.google.com/iam/docs/configuring-workload-identity-federation#azure,但是身份验证工作不正常,出现以下错误。
gcloud auth login --cred-file="/Users/pavan-mac/Downloads/clientLibraryConfig-aad-oidc.json"
ERROR: gcloud crashed (TransportError): HTTPConnectionPool(host='169.254.169.254', port=80): Max retries exceeded with url: /metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fiam.googleapis.com%2Fprojects%<removed>%2Flocations%2Fglobal%2FworkloadIdentityPools%2Faad-integration%2Fproviders%2Faad-oidc (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7feb69c80a10>: Failed to establish a new connection: [Errno 60] Operation timed out'))
我的命令:
➜ ~ gcloud iam workload-identity-pools create "azure-ad-integration" --location="global" --description="azure-ad-integration" --display-name="azure-ad-integration"
Created workload identity pool [azure-ad-integration].
➜ ~ gcloud iam workload-identity-pools providers create-oidc azure-ad-oidc-provider --location="global" --workload-identity-pool="azure-ad-integration" --issuer-uri="sts.windows.net/<removed-tenant-id>" --allowed-audiences="api://<removed-app-id-uri>" --attribute-mapping="google.subject=assertion.sub,google.groups=assertion.groups"
Created workload identity pool provider [azure-ad-oidc-provider].
➜ ~ gcloud iam service-accounts add-iam-policy-binding <removed-svc-account> --role roles/iam.workloadIdentityUser --member "principalSet://iam.googleapis.com/projects/<removed-project-number>/locations/global/workloadIdentityPools/azure-ad-integration/*"
Updated IAM policy for serviceAccount [<service-acocunt>@<project>.iam.gserviceaccount.com]. bindings:
- members:
- principalSet://iam.googleapis.com/projects/<removed-project-number>/locations/global/workloadIdentityPools/azure-ad-integration/* role: roles/iam.workloadIdentityUser etag: BwXTqFEUIVo=
➜ ~ gcloud iam workload-identity-pools create-cred-config projects/<removed-project-num>/locations/global/workloadIdentityPools/azure-ad-integration/providers/azure-ad-oidc-provider --service-account='<service-account>@<project>.gserviceaccount.com' --azure --app-id-uri 'api://<app-id-uri>' --output-file=FILEPATH.json
Created credential configuration file [FILEPATH.json].
➜ ~ gcloud version
Google Cloud SDK 367.0.0
bq 2.0.72
core 2021.12.10
gsutil 5.5
➜ ~
2个问题:
- 我怀疑问题出在属性映射上。使用Azure AD OIDC提供程序时,指定属性的理想配置是什么
- 我希望能够使用GCP中的工作负载联盟功能,在Azure AD企业应用程序中为用户/组分配谷歌云中映射的角色(例如,所有者/编辑/查看者角色(。有人能帮我理解如何将GCP中从azure广告到服务帐户的角色与正确的属性映射联系起来吗
由于您在Azure虚拟机之外使用CLI,因此您无权访问Azure托管身份。这就是有关元数据服务器的错误的原因169.254.169.254//metadata/identity/oauth2/token
Workload Identity Federation的要求/选项之一是为正在运行Google Cloud CLI的资源创建或分配托管标识。
准备外部身份提供商
让应用程序获得Azure AD的访问令牌应用程序,您可以使用托管身份
在这篇谷歌文档中,演示了一个技巧,要求您自己从Azure实例元数据服务中获取访问令牌,并将其粘贴到断言中。我没有尝试过这种技术,但这意味着每次代币到期时,你都需要重复这个过程。
curl
"http://169.254.169.254/metadata/identity/oauth2/token?resource=APP_ID_URI&api-version=2018-02-01"
-H "Metadata: true" | jq -r .access_token
从Azure实例元数据服务(IMDS(获取访问令牌