-
Notifications
You must be signed in to change notification settings - Fork 95
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AADSTS700211 invalid_client #1200
Comments
+1 |
Have you looked at the troubleshooting guide: https://azure.github.io/azure-workload-identity/docs/troubleshooting.html#aadsts70021-no-matching-federated-identity-record-found-for-presented-assertion? Check exact match for following in the Azure AD App:
|
@aramase Yep, all the data in Azure AD App has the right values (issuer URL, service account, namespace). |
Having the same issue. I am trying the following docs: The result is the same error. I can see the resources on azure-portal but I am not sure what the problem is. |
having the same issue with flux addon and workload identity on AKS |
I ran into the same error message (without using the |
I had the same issue; restarting the keda-controller fixed the issue. |
same issue here. any luck? Issuer URL (with the trailing slash), subject and audience all look good. Still hitting this error |
adding correlation IDs if that helps for debuggin on your side Content: {"error":"invalid_client","error_description":"AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://eastus2.oic.prod-aks.azure.com/7******************/c*****************/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: 93eb6af6-43b5-4b16-ad6e-63cf2a050b00 Correlation ID: 8f043819-8577-46b9-b330-a72e2e114665 Timestamp: 2024-03-01 07:41:07Z","error_codes":[700211],"timestamp":"2024-03-01 07:41:07Z","trace_id":"93eb6af6-43b5-4b16-ad6e-63cf2a050b00","correlation_id":"8f043819-8577-46b9-b330-a72e2e114665"} |
This works if I use user-assigned managed identity only and not with an AAD app. Is this communicated anywhere? I just created a user-assigned managed identity and add a federated credential to that MI and was able to get a credential. No more errors. In fact I was able to access the target azure resource as well (KV in my case) |
We are encountering the same issue as the original poster. I have validated the federated credential against the JWT token mounted to the pods and everything seems to match. Any updates? {
"aud": [
"api://AzureADTokenExchange"
],
"exp": 1710782177,
"iat": 1710778577,
"iss": "https://eastus2.oic.prod-aks.azure.com/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/",
"kubernetes.io": {
"namespace": "my-namespace",
"pod": {
"name": "test-pod",
"uid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
},
"serviceaccount": {
"name": "my-service-account",
"uid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
}
},
"nbf": 1710778577,
"sub": "system:serviceaccount:my-namespace:my-service-account"
} |
I was also having this same problem. It took me longer than I care to admit to realize that I had a trailing Once I fixed that, everything was working well. @aramase - wondering if these other issues might be a similar issue in either the issuer or subject identifier section... do we have a contact on the identity team who could verify if/why they even accept newlines in these fields? It seems like a bit of a foot-gun. |
Have started a thread internally to discuss catching such errors as part of API validation. I'll update this thread once we hear back from the Entra team. |
This has been a complete time suck trying to figure out what the issue was here and happy to have landed on this post with the appropriate search terms. As stated above, there is a problem with line endings. In my situation, I get my OIDC Issuer from the following command: az aks show --name "${CLUSTER_NAME}" \
--resource-group "${RESOURCE_GROUP}" \
--query "oidcIssuerProfile.issuerUrl" \
--output tsv The above output is stored as a variable and then used in the command to create the federated credential: az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} \
--identity-name "${USER_ASSIGNED_IDENTITY_NAME}" \
--resource-group "${RESOURCE_GROUP}" \
--issuer "${AKS_OIDC_ISSUER}" \
--subject "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}" \
--audience api://AzureADTokenExchange The output from creating the federated credential shows a line ending: {
"audiences": [
"api://AzureADTokenExchange"
],
"id": "<FIC_RESOURCE_ID>",
"issuer": "https://westus3.oic.prod-aks.azure.com/aaaaaaaa-86f1-41af-91ab-aaaaaaaaaaaa/bbbbbbbb-0443-47ec-b4c5-bbbbbbbbbbbb/\r",
"name": "<FIC_NAME>",
"resourceGroup": "<RESOURCE_GROUP>",
"subject": "system:serviceaccount:default:workload-identity-sa",
"systemData": null,
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
} Edit Ref: https://stackoverflow.com/questions/19345872/how-to-remove-a-newline-from-a-string-in-bash |
One more victim of the trailing |
Describe the bug
I'm getting the error
AADSTS700211: WorkloadIdentityCredential: Microsoft Entra ID error '(invalid_client) AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://oidc.prod-aks.azure.com/879-...-a6425/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: REDACTED Correlation ID: REDACTED Timestamp: 2023-12-08 16:17:27Z'
Steps To Reproduce
Deploy Workload Identity v1.2.0 inside an AKS cluster v1.27.7
Create an AAD Service Principal and a k8s service account using the azwi cli:
Create a pod associating the SA and with a label
azure.workload.identity/use: "true"
Trying to authenticate and get a Key Vault secret using Python 3.10 with
DefaultAzureCredential()
, usingazure-identity==1.15.0
libExpected behavior
Get the secret value.
Logs
WorkloadIdentityCredential: Microsoft Entra ID error '(invalid_client) AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://oidc.prod-aks.azure.com/879-...-6425/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: REDACTED Correlation ID: REDACTED Timestamp: 2023-12-08 16:55:37Z'
Environment
kubectl version
): AKS 1.27.7cat /etc/os-release
): Ubuntu 20.04.6 LTSuname -a
): 5.15.0-1051-azure fix: use request namespace for service account #59-Ubuntu SMP Wed Oct 11 18:49:16 UTC 2023 x86_64 x86_64 x86_64 GNU/LinuxAdditional context
AAD Service Principal is created without problems:
OIDC: az aks show -n $AKS_NAME -g $AKS_RG --query "oidcIssuerProfile.issuerUrl" -otsv
https://oidc.prod-aks.azure.com/879-...-a6425/
On AAD App Registration I can see all the values populated correctly (issuer, namespace, service account name).
The text was updated successfully, but these errors were encountered: