Allow clientId and tenantId hint when using workload identity #100
@asimpson @bossinc @aangelisc @alyssabull Can we get someone to review this?
@aangelisc As far as I know, this is already usable when using the new format with The question is if this should be supported with the
Did you consider the security implications? My concern is that this may give the ability to probe other identities in the Kubernetes cluster even if they aren't supposed to be used by Grafana and belong to other services hosted in the same cluster. For this reason TenantID and ClientID were added to Grafana config (here), so they are not accessible by the user.
@kostrse I did. Security is actually the main driver for this. We have different teams that use the Azure Monitor datasource. We want to manage the datasources for them to restrict the scope and subscriptions that the datasource has access to, so each of them should use a separate Probing for other managed identities would not work since the
@nilfr ideally the data sources would need to be updated to provide the client ID and tenant ID of the identity via the UI to make this functionality more accessible (otherwise it will only be usable via provisioned data sources). @kostrse this functionality looks good to me and I'm happy to add this to the SDK if you see no issues with it.
Signed-off-by: Nicklas Frahm <nilfr@vestas.com>
@aangelisc I have updated the branch to be up-to-date with I can look into submitting a PR for the UI once this is merged.
Thank you for the contribution @nilfr!
Apologies for this falling through the cracks! I've merged main to allow me to merge this
@aangelisc Anything I can do to help get a tag and a release for this, so that we can add this to
Hi @nilfr! There are a couple things I'm trying to get merged and then I'll cut a new release (hopefully this week).
Hi @nilfr, apologies for the delay, I've published a new version of the SDK now 😊 Thanks again!
Workload identity supports the usage of multiple identities in the same pod. This PR attempts to add support for it.
We need to evaluate if we would like to also backport this to the `legacyCredentials`.