AADSTS700211 invalid_client #1200
Comments
|
+1 |
|
Have you looked at the troubleshooting guide: https://azure.github.io/azure-workload-identity/docs/troubleshooting.html#aadsts70021-no-matching-federated-identity-record-found-for-presented-assertion? Check exact match for following in the Azure AD App:
|
|
@aramase Yep, all the data in Azure AD App has the right values (issuer URL, service account, namespace). Azure AAD App: Service account: |
|
Having the same issue. I am trying the following docs: The result is the same error. I can see the resources on azure-portal but I am not sure what the problem is. |
|
having the same issue with flux addon and workload identity on AKS |
|
I ran into the same error message (without using the |
|
I had the same issue; restarting the keda-controller fixed the issue. |
|
same issue here. any luck? Issuer URL (with the trailing slash), subject and audience all look good. Still hitting this error |
|
adding correlation IDs if that helps for debuggin on your side Content: {"error":"invalid_client","error_description":"AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://eastus2.oic.prod-aks.azure.com/7******************/c*****************/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: 93eb6af6-43b5-4b16-ad6e-63cf2a050b00 Correlation ID: 8f043819-8577-46b9-b330-a72e2e114665 Timestamp: 2024-03-01 07:41:07Z","error_codes":[700211],"timestamp":"2024-03-01 07:41:07Z","trace_id":"93eb6af6-43b5-4b16-ad6e-63cf2a050b00","correlation_id":"8f043819-8577-46b9-b330-a72e2e114665"} |
|
This works if I use user-assigned managed identity only and not with an AAD app. Is this communicated anywhere? I just created a user-assigned managed identity and add a federated credential to that MI and was able to get a credential. No more errors. In fact I was able to access the target azure resource as well (KV in my case) |
|
We are encountering the same issue as the original poster. I have validated the federated credential against the JWT token mounted to the pods and everything seems to match. Any updates? {
"aud": [
"api://AzureADTokenExchange"
],
"exp": 1710782177,
"iat": 1710778577,
"iss": "https://eastus2.oic.prod-aks.azure.com/yyyyyyyy-yyyy-yyyy-yyyy-yyyyyyyyyyyy/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxx/",
"kubernetes.io": {
"namespace": "my-namespace",
"pod": {
"name": "test-pod",
"uid": "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"
},
"serviceaccount": {
"name": "my-service-account",
"uid": "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"
}
},
"nbf": 1710778577,
"sub": "system:serviceaccount:my-namespace:my-service-account"
}
|
|
I was also having this same problem. It took me longer than I care to admit to realize that I had a trailing Once I fixed that, everything was working well. @aramase - wondering if these other issues might be a similar issue in either the issuer or subject identifier section... do we have a contact on the identity team who could verify if/why they even accept newlines in these fields? It seems like a bit of a foot-gun. |
Have started a thread internally to discuss catching such errors as part of API validation. I'll update this thread once we hear back from the Entra team. |
|
This has been a complete time suck trying to figure out what the issue was here and happy to have landed on this post with the appropriate search terms. As stated above, there is a problem with line endings. In my situation, I get my OIDC Issuer from the following command: az aks show --name "${CLUSTER_NAME}" \
--resource-group "${RESOURCE_GROUP}" \
--query "oidcIssuerProfile.issuerUrl" \
--output tsvThe above output is stored as a variable and then used in the command to create the federated credential: az identity federated-credential create --name ${FEDERATED_IDENTITY_CREDENTIAL_NAME} \
--identity-name "${USER_ASSIGNED_IDENTITY_NAME}" \
--resource-group "${RESOURCE_GROUP}" \
--issuer "${AKS_OIDC_ISSUER}" \
--subject "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}" \
--audience api://AzureADTokenExchangeThe output from creating the federated credential shows a line ending: {
"audiences": [
"api://AzureADTokenExchange"
],
"id": "<FIC_RESOURCE_ID>",
"issuer": "https://westus3.oic.prod-aks.azure.com/aaaaaaaa-86f1-41af-91ab-aaaaaaaaaaaa/bbbbbbbb-0443-47ec-b4c5-bbbbbbbbbbbb/\r",
"name": "<FIC_NAME>",
"resourceGroup": "<RESOURCE_GROUP>",
"subject": "system:serviceaccount:default:workload-identity-sa",
"systemData": null,
"type": "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials"
}Edit Ref: https://stackoverflow.com/questions/19345872/how-to-remove-a-newline-from-a-string-in-bash |
Describe the bug
I'm getting the error
AADSTS700211: WorkloadIdentityCredential: Microsoft Entra ID error '(invalid_client) AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://oidc.prod-aks.azure.com/879-...-a6425/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: REDACTED Correlation ID: REDACTED Timestamp: 2023-12-08 16:17:27Z'Steps To Reproduce
Deploy Workload Identity v1.2.0 inside an AKS cluster v1.27.7
Create an AAD Service Principal and a k8s service account using the azwi cli:
Create a pod associating the SA and with a label
azure.workload.identity/use: "true"Trying to authenticate and get a Key Vault secret using Python 3.10 with
DefaultAzureCredential(), usingazure-identity==1.15.0libExpected behavior
Get the secret value.
Logs
WorkloadIdentityCredential: Microsoft Entra ID error '(invalid_client) AADSTS700211: No matching federated identity record found for presented assertion issuer 'https://oidc.prod-aks.azure.com/879-...-6425/'. Please check your federated identity credential Subject, Audience and Issuer against the presented assertion. https://docs.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation Trace ID: REDACTED Correlation ID: REDACTED Timestamp: 2023-12-08 16:55:37Z'
Environment
kubectl version): AKS 1.27.7cat /etc/os-release): Ubuntu 20.04.6 LTSuname -a): 5.15.0-1051-azure fix: use request namespace for service account #59-Ubuntu SMP Wed Oct 11 18:49:16 UTC 2023 x86_64 x86_64 x86_64 GNU/LinuxAdditional context
AAD Service Principal is created without problems:
Fri, 08 Dec 2023 13:11:16 -03 role-assignment workflow/runner.go:133 skipping phase Fri, 08 Dec 2023 13:11:20 -03 aad-application create/aadapplication.go:71 created an AAD application {"name": "$AAD_NAME", "clientID": "d861-...-7de", "objectID": "4e11-...-8eec"} Fri, 08 Dec 2023 13:11:20 -03 serviceaccount/create.go:175 --service-principal-name not specified, falling back to AAD application name {"warning": true} Fri, 08 Dec 2023 13:11:21 -03 aad-application create/aadapplication.go:95 created service principal {"name": "$AAD_NAME", "clientID": "d861-..-7de", "objectID": "9e0-..-9512"} Fri, 08 Dec 2023 13:11:22 -03 service-account create/serviceaccount.go:94 created kubernetes service account {"namespace": "$K8S_NAMESPACE", "name": "$K8S_SA_NAME"} Fri, 08 Dec 2023 13:11:24 -03 federated-identity create/federatedidentitycredential.go:96 added federated credential {"objectID": "4e11-...-8eec", "subject": "system:serviceaccount:$K8S_NAMESPACE:$K8S_SA_NAME"}OIDC: az aks show -n $AKS_NAME -g $AKS_RG --query "oidcIssuerProfile.issuerUrl" -otsv
https://oidc.prod-aks.azure.com/879-...-a6425/On AAD App Registration I can see all the values populated correctly (issuer, namespace, service account name).
The text was updated successfully, but these errors were encountered: