I'm working on a demo to demonstrate Azure AD workload identity federation with SPIFFE and SPIRE, following this blog. All the steps worked except the verification step. In the verification step it is supposed to fetch the JWT token, exchange it for an AD token, and use this token to get an Azure Blob. It is failing with:
There is an endpoint to fetch the token, and this appears to work as expected. I have masked the token returned in the output below.
$ curl -XGET 20.83.89.207:80/exchanged
{"token":"eyJ0sdfsdfsdfsdfsdfsdfsdfig","expiresOnTimestamp":1678485060000}
When I issue the command below to fetch the blob, it fails with AuthorizationPermissionMismatch:
$ curl -XGET <workload svc ip>/<storage container>/<blob name>
error:
"details":{"errorCode":"AuthorizationPermissionMismatch","content-length":"279","content-type":"application/xml","date":"Mon, 06 Mar 2023 15:40:45 GMT","server":"Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0","x-ms-client-request-id":"1d2cbecb-09b2-4395-93ee-918136ee2fbe","x-ms-request-id":"cf2283f1-d01e-003f-4642-5077a4000000","x-ms-version":"2021-10-04","message":"This request is not authorized to perform this operation using this permission.\nRequestId:cf2283f1-d01e-003f-4642-5077a4000000\nTime:2023-03-06T15:40:46.3857513Z","code":"AuthorizationPermissionMismatch"}}
I have the Azure Storage account with the following roles assigned to my principal: Contributor, Storage Blob Delegator, Storage Blob Data Contributor, Storage Blob Data Reader, Storage Queue Data Contributor, Storage Blob Data Owner, Owner and a bunch of other roles.
I'm not sure what I'm missing.
I tried adding different roles listed above.
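A check that helps when the exchange endpoint returns a token but the Blob call still gets AuthorizationPermissionMismatch is to look at what the exchanged token actually carries before blaming the role assignments: the `aud` claim must be the Azure Storage audience (`https://storage.azure.com/`), and the `oid` claim is the principal Azure RBAC evaluates, so the role assignment must be on that object, not on whichever identity you happened to assign roles to in the portal. The script below is an added example written for this answer, not code from the blog or from SPIRE; it decodes the payload without verifying the signature (this is a debugging aid, not a trust decision), and the expected object id is a placeholder you would replace with your service principal's object id. The sample token it builds is constructed and unsigned.

```python
import base64
import json
import time
from typing import List, Optional

# Audience Azure Storage expects on a data-plane bearer token.
STORAGE_AUDIENCE = "https://storage.azure.com/"
# Placeholder (assumption for this example): object id of the principal that holds
# the Storage Blob Data * role assignment on the account.
EXPECTED_OID = "00000000-0000-0000-0000-000000000000"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the UNVERIFIED payload claims of a compact JWS.

    No signature check is done here: the goal is to see which audience and
    principal the token names, not to decide whether to trust it.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_storage_token(token: str, expected_oid: str = EXPECTED_OID,
                        now: Optional[float] = None) -> List[str]:
    """Return human-readable problems; an empty list means the token names the
    storage audience, the expected principal, and is currently valid."""
    claims = decode_jwt_claims(token)
    problems: List[str] = []
    now = time.time() if now is None else now

    # aud may be a string or a list; Azure AD emits the storage audience with or
    # without a trailing slash depending on how the scope was requested.
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if STORAGE_AUDIENCE.rstrip("/") not in [str(a).rstrip("/") for a in auds]:
        problems.append(f"aud is {aud!r}, expected {STORAGE_AUDIENCE!r}")

    # RBAC role assignments are evaluated against the object id in the token.
    if claims.get("oid") != expected_oid:
        problems.append(f"oid {claims.get('oid')!r} is not the principal holding "
                        f"the role assignment ({expected_oid!r})")

    if claims.get("exp", 0) <= now:
        problems.append("token is expired")
    if claims.get("nbf", 0) > now:
        problems.append("token not yet valid (nbf is in the future)")
    return problems


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample token (alg=none, empty signature).
    Only used to exercise the checker offline; never accept such tokens."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    # Constructed sample: a token minted for a different audience and principal.
    sample = make_unsigned_sample_token({
        "aud": "https://graph.microsoft.com",
        "oid": "11111111-1111-1111-1111-111111111111",
        "exp": int(time.time()) + 3600,
    })
    for problem in check_storage_token(sample) or ["token looks usable for Blob"]:
        print(problem)
```

In practice you would paste the `token` value returned by the `/exchanged` endpoint into `check_storage_token`; if `aud` or `oid` is reported, fix the token request (the scope used for the client-assertion exchange, or which app registration the federated credential is attached to) rather than adding more roles.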