Running Azure Function in AKS with Workload Identity and Eventhub Trigger


I am trying to run an Azure Function in Azure Kubernetes Service (AKS) with an Event Hub trigger and workload identity. I was able to run the function successfully in AKS with managed identity; now I want to try workload identity with the same function. I tried to find some documentation but could not find anything. I deployed the function with the credential set to workloadidentity and checked the pod logs to see what happens, and I saw an error saying "tenantId, clientId and tokenFilePath" are missing. I added environment variables like:

EventHubConnection__clientId: ***
EventHubConnection__credential: workloadidentity
EventHubConnection__fullyQualifiedNamespace: ***
EventHubConnection__tenantId: ***
EventHubConnection__tokenFilePath:  /var/run/secrets/azure/tokens/azure-identity-token

After that I saw an error in the logs saying the path /var/run/secrets/azure/tokens/azure-identity-token was not found. I checked in bash whether this path exists, but it did not; however, I saw the path /var/run/secrets/kubernetes.io/serviceaccount/token, so I changed the token file path to that.

After adding this, I am getting this error:

StatusCode: 401 
ResponseBody: {"error":"invalid_client","error_description":"AADSTS70023: External OIDC Provider token must have a lifetime of less than or equal to 1.01:00:00. Token issued at 1711596573. Token expires on 1743132573. Trace ID: **** Correlation ID: **** Timestamp: 2024-03-28 03:37:57Z","error_codes":[70023],"timestamp":"2024-03-28 03:37:57Z","trace_id":"****","correlation_id":"****","error_uri":"https://login.microsoftonline.com/error?code=70023"} 

The deployment file has the following:

labels:
  azure.workload.identity/use: "true"

and

spec:
  serviceAccountName: <service-account-name>

I could not find any documentation that could help me on my journey.

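A note on the AADSTS70023 response quoted in the question: it reports the token's own claims, and 1743132573 - 1711596573 is 31536000 seconds, so the file at /var/run/secrets/kubernetes.io/serviceaccount/token is a one-year token, while the limit Entra ID names (1.01:00:00 in .NET TimeSpan notation) is 25 hours. The projected token that the Azure Workload Identity mutating webhook mounts at /var/run/secrets/azure/tokens/azure-identity-token is requested with a 3600 s expiry and the audience api://AzureADTokenExchange; the webhook only mutates pods that carry the label azure.workload.identity/use: "true" in the pod template (spec.template.metadata.labels in a Deployment, not the Deployment's own metadata) and whose service account is annotated with azure.workload.identity/client-id. The following Python script is an added example, not part of the question or of any Microsoft component: it decodes a token without verifying its signature and applies the two checks Entra ID performs before a federated exchange, so you can see from inside the pod whether the file you are pointing tokenFilePath at will be accepted. The sample tokens are constructed; their iat/exp values come from the error above, and the issuer, subject and audiences are assumed.

```python
"""Check a Kubernetes projected token before Entra ID federation (added example).

Decodes a JWT without signature verification and applies the two checks that
Entra ID enforces on an external OIDC token: the lifetime limit reported by
AADSTS70023 (1.01:00:00 = 25 h) and the audience that the Azure Workload
Identity webhook requests for its projected token. Diagnostic only.
"""
import base64
import json
import sys

MAX_LIFETIME_SECONDS = 25 * 3600            # "1.01:00:00" from AADSTS70023
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"
WEBHOOK_TOKEN_PATH = "/var/run/secrets/azure/tokens/azure-identity-token"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_federated_token(token: str, expected_audience: str = EXPECTED_AUDIENCE) -> dict:
    """Apply the lifetime and audience checks; return the findings."""
    claims = decode_jwt_claims(token)
    problems = []
    lifetime = None
    iat, exp = claims.get("iat"), claims.get("exp")
    if iat is None or exp is None:
        problems.append("token has no iat/exp claims")
    else:
        lifetime = exp - iat
        if lifetime > MAX_LIFETIME_SECONDS:
            problems.append(f"lifetime {lifetime}s exceeds {MAX_LIFETIME_SECONDS}s (AADSTS70023)")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_audience not in audiences:
        problems.append(f"audience {audiences} does not include {expected_audience}")
    return {"lifetime": lifetime, "audiences": audiences, "problems": problems}


def check_token_file(path: str = WEBHOOK_TOKEN_PATH) -> dict:
    """Read a mounted token file and run the checks on its contents."""
    with open(path, "r", encoding="utf-8") as fh:
        return check_federated_token(fh.read())


def make_unsigned_jwt(claims: dict) -> str:
    """Build a JWT with an empty signature. Only used to construct sample input."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


# Constructed samples. iat/exp of the first token are the values quoted in the
# AADSTS70023 error; issuer, subject and audiences are assumed placeholders.
SAMPLE_DEFAULT_SA_TOKEN = make_unsigned_jwt({
    "iss": "https://kubernetes.default.svc",
    "aud": ["https://kubernetes.default.svc"],
    "sub": "system:serviceaccount:default:func-sa",
    "iat": 1711596573, "exp": 1743132573,
})
SAMPLE_PROJECTED_TOKEN = make_unsigned_jwt({
    "iss": "https://oidc.example.invalid/",      # placeholder for the AKS OIDC issuer URL
    "aud": ["api://AzureADTokenExchange"],
    "sub": "system:serviceaccount:default:func-sa",
    "iat": 1711596573, "exp": 1711600173,
})

if __name__ == "__main__":
    # Usage: python check_token.py [path-to-token-file]; with no path, run the samples.
    if len(sys.argv) > 1:
        results = [check_token_file(sys.argv[1])]
    else:
        results = [check_federated_token(SAMPLE_DEFAULT_SA_TOKEN),
                   check_federated_token(SAMPLE_PROJECTED_TOKEN)]
    for r in results:
        print("OK     " if not r["problems"] else "REJECT ", r)
```

Run it inside the function pod against the file tokenFilePath points to; if it reports a lifetime over 90000 s or an audience other than api://AzureADTokenExchange, the token is not the webhook's projected token and the exchange will fail the same way regardless of the clientId and tenantId settings.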