Description
Related command
az identity
Resource Provider
Microsoft.ManagedIdentity
Description of Feature or Work Requested
MSI has added a new resource, Federated Identity Credentials (FIC), as a sub-resource of existing User Assigned Identities ("userAssignedIdentities/federatedIdentityCredentials").
The CLI is expected to provide CRUD operations for this sub-resource. See the request example below.
High-level documentation: https://aka.ms/ami/wif/docs
A FIC object looks like this:
{
"issuer": "https://oidc.prod-aks.azure.com/IssuerGUID",
"subject": "system:serviceaccount:ns:svcaccount",
"audiences": ["api://AzureADTokenExchange"]
}
In the AAD context, the audiences array is supposed to have exactly one element in most cases.
Is it possible to make "audiences": ["api://AzureADTokenExchange"] the default value, with the ability to override it?
Minimum API Version Required
2022-01-31-preview
Swagger PR link
Azure/azure-rest-api-specs#19548
Request Example
Existing command to create a managed identity:
az identity create --name $uaId --resource-group $rg --location $location --subscription $subscription
This managed identity can then be used for the FIC CRUD operations below. These 4 operations are expected to become available in the CLI.
create/update FIC
az rest --method put `
--url "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$uaId/federatedIdentityCredentials/$ficId?api-version=2022-01-31-PREVIEW" `
--headers "Content-Type=application/json" `
--body "{'properties': { 'issuer': 'https://kubernetes-oauth.azure.com/', 'subject': 'system:serviceaccount:ns:svcaccount', 'audiences': ['api://AzureADTokenExchange'] }}"
read FIC
az rest --method get --url "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$uaId/federatedIdentityCredentials/$ficId?api-version=2022-01-31-PREVIEW"
read all FICs associated with the user-assigned identity (supports paging)
az rest --method get --url "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$uaId/federatedIdentityCredentials?api-version=2022-01-31-PREVIEW"
delete FIC
az rest --method delete --url "/subscriptions/$subscription/resourceGroups/$rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/$uaId/federatedIdentityCredentials/$ficId?api-version=2022-01-31-PREVIEW"
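The four operations above, expressed as small helpers (an added example, not azure-cli code and not part of the issue): fic_path composes the ARM URL for one FIC or for the collection, fic_body builds the PUT body with the proposed default audiences ["api://AzureADTokenExchange"] that can be overridden, check_fic flags the malformed inputs a CLI would want to reject, az_rest_args shows the equivalent az rest argv, and list_all_fics follows the value/nextLink paging of the list call. The function names and the two sample pages are this example's own constructions.

```python
# Added example (not azure-cli's or the issue's code): helpers that compose the
# FIC requests shown in the request example and follow ARM list paging.
# fic_path, fic_body, check_fic, az_rest_args, list_all_fics and the sample
# pages below are constructed for this example, not real API responses.
import json

API_VERSION = "2022-01-31-PREVIEW"
DEFAULT_AUDIENCES = ["api://AzureADTokenExchange"]  # default proposed in the issue


def fic_path(subscription, rg, ua_id, fic_id=None):
    """ARM path for one FIC (fic_id given) or for the FIC collection (fic_id None)."""
    path = (f"/subscriptions/{subscription}/resourceGroups/{rg}"
            f"/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{ua_id}"
            "/federatedIdentityCredentials")
    if fic_id is not None:
        path += f"/{fic_id}"
    return f"{path}?api-version={API_VERSION}"


def check_fic(issuer, subject, audiences):
    """Return a list of problems with the three FIC properties (empty list = ok)."""
    problems = []
    if not issuer.startswith("https://"):
        problems.append("issuer must be an https:// URL")
    if not subject:
        problems.append("subject must not be empty")
    if not audiences:
        problems.append("audiences must contain at least one element")
    elif len(audiences) != 1:
        # The issue notes AAD expects exactly one audience in most cases.
        problems.append("audiences should contain exactly one element")
    return problems


def fic_body(issuer, subject, audiences=None):
    """PUT body for create/update; audiences falls back to DEFAULT_AUDIENCES."""
    audiences = list(DEFAULT_AUDIENCES) if audiences is None else list(audiences)
    problems = check_fic(issuer, subject, audiences)
    if problems:
        raise ValueError("; ".join(problems))
    return {"properties": {"issuer": issuer, "subject": subject,
                           "audiences": audiences}}


def az_rest_args(method, path, body=None):
    """argv of the equivalent `az rest` call (returned for display, not executed)."""
    args = ["az", "rest", "--method", method, "--url", path]
    if body is not None:
        args += ["--headers", "Content-Type=application/json",
                 "--body", json.dumps(body)]
    return args


def list_all_fics(fetch, subscription, rg, ua_id):
    """Collect every FIC under the identity, following ARM's value/nextLink paging.

    fetch(url) must return the decoded JSON page for that URL.  A nextLink that
    repeats an already-fetched URL is treated as an error instead of looping."""
    url = fic_path(subscription, rg, ua_id)
    seen, items = set(), []
    while url:
        if url in seen:
            raise RuntimeError(f"paging loop detected at {url}")
        seen.add(url)
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items


# Constructed two-page list response (not captured from Azure).
_LIST_URL = fic_path("sub-0000", "rg-demo", "ua-demo")
_NEXT_URL = _LIST_URL + "&$skiptoken=page2"  # constructed continuation token
CONSTRUCTED_PAGES = {
    _LIST_URL: {"value": [{"name": "fic-a"}, {"name": "fic-b"}], "nextLink": _NEXT_URL},
    _NEXT_URL: {"value": [{"name": "fic-c"}]},
}


def demo_list_names():
    """Walk the constructed pages and return the FIC names in order."""
    fics = list_all_fics(CONSTRUCTED_PAGES.__getitem__, "sub-0000", "rg-demo", "ua-demo")
    return [f["name"] for f in fics]


if __name__ == "__main__":
    body = fic_body("https://oidc.prod-aks.azure.com/IssuerGUID",
                    "system:serviceaccount:ns:svcaccount")
    print(" ".join(az_rest_args("put", fic_path("sub-0000", "rg-demo", "ua-demo", "fic-demo"), body)))
    print(demo_list_names())
```

The loop guard in list_all_fics is there because a list call that "supports paging" is only safe to consume if the client stops on a repeated nextLink; the audience check mirrors the issue's point that a default of one audience is the expected shape, while still letting a caller override it.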
Target Date
July
Additional context
PyPI link: https://pypi.org/project/azure-mgmt-msi/6.1.0/
The given API version "2022-01-31-PREVIEW" is available in public cloud, Mooncake and Fairfax, but not in air-gapped clouds.