Comments (7)
The root of the problem seems to be caused by the fact that Teleport isn't setting the Cloud when creating Azure clients. This means it will always default to AzurePublic. I imagine the same error would occur if anyone tried to deploy in either AzureGovernment or AzureChina.
See Azure/azure-sdk-for-go#21807 for more details.
@AntonAM Hi Anton, can you please provide any update on this? We are currently blocked by this to roll out our solution on Azure China environments.
@waleed-cariad can you try running discovery service with environment variable AZURE_AUTHORITY_HOST: https://login.chinacloudapi.cn/. Also, can you provide teleport logs with a bit of context (a few lines before the error and a few lines after the error, also with the line numbers and file information if present in the logs).
@AntonAM I have attached a log file named teleport_discovery_logs for your reference. This is everything we see after running discovery service, please refer to line 85 starting with ManagedIdentityCredential: failed to authenticate a system assigned identity.
About running discovery service with environment variable AZURE_AUTHORITY_HOST, I think this will work only when we use EnvironmentCredential for authentication but we are not using them at all and we don't want to as we want to rely on Azure API to handle all authentications using Managed Identities.
teleport_discovery_logs.json
P.S: it still doesn't work though if we set environment variables for AZURE_AUTHORITY_HOST and AZURE_TENANT_ID.
Just to add, as mentioned here on Azure Docs, we are successfully able to get an access token by manually running the following on that Azure VM where the Teleport process is running, with the VM being assigned a Managed Identity: curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://management.core.chinacloudapi.cn/'.
By replacing the resource in the above request from https://management.core.chinacloudapi.cn/ to https://management.core.windows.net/, we got the following obvious error:
{"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: a97993dd-1433-4a06-b322-204bb9f42e00 Correlation ID: 2646efeb-ae3b-43f6-83e9-a4a372af9b87 Timestamp: 2024-02-20 09:17:14Z","error_codes":[500011],"timestamp":"2024-02-20 09:17:14Z","trace_id":"a97993dd-1433-4a06-b322-204bb9f42e00","correlation_id":"2646efeb-ae3b-43f6-83e9-a4a372af9b87","error_uri":"https://chinanorth2.login.partner.microsoftonline.cn/error?code=500011"}
This is the same as we are seeing in Teleport logs when trying to run Teleport processes to use the Azure Managed Identity of that VM where Teleport is deployed. Hope that helps.
I guess you still don't support Azure China as mentioned here on line 88?
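The two comments above describe the same defect from both ends: the first says the SDK clients are built without a Cloud and so default to AzurePublic, the second shows what that looks like on the wire, a managed-identity token request that carries the Public-cloud ARM audience and is answered by a China tenant with AADSTS500011. The Go program below is an added example and is not Teleport's or the Azure SDK's code. It keeps a small per-cloud table in the shape of the SDK's cloud.Configuration, builds the IMDS token request from the thread with the audience of the selected cloud, and classifies an IMDS response so that a "wrong cloud" rejection is reported as such rather than as a generic authentication failure. The AzureChina authority host and audience are the values quoted in the thread; the AzurePublic and AzureGovernment values are taken from the SDK's cloud package as I recall them and should be treated as assumptions. The embedded sample rejection is the error body from the thread with its trace and correlation IDs removed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// CloudConfig mirrors the shape of azure-sdk-for-go's cloud.Configuration: the
// AAD authority host and the ARM token audience for one sovereign cloud.
type CloudConfig struct {
	Name          string
	AuthorityHost string // ActiveDirectoryAuthorityHost in the SDK
	ARMAudience   string // the `resource` a managed identity must request from IMDS
}

// AzureChina values are the ones quoted in the thread; AzurePublic and AzureGovernment
// are taken from the SDK's cloud package as I recall them (assumption).
var (
	AzurePublic     = CloudConfig{"AzurePublic", "https://login.microsoftonline.com/", "https://management.core.windows.net/"}
	AzureChina      = CloudConfig{"AzureChina", "https://login.chinacloudapi.cn/", "https://management.core.chinacloudapi.cn/"}
	AzureGovernment = CloudConfig{"AzureGovernment", "https://login.microsoftonline.us/", "https://management.core.usgovcloudapi.net/"}
	knownClouds     = []CloudConfig{AzurePublic, AzureChina, AzureGovernment}
)

// CloudFromName selects a cloud by name. An empty name is the "nothing configured"
// case and means AzurePublic, the silent default the thread is about; an unknown
// name is rejected rather than defaulted.
func CloudFromName(name string) (CloudConfig, error) {
	if name == "" {
		return AzurePublic, nil
	}
	for _, c := range knownClouds {
		if strings.EqualFold(c.Name, name) {
			return c, nil
		}
	}
	return CloudConfig{}, fmt.Errorf("unknown Azure cloud %q", name)
}

// IMDSTokenURL builds the managed-identity token request from the thread (the curl
// against 169.254.169.254) with the audience of the chosen cloud. IMDS also
// requires the "Metadata: true" request header.
func IMDSTokenURL(c CloudConfig) string {
	q := url.Values{}
	q.Set("api-version", "2018-02-01")
	q.Set("resource", c.ARMAudience)
	return "http://169.254.169.254/metadata/identity/oauth2/token?" + q.Encode()
}

// sampleRejection is the AADSTS500011 body from the thread (trace/correlation IDs dropped).
const sampleRejection = `{"error":"invalid_resource","error_description":"AADSTS500011: The resource principal named https://management.core.windows.net/ was not found in the tenant named VGC. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.","error_codes":[500011],"error_uri":"https://chinanorth2.login.partner.microsoftonline.cn/error?code=500011"}`

// aadError is the subset of the AAD error body this check acts on.
type aadError struct {
	Error            string `json:"error"`
	ErrorDescription string `json:"error_description"`
}

var resourcePrincipalRe = regexp.MustCompile(`resource principal named (\S+) was not found`)

// Diagnosis is the verdict on one IMDS token response.
type Diagnosis struct {
	Kind              string // "ok", "cloud-mismatch" or "other"
	RequestedAudience string // audience AAD rejected, when it can be parsed from the message
	ExpectedAudience  string
}

// DiagnoseTokenResponse classifies an IMDS response body for a deployment that should
// talk to `want`. AADSTS500011 naming another known cloud's audience is the fingerprint
// of a client built for the wrong cloud.
func DiagnoseTokenResponse(body []byte, want CloudConfig) (Diagnosis, error) {
	var e aadError
	if err := json.Unmarshal(body, &e); err != nil {
		return Diagnosis{}, err
	}
	d := Diagnosis{Kind: "ok", ExpectedAudience: want.ARMAudience}
	if e.Error == "" {
		return d, nil // a token response rather than an error
	}
	d.Kind = "other"
	if e.Error != "invalid_resource" && !strings.Contains(e.ErrorDescription, "AADSTS500011") {
		return d, nil
	}
	if m := resourcePrincipalRe.FindStringSubmatch(e.ErrorDescription); m != nil {
		d.RequestedAudience = m[1]
	}
	for _, c := range knownClouds {
		if c.Name != want.Name && c.ARMAudience == d.RequestedAudience {
			d.Kind = "cloud-mismatch"
		}
	}
	return d, nil
}

func main() {
	d, _ := DiagnoseTokenResponse([]byte(sampleRejection), AzureChina)
	fmt.Printf("%s: requested %s, expected %s\ncurl -H 'Metadata: true' '%s'\n", d.Kind, d.RequestedAudience, d.ExpectedAudience, IMDSTokenURL(AzureChina))
}
```

Run against the sample body, DiagnoseTokenResponse reports cloud-mismatch with the Public-cloud audience as the requested one, which is the signal buried in the ManagedIdentityCredential failure in the attached logs. The design point is that the cloud must be chosen once, explicitly, and fed to every client: in the SDK that is the Cloud field of azcore.ClientOptions, which the first comment says Teleport leaves unset, and it covers both the authority host and the token audience, so setting only AZURE_AUTHORITY_HOST, as the third comment found, is not enough for a managed identity.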
@AntonAM @rosstimothy Can you please let us know any timeline for this to be fixed? As I mentioned, we are blocked by this to roll-out our solution to China and we can't just do it in Europe only as that does not help us to keep our Architecture replicated in all regions. Also, we are in the process of buying Teleport licence hopefully but we need to make sure first that we can use teleport both in Europe and in China. Can you please help to fix this issue else we will be completely stuck by this.
Hi @waleed-cariad, this issue is not currently under active development. If you are a Teleport Enterprise customer (or in the process of becoming one) I would encourage you to raise this with your account rep. They'll be able to start some conversations internally that will help us determine when we can schedule this work.