Support single tenant azure configurations

[Inrixia]

#16 is great and works perfectly, but if the environment is single tenant then DefaultAzureCredential will fail to authenticate with a given client secret and id:

{"level":"fatal","caller":"azure-resourcemanager-exporter/main.go:147","msg":"DefaultAzureCredential: failed to aquire a token.\nAttempted credentials:\n\tClientSecretCredential: the authority doesn't support tenants"}

[Inrixia]

Any chance a fix or workaround for this is possible?

[mblaschke]

@Inrixia
sorry for my question, but what is a "single tenant environment"?

azure-resourcemanager-exporer is using https://github.com/Azure/azure-sdk-for-go so if it's supported with the SDK everything should be possible. this exporter is not using an own auth method, it fully relies on the azure sdk.

[Inrixia]

No problem, I'm unsure tbh, perhaps there is additional configuration needed that's missing but I tried using the cloud config approach in #16 and got as far as the given error with all fields properly filled out.

Using the node.js library for Auth using a ClientSecretCredential instead of a DefaultAzureCredential works but I had to manually specify the authority host (noted in #16) and disable host discovery.

Perhaps the issue is something to do with how DefaultAzureCredential tries to authenticate.

[Inrixia]

My assumption from the given error was that there is a issue with ad not accepting the authentication request. Potentially due to requiring custom scopes or something else, getting it working in node was finicky so I wouldn't be surprised if it's due to a similar issue I encountered.

I might try grabbing the source and seeing if using a different config/authentication method may get it to work.

I'll update if I make any progress, I doubt there is much you'd be able to do on your end without being able to test.

[mblaschke]

can you post your configuration? please ensure that uuid and secrets are masked

[Inrixia]

It's the same as #16 basically. Ill do some more tests in a few weeks when I get time and update with more info then.

[Inrixia]

So just did some more tests and am still getting this issue.

My docker compose looks like this:

services:
  azure-test:
    image: webdevops/azure-resourcemanager-exporter:23.6.1
    environment:
      AZURE_CLIENT_ID: ****
      AZURE_CLIENT_SECRET: ****
      AZURE_TENANT_ID: ****
      AZURE_SUBSCRIPTION_ID: ****
      AZURE_CLOUD_CONFIG_FILE: ****
      AZURE_ENVIRONMENT: AzurePrivate
      CONFIG: ****
... remaining config for volumes & port

My cloud-config file is in the format of #16 and is working as logging from "caller":"armclient/client.go:85" is reporting the custom endpoints for AzureAD and ResourceManager.

When authenticating using the node.js libraries I have to manually specify scopes when calling credential.getToken() where credential is a ClientSecretCredential.

This can be handled automatically in arm libraries by passing credentialScopes in the options when initializing a arm client.

Perhaps its the scopes that are causing the issue? Its the only thing different to my config that's working in node but the error returned stating "the authority doesn't support tenants" seems weird...