in pkg/cmd/serviceaccount/phases/create/federatedidentitycredential.go [64:99]
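// run creates the federated identity credential that binds the Kubernetes
// service account (namespace/name from createData) to the AAD application
// identified by createData.AADApplicationObjectID().
//
// The credential's issuer is the service account issuer URL, its subject is
// derived from the service account namespace and name, and its audience is
// the webhook's default audience. The phase is idempotent: if the credential
// already exists it logs a warning and returns nil without claiming that a new
// credential was added. Any other error from the Azure client is wrapped and
// returned. A data value that is not a CreateData is reported as an error
// rather than panicking on the type assertion.
func (p *federatedIdentityPhase) run(ctx context.Context, data workflow.RunData) error {
	createData, ok := data.(CreateData)
	if !ok {
		// Wrong RunData type is a workflow wiring bug; surface it as an error.
		return fmt.Errorf("unexpected run data type %T, expected CreateData", data)
	}

	namespace, saName := createData.ServiceAccountNamespace(), createData.ServiceAccountName()
	issuerURL := createData.ServiceAccountIssuerURL()
	objectID := createData.AADApplicationObjectID()

	subject := util.GetFederatedCredentialSubject(namespace, saName)
	name := util.GetFederatedCredentialName(namespace, saName, issuerURL)
	description := fmt.Sprintf("Federated Service Account for %s/%s", namespace, saName)

	fic := models.NewFederatedIdentityCredential()
	// The credential is scoped to the webhook's default audience only.
	fic.SetAudiences([]string{webhook.DefaultAudience})
	fic.SetDescription(to.Ptr(description))
	fic.SetIssuer(to.Ptr(issuerURL))
	fic.SetSubject(to.Ptr(subject))
	fic.SetName(to.Ptr(name))

	logger := mlog.WithValues(
		"objectID", objectID,
		"subject", subject,
	).WithName(federatedIdentityPhaseName)

	if err := createData.AzureClient().AddFederatedCredential(ctx, objectID, fic); err != nil {
		if !cloud.IsFederatedCredentialAlreadyExists(err) {
			return errors.Wrap(err, "failed to add federated credential")
		}
		// NOTE(review): the pre-existing credential is not compared against the
		// issuer/subject/audience requested here; one created earlier with
		// different values is accepted as-is. Return before the "added" log so
		// the log does not claim a credential was created on this run.
		logger.Warning("federated credential has been previously created")
		return nil
	}

	logger.Info("added federated credential")
	return nil
}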