fix: resolve ARM token resource from AZURE_AUTHORITY_HOST for sovereign cloud ACR auth

Adir Atias · Adir Atias · commit aab6757ae7d8 · 2026-04-29T00:36:22.000+03:00
ArgoCD hardcodes the ARM token scope to the commercial endpoint (https://management.core.windows.net) when exchanging a Workload Identity access token for an ACR refresh token. On sovereign clouds, this causes 401 Unauthorized because the token audience does not match the cloud ARM resource. This change resolves the ARM token resource from AZURE_AUTHORITY_HOST, which is the only cloud-identifying env var injected by the AKS Workload Identity mutating webhook into workload pods. AZURE_ENVIRONMENT is NOT injected into pods (only into the webhook controller itself). Supported clouds: - Azure Public (login.microsoftonline.com) -> management.core.windows.net - Azure US Government (login.microsoftonline.us) -> management.core.usgovcloudapi.net - Azure China (login.partner.microsoftonline.cn) -> management.core.chinacloudapi.cn - Azure US Nat (login.microsoftonline.eaglex.ic.gov) -> management.core.eaglex.ic.gov - Azure US Sec (login.microsoftonline.microsoft.scloud) -> management.core.microsoft.scloud - Azure Bleu (login.sovcloud-identity.fr) -> management.sovcloud-api.fr - Azure Delos (login.sovcloud-identity.de) -> management.sovcloud-api.de AZURE_ARM_TOKEN_RESOURCE env var is preserved as an explicit override for backward compatibility and any unrecognized cloud environments. Signed-off-by: Adir Atias <adatias@microsoft.com>
diff --git a/util/helm/creds.go b/util/helm/creds.go
@@ -9,15 +9,16 @@ import (
 	"io"
 	"net/http"
 	"net/url"
+	"os"
 	"strings"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
+
 	gocache "github.com/patrickmn/go-cache"
 	log "github.com/sirupsen/logrus"
 
 	argoutils "github.com/argoproj/argo-cd/v3/util"
-	"github.com/argoproj/argo-cd/v3/util/env"
 	"github.com/argoproj/argo-cd/v3/util/workloadidentity"
 )
 
@@ -181,7 +182,7 @@ func (creds AzureWorkloadIdentityCreds) getAccessTokenAfterChallenge(ctx context
 	realm := tokenParams["realm"]
 	service := tokenParams["service"]
 
-	armTokenScope := env.StringFromEnv("AZURE_ARM_TOKEN_RESOURCE", "https://management.core.windows.net")
+	armTokenScope := getARMTokenResource()
 	armAccessToken, err := creds.tokenProvider.GetToken(armTokenScope + "/.default")
 	if err != nil {
 		return "", fmt.Errorf("failed to get Azure access token: %w", err)
@@ -292,3 +293,51 @@ func (creds AzureWorkloadIdentityCreds) challengeAzureContainerRegistry(ctx cont
 
 	return tokenParams, nil
 }
+
+// getARMTokenResource returns the Azure Resource Manager token resource/audience
+// for the current cloud environment. This is needed for the ACR OAuth2 token
+// exchange (/oauth2/exchange) on sovereign clouds, where the ARM resource
+// differs from the commercial default.
+//
+// Resolution order:
+//  1. AZURE_ARM_TOKEN_RESOURCE env var (explicit override for any cloud)
+//  2. AZURE_AUTHORITY_HOST env var (injected by the AKS Workload Identity
+//     mutating webhook into every labeled pod)
+//  3. Default: commercial (https://management.core.windows.net)
+func getARMTokenResource() string {
+	// Allow explicit override for any cloud environment
+	if v := os.Getenv("AZURE_ARM_TOKEN_RESOURCE"); v != "" {
+		return v
+	}
+
+	// Resolve from AZURE_AUTHORITY_HOST, which is injected by the AKS Workload
+	// Identity webhook into pods labeled with azure.workload.identity/use: "true".
+	// Note: AZURE_ENVIRONMENT is NOT injected into workload pods by the webhook,
+	// only AZURE_AUTHORITY_HOST, AZURE_CLIENT_ID, AZURE_TENANT_ID, and
+	// AZURE_FEDERATED_TOKEN_FILE are injected.
+	// Ref: https://azure.github.io/azure-workload-identity/docs/installation/mutating-admission-webhook.html
+	authorityHost := strings.TrimRight(os.Getenv("AZURE_AUTHORITY_HOST"), "/")
+	switch authorityHost {
+	// Azure US Government (FairFax, GCC)
+	case "https://login.microsoftonline.us":
+		return "https://management.core.usgovcloudapi.net"
+	// Azure China (Mooncake)
+	case "https://login.partner.microsoftonline.cn":
+		return "https://management.core.chinacloudapi.cn"
+	// Azure US Nat (USNat / EagleX)
+	case "https://login.microsoftonline.eaglex.ic.gov":
+		return "https://management.core.eaglex.ic.gov"
+	// Azure US Sec (USSec)
+	case "https://login.microsoftonline.microsoft.scloud":
+		return "https://management.core.microsoft.scloud"
+	// Azure Bleu (France sovereign)
+	case "https://login.sovcloud-identity.fr":
+		return "https://management.sovcloud-api.fr"
+	// Azure Delos (Germany sovereign)
+	case "https://login.sovcloud-identity.de":
+		return "https://management.sovcloud-api.de"
+	// Azure Public (Commercial) or unrecognized
+	default:
+		return "https://management.core.windows.net"
+	}
+}
