What problem are you facing?
I have to create multiple ProviderConfigs to manage resources in multiple Azure subscriptions.
I have created a workload identity for the crossplane Azure providers. In testing my ProviderConfig was restricted to the Subscription that the managed identity was created in (as documented, this was picked up from the credentials even if removed).
Azure subscriptions are a 'logical' organisation of resources, not a security boundary.
It would be ideal if, instead of creating the DeploymentRuntimeConfig (see detail below) and referencing it in ALL of the family of 'sub-providers', we could create a ProviderConfig something like the following and it would work for all of the provider family:
```yaml
apiVersion: azure.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: default
spec:
  credentials:
    source: WorkloadIdentity
  clientID: <client ID> # client ID of the corresponding Azure User Managed Identity being used by the crossplane provider service accounts.
  tenantID: <tenant ID>
```
What could help solve your problem?
Either:
- Remove the SubscriptionID from the ProviderConfig
- Allow an array of subscriptions
Some detail:
My Azure providers are mapped to a service account that has a federated credential with the crossplane-iac-service user managed identity in Azure via a DeploymentRuntimeConfig (which also gets the provider pods to use workload identities):
The ProviderConfig uses the token from the pods as the credential:
I have configured access for this identity in RBAC; it would be nice if crossplane left it to Azure to manage permissions. Instead I need to create a ProviderConfig for each subscription.
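Added example, not from the issue author or the Crossplane project: the per-subscription setup the issue describes as the current workaround, spelled out as manifests. One DeploymentRuntimeConfig is shared by the whole Azure provider family, each sub-provider references it, and there is one ProviderConfig per subscription that differs only in `subscriptionID`. The identity name `crossplane-iac-service` is taken from the issue; the client ID, tenant ID, subscription IDs, ProviderConfig names, provider package and version tag are placeholders chosen for this example.

```yaml
# Added example, not from the original issue. All IDs, names and the package
# version are placeholders.
# One DeploymentRuntimeConfig shared by every provider in the Azure family. It
# gives the provider pods a service account that Azure Workload Identity
# exchanges for a token of the crossplane-iac-service user-assigned identity.
apiVersion: pkg.crossplane.io/v1beta1
kind: DeploymentRuntimeConfig
metadata:
  name: azure-workload-identity
spec:
  serviceAccountTemplate:
    metadata:
      annotations:
        # Client ID of the user-assigned managed identity that holds a
        # federated credential for this service account (placeholder value).
        azure.workload.identity/client-id: 00000000-0000-0000-0000-000000000000
  deploymentTemplate:
    spec:
      selector: {}
      template:
        metadata:
          labels:
            # Tells the Azure Workload Identity webhook to inject the projected
            # service-account token and the AZURE_* environment variables.
            azure.workload.identity/use: "true"
        spec:
          containers:
            - name: package-runtime
---
# Every sub-provider in the family has to point at the same runtime config.
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
  name: provider-azure-network
spec:
  package: xpkg.upbound.io/upbound/provider-azure-network:v1.0.0 # placeholder tag
  runtimeConfigRef:
    name: azure-workload-identity
---
# Current workaround: one ProviderConfig per subscription. The identity is the
# same in each one; only subscriptionID changes. A managed resource picks its
# subscription through spec.providerConfigRef.name.
apiVersion: azure.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: sub-platform
spec:
  credentials:
    source: WorkloadIdentity
  clientID: 00000000-0000-0000-0000-000000000000
  tenantID: 11111111-1111-1111-1111-111111111111
  subscriptionID: 22222222-2222-2222-2222-222222222222
---
apiVersion: azure.upbound.io/v1beta1
kind: ProviderConfig
metadata:
  name: sub-workloads
spec:
  credentials:
    source: WorkloadIdentity
  clientID: 00000000-0000-0000-0000-000000000000
  tenantID: 11111111-1111-1111-1111-111111111111
  subscriptionID: 33333333-3333-3333-3333-333333333333
```

One caveat worth keeping in mind when weighing the request: `subscriptionID` on the ProviderConfig only scopes which subscription the provider's ARM calls target; it does not grant or restrict anything. Authorization is whatever Azure RBAC has assigned to the crossplane-iac-service identity, so a single identity with roles in several subscriptions has the same blast radius whether it is referenced from one ProviderConfig or from one per subscription.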