Managed Identities are a key concept in Microsoft Azure: they make it easy to manage access to various Azure services without having to worry about rotating secrets. In this article we'll look at how to bind a specific managed identity to pods running in Azure Kubernetes Service (AKS).
Before we start, I'll assume that you have a certain degree of knowledge about Azure and AKS. I will also assume that you have already set up a Subscription, a Resource Group, a User Assigned Managed Identity and the AKS Cluster we are deploying to. So, let's jump into it!
For many years pod-managed identity has been the way to connect an AKS Pod with a Managed Identity. That open source project has been replaced by Azure AD Workload Identity. Unfortunately there aren't many good articles, blog posts or official docs on how to set up and configure it in a good way. Hopefully this one will get you there.
First of all, let's create our ServiceAccount:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: managed_identity_client_id
  labels:
    azure.workload.identity/use: "true"
  name: serviceaccount_name
```
Replace `managed_identity_client_id` with the clientId of your Managed Identity. This can be found in the portal, or by running the following CLI command:

```bash
az identity show -n name-of-managed-identity \
  -g name-of-resource-group \
  -o tsv --query clientId
```

You also need to replace `serviceaccount_name` with something meaningful. We'll need this name later on when we change our deployment.yml and set up federation for the Managed Identity.
Next up you need to change your deployment.yml to include `azure.workload.identity/use: "true"` under `template/metadata/labels` and to reference the ServiceAccount in `template/spec/serviceAccountName`. Your deployment.yml should look something like this:

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
  labels:
    app: helloworld
spec:
  replicas: 2
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: serviceaccount_name
      containers:
        - name: helloworld
          image: mcr.microsoft.com/dotnet/samples:aspnetapp
          ports:
            - containerPort: 80
```
Finally we'll need to run an `az` command to create a federated credential for the Managed Identity. The issuer is the OIDC issuer of your AKS cluster, and the subject must match the namespace and name of the ServiceAccount created above exactly:

```bash
issuerUrl="$(az aks show -g rg-name -n aks-clusterName --query oidcIssuerProfile.issuerUrl -o tsv)"
az identity federated-credential create \
  --name serviceaccount_name \
  --identity-name mi_name \
  --resource-group mi_rg \
  --issuer "$issuerUrl" \
  --subject system:serviceaccount:your-aks-namespace:serviceaccount_name
```
Navigating to the overview of your Managed Identity should show you a new element in the menu named 'Federated Credentials'.
You're now all set to apply the changes to your AKS Cluster by running `kubectl apply` on your configuration files.
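If the exchange fails after deployment, the quickest check is to compare the claims of the token the webhook projects into the pod with what the federated credential was created for. The script below is an added example, not part of the original post: it decodes the projected token (no signature verification, this is a local consistency check only) and reports any mismatch in `iss`, `sub` or `aud`. The issuer URL, namespace and ServiceAccount name are assumed placeholders; inside a pod it reads the token from the `AZURE_FEDERATED_TOKEN_FILE` path the webhook sets, and outside a pod it falls back to a constructed token so it can be run anywhere.

```python
import base64
import json
import os

# Audience the workload-identity webhook requests for the projected token; it is
# also the default audience of `az identity federated-credential create`.
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
# Constructed placeholder values: use the output of `az aks show ... oidcIssuerProfile.issuerUrl`
# and your own namespace / ServiceAccount name here.
ISSUER = "https://example-region.oic.prod-aks.azure.com/TENANT_ID/CLUSTER_ID/"
NAMESPACE, SA_NAME = "default", "serviceaccount_name"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified."""
    _header, payload, _signature = token.strip().split(".")
    return json.loads(_b64url_decode(payload))


def check_federation(token: str, issuer_url: str, namespace: str, sa_name: str) -> list:
    """Compare the projected token with the federated credential's issuer/subject/audience.
    Each returned string is a mismatch that would make the token exchange fail."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} != cluster OIDC issuer {issuer_url!r}")
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} != federated subject {expected_sub!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if TOKEN_EXCHANGE_AUDIENCE not in aud:
        problems.append(f"aud {aud!r} does not contain {TOKEN_EXCHANGE_AUDIENCE!r}")
    return problems


def _constructed_token(iss: str, sub: str, aud: str) -> str:
    """Build an unsigned, CONSTRUCTED token for offline demonstration only."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc({'iss': iss, 'sub': sub, 'aud': aud})}."


if __name__ == "__main__":
    path = os.environ.get("AZURE_FEDERATED_TOKEN_FILE")  # set by the webhook inside the pod
    token = open(path).read() if path else _constructed_token(
        ISSUER, f"system:serviceaccount:{NAMESPACE}:{SA_NAME}", TOKEN_EXCHANGE_AUDIENCE)
    print(check_federation(token, ISSUER, NAMESPACE, SA_NAME) or "claims match the federated credential")
```

Run it with `kubectl exec` in one of the helloworld pods; an empty list means the projected token lines up with the `--issuer` and `--subject` you passed to `az identity federated-credential create`.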
As a bonus: if your application is a .NET app, please make sure that you have updated to at least version 1.9 of the Azure.Identity package. From that version on, `WorkloadIdentityCredential` is included in the `DefaultAzureCredential` authentication flow.