Managed Identities are a key concept in Microsoft Azure: they let a workload authenticate to Azure services without you creating, storing or rotating any secrets. In this article we'll look at how to bind a specific User Assigned Managed Identity to pods running in Azure Kubernetes Service (AKS).

Before we start, I'll assume that you have a certain degree of knowledge about Azure and AKS. I will also assume that you have already set up a Subscription, a Resource Group, a User Assigned Managed Identity and the AKS cluster we are deploying to, and that the cluster has the OIDC issuer and workload identity features enabled (Workload Identity does not work without them). So, let's jump into it!

For many years pod-managed identity (the open source AAD Pod Identity project) has been the way to connect an AKS pod with a Managed Identity. That project has been replaced by Azure AD Workload Identity, which instead federates the pod's Kubernetes service account token with Azure AD. Unfortunately there aren't many good articles, blog posts or official docs on how to set this up and configure it properly. Hopefully this one will get you there.

First of all, let's create our serviceaccount.yml file

apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: managed_identity_client_id
  labels:
    azure.workload.identity/use: "true"
  name: serviceaccount_name
  namespace: your-aks-namespace   # must match the namespace used in the federated credential's subject

Replace managed_identity_client_id with the clientId of your Managed Identity (the client ID, not the object/principal ID or the resource ID). You can find it in the portal, or by running the following CLI command

az identity show -n name-of-managed-identity \
-g name-of-resource-group \
-o tsv --query clientId

You also need to replace serviceaccount_name (and your-aks-namespace) with something meaningful. We'll need this exact name later on, both when we change our deployment.yml and when we set up federation for the Managed Identity.

Next up you need to change your deployment.yml to include the label azure.workload.identity/use: "true" under template/metadata/labels and to reference serviceaccount_name under template/spec/serviceAccountName. The label on the pod template is what makes the workload identity mutating webhook inject the AZURE_* environment variables and the projected service account token into the pod, and the service account is what the token is issued for. Your deployment.yml should look something like this:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
  labels:
    app: helloworld
spec:
  replicas: 2
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: serviceaccount_name
      containers:
        - name: helloworld
          image: mcr.microsoft.com/dotnet/samples:aspnetapp
          ports:
          - containerPort: 80

Finally, we'll need to run an az command to create a federated credential on the Managed Identity. This tells Azure AD to trust tokens from your cluster's OIDC issuer whose subject is exactly this service account in this namespace; any difference in namespace or service account name means the token exchange will be rejected. The audience is left at its default, api://AzureADTokenExchange, which is the audience of the token the webhook projects into the pod.

issuerUrl="$(az aks show -g rg-name -n aks-clusterName --query oidcIssuerProfile.issuerUrl -o tsv)"

az identity federated-credential create \
--name serviceaccount_name \
--identity-name mi_name \
--resource-group mi_rg \
--issuer "$issuerUrl" \
--subject system:serviceaccount:your-aks-namespace:serviceaccount_name

Navigating to your Managed Identity in the portal should now show a new entry in its menu named 'Federated credentials', listing the credential you just created.

You're now all set to apply the changes to your AKS cluster by running kubectl apply on your configuration files. As a quick check, describe one of the new pods: the webhook should have injected the AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE and AZURE_AUTHORITY_HOST environment variables and a projected token volume. If they are missing, the pod label or serviceAccountName is wrong, or the workload identity feature is not enabled on the cluster.
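As an added example that is not part of the original post, the following Python (standard library only) shows what the webhook and the SDK's WorkloadIdentityCredential actually do with the pieces configured above, and checks the thing that breaks most often: the projected token's iss, sub and aud must match the federated credential exactly. The namespace app, the service account helloworld-sa, the issuer URL and the sample token are constructed placeholders; the environment variable names are the ones the workload identity webhook injects, and the token-endpoint form fields are the standard OAuth 2.0 client-credentials grant with a JWT bearer client assertion.

```python
"""Added example (not code from the original post): inspect the projected
token that AKS Workload Identity hands a pod, compare it with what the
federated credential was registered with, and build the token-exchange
request the Azure SDK sends. Uses only the standard library."""
import base64
import json
import os
import time
from typing import Mapping

AUDIENCE = "api://AzureADTokenExchange"  # default audience of the federated credential
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
# Injected by the mutating webhook into pods labelled azure.workload.identity/use: "true"
WEBHOOK_ENV = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID",
               "AZURE_FEDERATED_TOKEN_FILE", "AZURE_AUTHORITY_HOST")


def federated_subject(namespace: str, service_account: str) -> str:
    """The --subject the federated credential must carry, character for character."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def jwt_claims(token: str) -> dict:
    """Payload of a JWT read WITHOUT signature verification: fine for looking at
    iss/sub/aud while debugging, never for a trust decision. Azure AD verifies
    the signature against the cluster issuer's JWKS when it receives the token."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def check_projected_token(token: str, issuer_url: str, namespace: str,
                          service_account: str, now=None) -> list:
    """Mismatches between the projected token and the federated credential.
    An empty list means Azure AD should accept the token as a client assertion."""
    claims = jwt_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append(f"issuer mismatch: token iss={claims.get('iss')!r}, credential issuer={issuer_url!r}")
    expected = federated_subject(namespace, service_account)
    if claims.get("sub") != expected:
        problems.append(f"subject mismatch: token sub={claims.get('sub')!r}, credential subject={expected!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if AUDIENCE not in aud:
        problems.append(f"audience mismatch: token aud={aud!r}, credential audience={AUDIENCE!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired: kubelet rotates the projected file, re-read it instead of caching it")
    return problems


def token_request(tenant_id: str, client_id: str, assertion: str, scope: str,
                  authority_host: str = "https://login.microsoftonline.com"):
    """URL and form body of the OAuth 2.0 client-credentials request in which the
    projected Kubernetes token is presented as the client assertion. POSTing this
    form is what turns the Kubernetes token into an Azure access token."""
    url = f"{authority_host.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": ASSERTION_TYPE,
        "client_assertion": assertion,
    }
    return url, body


def request_from_pod_env(scope: str, env: Mapping = os.environ):
    """Same request built from the variables the webhook injects; the token file
    is read fresh on every call because kubelet rotates it."""
    missing = [name for name in WEBHOOK_ENV if name not in env]
    if missing:
        raise RuntimeError(f"webhook did not inject {missing}: check the pod label and serviceAccountName")
    with open(env["AZURE_FEDERATED_TOKEN_FILE"]) as fh:
        assertion = fh.read().strip()
    return token_request(env["AZURE_TENANT_ID"], env["AZURE_CLIENT_ID"],
                         assertion, scope, env["AZURE_AUTHORITY_HOST"])


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed stand-in for a projected token (alg=none, empty signature)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return ".".join([header, _b64url_encode(json.dumps(claims).encode()), ""])


# Constructed sample data, not a real cluster or token.
ISSUER = "https://oidc.example.invalid/cluster/"
SAMPLE_TOKEN = make_unsigned_jwt({
    "iss": ISSUER,
    "sub": federated_subject("app", "helloworld-sa"),
    "aud": [AUDIENCE],
    "exp": int(time.time()) + 3600,
})

if __name__ == "__main__":
    print(check_projected_token(SAMPLE_TOKEN, ISSUER, "app", "helloworld-sa"))       # []
    print(check_projected_token(SAMPLE_TOKEN, ISSUER, "default", "helloworld-sa"))   # subject mismatch
    url, body = token_request("tenant-id", "client-id", SAMPLE_TOKEN, "https://management.azure.com/.default")
    print(url, body["client_assertion_type"])
```

In a real pod, replace SAMPLE_TOKEN with the contents of the file in AZURE_FEDERATED_TOKEN_FILE and ISSUER with the issuerUrl you stored above; a non-empty result from check_projected_token tells you which of the service account, namespace or issuer does not line up with the federated credential before you go looking elsewhere.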

As a bonus: if your application is a .NET app, make sure it uses at least version 1.9 of the Azure.Identity package. From that version DefaultAzureCredential includes WorkloadIdentityCredential, which reads the injected AZURE_* environment variables and exchanges the projected token for an Azure access token; with older versions DefaultAzureCredential never tries workload identity and authentication fails in the pod.