Azure AD workload identity with AKS
Managed Identities are a key concept in Microsoft Azure: they make it easy to manage access to various services in Azure without having to worry about rotating secrets. In this article we'll look at how we can attach a specific managed identity to pods running in Azure Kubernetes Service.
Before we start, I'll assume that you have a certain degree of knowledge about Azure and AKS. I will also assume that you have set up a Subscription, a Resource Group, a User Assigned Managed Identity and the AKS Cluster we are deploying to. So, let's jump into it!
For many years pod-managed identity has been the way to connect an AKS Pod with a Managed Identity. That open source project has been replaced by Azure AD Workload Identity. Unfortunately there aren't many good articles, blog posts or official docs on how to set up and configure this in a good way. Hopefully this one will make you succeed.
First of all, let's create our serviceaccount.yml file:
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: managed_identity_client_id
  labels:
    azure.workload.identity/use: "true"
  name: serviceaccount_name
Replace managed_identity_client_id with the clientId of your Managed Identity. This can be found in the portal, or by running the following CLI command:
az identity show -n name-of-managed-identity \
  -g name-of-resource-group \
  -o tsv --query clientId
You also need to replace serviceaccount_name with something meaningful. We'll need this name later on when we change our deployment.yml and set up federation for the Managed Identity.
Next up you need to change your deployment.yml to include azure.workload.identity/use: "true" under template/metadata/labels and to refer to the serviceaccount_name under template/spec/serviceAccountName. Your deployment.yml should look something like this:
apiVersion: apps/v1
kind: Deployment
metadata:
  name: helloworld
  labels:
    app: helloworld
spec:
  replicas: 2
  selector:
    matchLabels:
      app: helloworld
  template:
    metadata:
      labels:
        app: helloworld
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: serviceaccount_name
      containers:
        - name: helloworld
          image: mcr.microsoft.com/dotnet/samples:aspnetapp
          ports:
            - containerPort: 80
Finally we'll need to run an az command to create a federated credential for the Managed Identity. The subject must match the namespace and service account name exactly, in the form system:serviceaccount:<namespace>:<serviceaccount_name>:
issuerUrl="$(az aks show -g rg-name -n aks-clusterName --query oidcIssuerProfile.issuerUrl -o tsv)"
az identity federated-credential create \
  --name serviceaccount_name \
  --identity-name mi_name \
  --resource-group mi_rg \
  --issuer "$issuerUrl" \
  --subject system:serviceaccount:your-aks-namespace:serviceaccount_name
Navigating to the overview of your Managed Identity should show you a new element in the menu named 'Federated Credentials'.
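Whether the token exchange succeeds depends on the projected token's issuer, subject and audience matching the federated credential exactly, so a quick claims comparison is a useful sanity check before debugging further. The helper below is an added example, not code from the original post: it decodes a projected token without verifying its signature and reports each claim that disagrees with the issuer URL, namespace and service account name; the issuer URL and token it uses are constructed placeholders, and api://AzureADTokenExchange is the audience workload identity uses for the exchange.

```python
import base64
import json

# Audience the workload identity webhook requests on the projected token; it is
# also the default audience on an Azure federated credential.
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"


def expected_subject(namespace, serviceaccount_name):
    """Subject the federated credential must carry for this pod's service account."""
    return f"system:serviceaccount:{namespace}:{serviceaccount_name}"


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Read a JWT payload. No signature check: this compares claims against the
    federated credential, it does not establish trust in the token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def federation_mismatches(token, issuer_url, namespace, serviceaccount_name):
    """List the claims that would make Azure AD refuse the token exchange."""
    claims = jwt_claims(token)
    problems = []
    if claims.get("iss") != issuer_url:
        problems.append(f"iss {claims.get('iss')!r} != issuer {issuer_url!r}")
    want_sub = expected_subject(namespace, serviceaccount_name)
    if claims.get("sub") != want_sub:
        problems.append(f"sub {claims.get('sub')!r} != subject {want_sub!r}")
    aud = claims.get("aud")
    if TOKEN_EXCHANGE_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} lacks {TOKEN_EXCHANGE_AUDIENCE!r}")
    return problems


def make_sample_token(claims):
    """Constructed, unsigned token for offline testing only (alg=none is never acceptable in production)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."


if __name__ == "__main__":
    # Placeholder issuer; inside a pod, read the real token from AZURE_FEDERATED_TOKEN_FILE.
    issuer = "https://oidc.example.invalid/placeholder-tenant/placeholder-cluster/"
    token = make_sample_token({"iss": issuer, "aud": [TOKEN_EXCHANGE_AUDIENCE],
                               "sub": "system:serviceaccount:default:helloworld-sa"})
    print(federation_mismatches(token, issuer, "prod", "helloworld-sa"))
```

Inside a running pod the webhook sets AZURE_FEDERATED_TOKEN_FILE to the projected token's path, so you can feed that file's contents to federation_mismatches together with the issuer URL from az aks show.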
You're now all set to apply the changes to your AKS Cluster by running kubectl apply on your configuration files.
As a bonus: please make sure that you have updated to at least version 1.9 of the Azure.Identity package if your application is a .NET app. That version adds WorkloadIdentityCredential to the DefaultAzureCredential authentication flow, so the exchange happens automatically when your application uses DefaultAzureCredential.