Federating AKS workload identity: step-by-step guide

This is a step-by-step guide showing how to federate a workload identity in a Kubernetes (AKS) cluster.

First we enable the OIDC issuer on the cluster. Next, we create a managed identity in Azure.

Then we create a Kubernetes service account and federate it with the managed identity.



# 1. Enable the OIDC issuer and Workload Identity on your cluster
az aks update -g myRG -n myCluster --enable-oidc-issuer --enable-workload-identity

# 2. Get the OIDC issuer URL (Entra ID uses it to fetch the cluster's signing keys)
AKS_OIDC_ISSUER=$(az aks show -n myCluster -g myRG \
  --query "oidcIssuerProfile.issuerUrl" -o tsv)

# 3. Create the Managed Identity in Azure
az identity create --name "my-app-identity" --resource-group myRG

# 4. Create the Kubernetes Service Account (SA)
# Note: you MUST annotate it with the Client ID of the Managed Identity.
# The SA is created in the "default" namespace so that it matches the
# subject used in step 5 (namespace and name must agree).
CLIENT_ID=$(az identity show --name "my-app-identity" \
  --resource-group myRG --query clientId -o tsv)

kubectl create serviceaccount my-app-sa --namespace default
kubectl annotate serviceaccount my-app-sa --namespace default \
  azure.workload.identity/client-id="$CLIENT_ID"

# 5. FEDERATE: create the trust between the SA and the Managed Identity.
# Subject format is system:serviceaccount:<namespace>:<service-account-name>.
az identity federated-credential create \
  --name "my-federated-id" \
  --identity-name "my-app-identity" \
  --resource-group myRG \
  --issuer "$AKS_OIDC_ISSUER" \
  --subject "system:serviceaccount:default:my-app-sa"


So what is really going on behind the scenes when the application tries to access an Azure resource?

The pod requests a token: when your app starts, a mutating webhook in AKS has already injected a projected volume into your pod. This volume contains a Kubernetes service account token.

The exchange: your app (using the Azure Identity SDK) takes that Kubernetes token and sends it to the Microsoft Entra ID (Azure AD) token endpoint.

The validation: Entra ID receives the token. Because of the federated credential you created, Entra ID knows to go to your AKS cluster's OIDC endpoint to verify the token's signature.

The Azure token: once Entra ID confirms the Kubernetes token is valid and its subject matches the federated credential (namespace + SA name), it exchanges it for a real Azure access token.

Access the resource: your app now uses that Azure access token to talk to Key Vault, Storage, or SQL.
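The exchange above can be made concrete from inside the pod. The script below is an added example, not code from the original post or from the Azure SDK: it reads the projected token (the webhook writes its path into the AZURE_FEDERATED_TOKEN_FILE environment variable, alongside AZURE_CLIENT_ID and AZURE_TENANT_ID, for pods labelled azure.workload.identity/use: "true"), checks that its iss, sub and aud claims match what the federated credential was created with, and builds the client_credentials request with a client_assertion that the Azure Identity SDK posts to the Entra ID token endpoint. The issuer URL, client and tenant IDs are placeholders, and when no real token file is present it falls back to a constructed, unsigned JWT so it runs offline; signature verification is Entra ID's job against the cluster's OIDC keys, not the app's.

```python
"""Inspect the projected service-account token and build the Entra ID
token-exchange request that the Azure Identity SDK performs on the pod's behalf.
Added illustration, not the original post's or the SDK's code."""
import base64
import json
import os
from urllib.parse import urlencode

# Issuer as returned by `az aks show` in step 2 (PLACEHOLDER value here) and the
# subject used when the federated credential was created in step 5.
AKS_OIDC_ISSUER = "https://ISSUER-PLACEHOLDER.oic.prod-aks.azure.com/TENANT/CLUSTER/"
EXPECTED_SUBJECT = "system:serviceaccount:default:my-app-sa"
# Audience the webhook requests for the projected token (AKS workload identity default).
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(iss: str, sub: str, aud: str, exp: int = 4102444800) -> str:
    """Build a CONSTRUCTED, unsigned JWT carrying the claims AKS puts in the projected token."""
    header = {"alg": "RS256", "kid": "constructed-kid", "typ": "JWT"}
    payload = {"iss": iss, "sub": sub, "aud": [aud], "exp": exp,
               "kubernetes.io": {"namespace": sub.split(":")[2],
                                 "serviceaccount": {"name": sub.split(":")[3]}}}
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(payload).encode()),
                     "constructed-signature"])


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature: Entra ID verifies it
    against the cluster's OIDC JWKS; this is only a local sanity check before the exchange."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_claims(claims: dict, issuer: str, subject: str, audience: str) -> list:
    """List every mismatch between the token and the federated credential.
    An empty list means Entra ID will find a matching trust (issuer + subject)."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != federated credential issuer {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub {claims.get('sub')!r} != federated credential subject {subject!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if audience not in aud:
        problems.append(f"aud {aud!r} does not contain {audience!r}")
    return problems


def build_exchange_request(token: str, client_id: str, tenant_id: str, scope: str,
                           authority_host: str = "https://login.microsoftonline.com") -> tuple:
    """Return (url, form body) for the client_credentials grant with a client_assertion,
    i.e. the request WorkloadIdentityCredential sends to the v2.0 token endpoint."""
    url = f"{authority_host.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": token,
        "scope": scope,
    })
    return url, body


def load_pod_token() -> str:
    """Read the token the webhook projected into the pod; fall back to the constructed sample."""
    path = os.environ.get("AZURE_FEDERATED_TOKEN_FILE")
    if path and os.path.exists(path):
        with open(path) as f:
            return f.read().strip()
    return make_sample_token(AKS_OIDC_ISSUER, EXPECTED_SUBJECT, EXPECTED_AUDIENCE)


if __name__ == "__main__":
    tok = load_pod_token()
    problems = check_claims(decode_claims(tok), AKS_OIDC_ISSUER, EXPECTED_SUBJECT, EXPECTED_AUDIENCE)
    if problems:
        raise SystemExit("token would be rejected by Entra ID:\n  " + "\n  ".join(problems))
    url, body = build_exchange_request(
        tok,
        os.environ.get("AZURE_CLIENT_ID", "CLIENT-ID-PLACEHOLDER"),
        os.environ.get("AZURE_TENANT_ID", "TENANT-ID-PLACEHOLDER"),
        "https://vault.azure.net/.default",  # scope for Key Vault, as one example resource
    )
    print("POST", url)
    print(body[:100] + "...")  # the assertion is the projected token itself
```

The most common failure in this setup is a subject mismatch: the SA created in one namespace while the federated credential names another, or a typo in the SA name. Running the check inside the pod shows that mismatch locally instead of as an opaque error from the token endpoint.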

