Azure WorkLoad Identity

Vishnu Vardhana Reddy
4 min read, Nov 28, 2023


Workloads deployed in Kubernetes clusters need Azure AD application credentials or managed identities to access Azure AD protected resources. Workload identity lets them obtain those credentials without storing a client secret in the cluster.

How it works

In this model, the Kubernetes cluster becomes a token issuer, issuing tokens to Kubernetes service accounts. These service account tokens can be configured to be trusted by Azure AD applications or user-assigned managed identities. A workload can then exchange the service account token projected into its volume for an Azure AD access token using the Azure Identity SDKs or the Microsoft Authentication Library (MSAL).

Managed Clusters

For managed clusters, the service account signing keys will be set up and managed by the cloud provider.

Enable OIDC issuer

Before deploying Azure AD Workload Identity, you will need to enable any OIDC-specific feature flags and obtain the OIDC issuer URL, which is required when setting up the federated identity credentials.

OIDC enables single sign-on (SSO) between your OAuth-enabled applications on an Azure Kubernetes Service (AKS) cluster by using a security token called an ID token. AKS rotates the signing key automatically and periodically.

az aks update -g myResourceGroup -n myAKSCluster --enable-oidc-issuer

Enable workload identity

This feature is in public preview, with GA expected soon.

az feature register --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview"

Create a user-assigned managed identity and grant it permissions to access the Azure resource

  1. Create the managed identity
  2. Assign the policies required to access the target Azure resource

Create a Kubernetes service account

Service account: it is used to authenticate machine-level processes (rather than users) to the Kubernetes cluster. The API server is responsible for authenticating the processes running in a pod by way of that service account.

Create a Kubernetes service account and annotate it with the client ID of the managed identity created above.

kubectl apply -f - <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: ${APPLICATION_CLIENT_ID:-$USER_ASSIGNED_IDENTITY_CLIENT_ID}
  name: ${SERVICE_ACCOUNT_NAME}
  namespace: ${SERVICE_ACCOUNT_NAMESPACE}
EOF

Establish a federated identity credential between the identity and the service account issuer and subject

Federated identity credentials are a new type of credential that enables workload identity federation for software workloads. Workload identity federation allows you to access Microsoft Entra-protected resources without needing to manage secrets (for supported scenarios).

This step establishes a trust relationship between your identity in Azure AD (the user-assigned managed identity, or an application registration as in the command below) and a Kubernetes workload. Azure AD will only accept a service account token whose issuer, subject and audience match the values registered here.

cat <<EOF > params.json
{
  "name": "kubernetes-federated-credential",
  "issuer": "${SERVICE_ACCOUNT_ISSUER}",
  "subject": "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}",
  "description": "Kubernetes service account federated credential",
  "audiences": [
    "api://AzureADTokenExchange"
  ]
}
EOF

az ad app federated-credential create --id ${APPLICATION_OBJECT_ID} --parameters @params.json

Mutating Admission Webhook

Azure AD Workload Identity uses a mutating admission webhook to project a signed service account token into your workload's volume and to inject the properties the workload needs for the token exchange into pods whose service account is configured to use the webhook.

The webhook lets a pod take the service account token projected to a well-known volume path and exchange it for an Azure AD access token, using those properties together with the Azure Identity SDKs or the Microsoft Authentication Library (MSAL).

Deploy workload

kubectl apply -f - <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: quick-start
  namespace: ${SERVICE_ACCOUNT_NAMESPACE}
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: ${SERVICE_ACCOUNT_NAME}
  containers:
    - image: ghcr.io/azure/azure-workload-identity/msal-go
      name: oidc
      env:
        - name: KEYVAULT_URL
          value: ${KEYVAULT_URL}
        - name: SECRET_NAME
          value: ${KEYVAULT_SECRET_NAME}
  nodeSelector:
    kubernetes.io/os: linux
EOF

  1. The workload identity webhook injects the properties into the pod at start-up.
  2. The pod uses the token at AZURE_FEDERATED_TOKEN_FILE to authenticate to Azure AD and obtain an access token.
  3. The pod presents that access token to the Azure resource and accesses it.
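The exchange in steps 2 and 3 is what the Azure Identity SDKs and MSAL perform for you, and it only succeeds when the projected token's claims line up with the federated credential created from params.json above. The following Python script is an added example, not code from this post or from the Azure Workload Identity project. It builds a constructed, unsigned token with the same claims a projected service account token carries, checks its iss, sub and aud claims (and expiry) against a federated credential dictionary shaped like params.json, and assembles the client-credentials request with a JWT client assertion that the SDK posts to the tenant's token endpoint. The issuer URL, tenant ID, client ID and service account name are placeholders. Nothing is sent to Azure; a real projected token is signed by the cluster and its signature is verified by Azure AD against the OIDC issuer's published keys, which is why the script inspects claims only.

```python
"""Check a projected service account token against a federated identity
credential and build the Azure AD token-exchange request (added example)."""
import base64
import json
import time
from urllib.parse import urlencode

# Constructed placeholder values, not taken from the post.
ISSUER = "https://oidc.prod-aks.azure.com/00000000-0000-0000-0000-000000000000/"
NAMESPACE = "default"
SA_NAME = "workload-identity-sa"
TENANT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_ID = "22222222-2222-2222-2222-222222222222"
EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

# Same shape as params.json in the post.
FEDERATED_CREDENTIAL = {
    "name": "kubernetes-federated-credential",
    "issuer": ISSUER,
    "subject": f"system:serviceaccount:{NAMESPACE}:{SA_NAME}",
    "audiences": [EXCHANGE_AUDIENCE],
}


def _b64url(data: bytes) -> str:
    """Base64url without padding, as used in JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_projected_token(issuer, namespace, sa_name, audience, now=None):
    """Build a constructed, UNSIGNED JWT carrying the claims of a projected
    service account token. A real token is signed by the cluster's key."""
    now = int(time.time()) if now is None else now
    header = {"alg": "none", "typ": "JWT"}
    claims = {
        "iss": issuer,
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "aud": [audience],
        "iat": now,
        "exp": now + 3600,
        "kubernetes.io": {"namespace": namespace, "serviceaccount": {"name": sa_name}},
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def decode_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature: diagnostics only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def check_federation(claims: dict, cred: dict, now=None) -> list:
    """Return the mismatches that would make Azure AD refuse the exchange."""
    now = int(time.time()) if now is None else now
    problems = []
    if claims.get("iss") != cred["issuer"]:
        problems.append(f"issuer mismatch: {claims.get('iss')!r} != {cred['issuer']!r}")
    if claims.get("sub") != cred["subject"]:
        problems.append(f"subject mismatch: {claims.get('sub')!r} != {cred['subject']!r}")
    aud = claims.get("aud", [])
    aud = aud if isinstance(aud, list) else [aud]
    if not set(aud) & set(cred["audiences"]):
        problems.append(f"audience mismatch: {aud!r} not in {cred['audiences']!r}")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def build_token_request(tenant_id, client_id, assertion,
                        scope="https://vault.azure.net/.default"):
    """Return (url, form body) for the client-credentials grant with a JWT
    client assertion, which is what the SDK posts to exchange the token."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    form = {
        "client_id": client_id,
        "grant_type": "client_credentials",
        "client_assertion_type": "urn:ietf:params:oauth:client-assertion-type:jwt-bearer",
        "client_assertion": assertion,
        "scope": scope,
    }
    return url, urlencode(form)


if __name__ == "__main__":
    token = make_projected_token(ISSUER, NAMESPACE, SA_NAME, EXCHANGE_AUDIENCE)
    print("problems:", check_federation(decode_claims(token), FEDERATED_CREDENTIAL) or "none")
    url, body = build_token_request(TENANT_ID, CLIENT_ID, token)
    print("POST", url)
    print(body[:120], "...")
```

In a real pod the assertion is the file named by the AZURE_FEDERATED_TOKEN_FILE environment variable that the webhook injects, alongside AZURE_CLIENT_ID and AZURE_TENANT_ID, and the azure-identity WorkloadIdentityCredential performs this request for you. When the exchange fails, decoding the projected token and comparing iss, sub and aud with the federated credential, as check_federation does, is the quickest way to spot a namespace, service account name or issuer URL that was changed after the credential was created.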

Reference

https://alexisplantin.fr/workload-identity-federation/
