user3740951

Reputation: 1239

Azure Kubernetes Service - Get kubeconfig for non-admin AD app identity

As per my understanding, Azure Kubernetes Service (AKS) allows getting credentials for admin and user identities. Can the user identity be an AD app or a managed identity?

I'm writing .NET code. Can you provide a sample where we can get the user credentials from an AKS cluster by using AD app credentials, assuming I have already done AD integration with my AKS cluster and have already assigned the appropriate role binding for my AD app?

The security section here - https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/getaccessprofile needs implicit flow. How does implicit flow work for AD app credentials?

Upvotes: 0

Views: 16003

Answers (1)

Joey Cai

Reputation: 20067

You can use the implicit grant flow to get an access token.

You'll need the Azure Kubernetes Service Cluster User built-in role to access an Azure AD enabled cluster.

Get the user credentials to access the cluster:

az aks get-credentials --resource-group myResourceGroup --name MyManagedCluster

Or use the List Cluster User Credentials API.

POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedClusters/{resourceName}/listClusterUserCredential?api-version=2020-04-01

Because the Get Access Profile API will be deprecated in the future.

Upvotes: 4
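
The List Cluster User Credentials call from the answer above, written in .NET as an added example that is not part of the original question or answer. It assumes the Azure.Identity NuGet package and an AD app with a client secret that authenticates through the client-credentials flow (swapped in here for the implicit flow the answer mentions); the environment variable names are this example's own choice.

```csharp
// Added example, not from the original answer. Assumes the Azure.Identity NuGet package;
// the AZURE_* and AKS_* environment variable names are hypothetical, chosen for this example.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

static class AksUserKubeconfig
{
    // Decode the first kubeconfig in a listClusterUserCredential response body.
    public static string ExtractKubeconfig(string responseJson)
    {
        using var doc = JsonDocument.Parse(responseJson);
        var configs = doc.RootElement.GetProperty("kubeconfigs");
        if (configs.GetArrayLength() == 0)
            throw new InvalidOperationException("No kubeconfig returned; check the role assignment.");
        string b64 = configs[0].GetProperty("value").GetString() ?? "";
        return Encoding.UTF8.GetString(Convert.FromBase64String(b64));
    }

    static string Env(string name) => Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Missing environment variable {name}");

    static async Task Main()
    {
        // Client-credentials token for the AD app, scoped to Azure Resource Manager.
        var cred = new ClientSecretCredential(
            Env("AZURE_TENANT_ID"), Env("AZURE_CLIENT_ID"), Env("AZURE_CLIENT_SECRET"));
        AccessToken token = await cred.GetTokenAsync(
            new TokenRequestContext(new[] { "https://management.azure.com/.default" }), default);

        string url = "https://management.azure.com/subscriptions/" + Env("AKS_SUBSCRIPTION_ID")
            + "/resourceGroups/" + Env("AKS_RESOURCE_GROUP")
            + "/providers/Microsoft.ContainerService/managedClusters/" + Env("AKS_CLUSTER_NAME")
            + "/listClusterUserCredential?api-version=2020-04-01";

        using var http = new HttpClient();
        using var req = new HttpRequestMessage(HttpMethod.Post, url);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Token);
        using var resp = await http.SendAsync(req);
        resp.EnsureSuccessStatusCode();   // 403 here usually means the Cluster User role is missing

        string kubeconfig = ExtractKubeconfig(await resp.Content.ReadAsStringAsync());
        // The kubeconfig is a credential: report its size, never log its contents.
        Console.WriteLine($"Received user kubeconfig ({kubeconfig.Length} characters)");
    }
}
```

Keep the client secret out of source control and write the returned kubeconfig only to a location readable by the account that needs it.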
