Reputation: 1239
Azure Kubernetes now seems to offer two ways to access other Azure resources:
1. AKS managed identity - https://learn.microsoft.com/en-us/azure/aks/use-managed-identity
2. AAD pod identity - https://github.com/Azure/aad-pod-identity
As an application running within AKS, how can I request a token for the AKS cluster managed identity or the AAD pod identity? When I call the IMDS endpoint for a token, how will it know for which identity to generate the token?
Upvotes: 2
Views: 3817
Reputation: 11
All the above answers are pointing towards using AAD Pod Identity, but we can use the AKS managed identity as well.
Just give rights/access/roles to the AKS managed identity over Azure resources, and then we can use it to access Azure resources without AAD pod identity.
builder.Configuration.AddAzureKeyVault(new Uri("https://<your_vault>.vault.azure.net/"), new DefaultAzureCredential());
As mentioned, I simply allowed the AKS managed identity to read secrets from Azure Key Vault in the portal, and registering the AzureVaultConfig provider in code was enough for me.
As you can see below, the AcrPull role on the ACR was already assigned to the AKS managed identity, so there was no need to create image pull secrets to pull images from the private registry. I tried the same thing with Azure Key Vault, and I guess it should work with other Azure resources as well.
In particular, I used the AKS agent-pool managed identity to access Key Vault.
Upvotes: 0
Reputation: 381
The AKS managed identity you mention in option 1 (https://learn.microsoft.com/en-us/azure/aks/use-managed-identity) is meant for the cluster's internal use only. You cannot use that identity to access Azure resources from your pods.
You can use Pod identity to achieve your needs. You need to create an Identity Binding (https://github.com/Azure/aad-pod-identity#5-deploy-azureidentitybinding) for the managed identity you want to use, and specify that identity binding in your pod spec (https://github.com/Azure/aad-pod-identity#6-deployment-and-validation).
When the pod requests a token from the IMDS endpoint, it does not need to specify the identity: that is figured out automatically by the NMI based on the identity binding in the pod spec for the pod making the request.
Upvotes: 4
Reputation: 1618
Similarly, a host can make an authorization request to fetch Service Principal Token for a resource directly from the NMI host endpoint (http://127.0.0.1:2579/host/token/). The request must include the pod namespace podns and the pod name podname in the request header and the resource endpoint of the resource requesting the token. The NMI server identifies the pod based on the podns and podname in the request header and then queries k8s (through MIC) for a matching azure identity. Then NMI makes an ADAL request to get a token for the resource in the request, returning the token and the clientid as a response.
https://github.com/Azure/aad-pod-identity#node-managed-identity
Upvotes: 1
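The two request shapes described in the answers above, as an added example that is not part of the original posts or of the aad-pod-identity project: a pod asks the IMDS address for a token without naming any identity (NMI picks it from the binding), while the host path names the pod via the podns/podname headers. The `resource` query parameter on the host endpoint, the field names of the reply, and the sample reply itself are assumptions/constructed values; the opener is injectable so the flow runs offline.

```python
import json
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
NMI_HOST_TOKEN_URL = "http://127.0.0.1:2579/host/token/"  # host endpoint named in the README
IMDS_API_VERSION = "2018-02-01"


def pod_token_request(resource):
    """Request a pod sends. No identity is named: NMI intercepts traffic to 169.254.169.254
    and selects the identity from the AzureIdentityBinding that matches the calling pod."""
    query = urllib.parse.urlencode({"api-version": IMDS_API_VERSION, "resource": resource})
    return {"url": f"{IMDS_TOKEN_URL}?{query}", "headers": {"Metadata": "true"}}


def host_token_request(resource, podns, podname):
    """Request a host component sends to NMI directly; the pod is identified by headers.
    Passing `resource` as a query parameter is an assumption, not taken from the README."""
    query = urllib.parse.urlencode({"resource": resource})
    return {"url": f"{NMI_HOST_TOKEN_URL}?{query}", "headers": {"podns": podns, "podname": podname}}


def parse_token_response(body, now):
    """Keep only the fields a caller needs and refuse an already-expired token.
    client_id reports which identity NMI selected; log that, never the token itself."""
    data = json.loads(body)
    expires_on = int(data["expires_on"])
    if expires_on <= now:
        raise ValueError("token already expired")
    return {"access_token": data["access_token"], "client_id": data.get("client_id"),
            "expires_on": expires_on, "resource": data["resource"]}


def fetch_token(spec, now, opener=urllib.request.urlopen):
    """Send the request and parse the reply; `opener` is injectable for offline use."""
    req = urllib.request.Request(spec["url"], headers=spec["headers"])
    with opener(req, timeout=5) as resp:
        return parse_token_response(resp.read(), now)


# Constructed sample reply, shaped like an IMDS/NMI token response (not real data).
SAMPLE_RESPONSE = json.dumps({
    "access_token": "<constructed-token>", "client_id": "00000000-0000-0000-0000-000000000000",
    "expires_on": "1700003600", "resource": "https://vault.azure.net", "token_type": "Bearer",
}).encode()


class _FakeResponse:
    """Minimal stand-in for what urlopen returns, used only for the offline demo."""
    def __init__(self, body): self._body = body
    def __enter__(self): return self
    def __exit__(self, *exc): return False
    def read(self): return self._body


def demo():
    spec = pod_token_request("https://vault.azure.net")
    return fetch_token(spec, now=1700000000, opener=lambda req, timeout: _FakeResponse(SAMPLE_RESPONSE))
```

Replace the fake opener with the default `urllib.request.urlopen` inside a pod that has a matching binding to make the real call.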