Reputation: 2041
I'm trying to follow the guide outlined at this link to generate an access token for AKS for the system assigned managed identity.
The code snippet at the link is doing the following from an app service kudu console:
$resource = "https://graph.microsoft.com"
$endpoint = $env:IDENTITY_ENDPOINT
$header = $env:IDENTITY_HEADER
$apiVersion = "2019-08-01"
$headers = @{ 'X-Identity-Header' = $header }
$url = "$($endpoint)?api-version=$apiVersion&resource=$resource"
$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
$response.access_token
Although this snippet works, the resource identifier varies depending on the resource for which you're requesting the access token. I'm not sure what resource value must be specified to get this for AKS. I have found it for the following, but not for AKS:
https://servicebus.azure.net
https://graph.microsoft.com
https://management.azure.com
https://database.windows.net
https://relay.azure.net
https://eventhubs.azure.net
Does anyone know what this ought to be for AKS?
Upvotes: 1
Views: 612
Figured it out. Apparently after deploying AKS a new Microsoft generated enterprise application is created under your tenant called "Azure Kubernetes Service AAD Server" and has a universal GUID:
6dae42f8-4368-4678-94ff-3960e28e3630.
This should be used as the resource.
Surprisingly there's no mention on any Microsoft authored documentation regarding this. Stumbled across this on other sites.
Hope this helps someone else.
Some references:
Upvotes: 1
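As an added example (not part of the original question or answer), the following PowerShell wraps the token request from the question into a function and then decodes the returned JWT's payload so you can confirm that the `aud` claim actually matches the resource you asked for, using the "Azure Kubernetes Service AAD Server" application ID from the answer. Checking the audience before handing a token to a client is the cheap way to catch a mistyped resource identifier, since the identity endpoint will happily mint a token for any resource string it accepts. `Get-ManagedIdentityToken` and `ConvertFrom-JwtPayload` are names chosen here; the environment variables, header name and API version are the ones from the question. The script only runs inside an App Service (or other host) that exposes the managed identity endpoint.

```powershell
# Request an access token from the App Service managed identity endpoint
# for the given resource. Uses the same IDENTITY_ENDPOINT / IDENTITY_HEADER
# contract and 2019-08-01 API version as the snippet in the question.
function Get-ManagedIdentityToken {
    param(
        [Parameter(Mandatory)] [string] $Resource,
        [string] $ApiVersion = "2019-08-01"
    )
    $endpoint = $env:IDENTITY_ENDPOINT
    $header   = $env:IDENTITY_HEADER
    if (-not $endpoint -or -not $header) {
        throw "IDENTITY_ENDPOINT / IDENTITY_HEADER are not set; run this inside a host with a managed identity enabled."
    }
    # URL-encode the resource so values like https://management.azure.com survive the query string.
    $encoded = [uri]::EscapeDataString($Resource)
    $url = "$($endpoint)?api-version=$ApiVersion&resource=$encoded"
    return Invoke-RestMethod -Method Get -Uri $url -Headers @{ 'X-Identity-Header' = $header }
}

# Decode the (unsigned, base64url) payload segment of a JWT into an object.
# This does not validate the signature; it is only used to inspect claims locally.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)] [string] $Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -lt 2) { throw "Value does not look like a JWT" }
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

# Application ID of "Azure Kubernetes Service AAD Server", as given in the answer above.
$aksResource = "6dae42f8-4368-4678-94ff-3960e28e3630"

$tokenResponse = Get-ManagedIdentityToken -Resource $aksResource
$claims = ConvertFrom-JwtPayload -Jwt $tokenResponse.access_token

# Confirm the token was issued for the resource we asked for. The aud claim may be
# the bare GUID or carry a scheme prefix, so match on the GUID substring.
if ("$($claims.aud)" -notmatch [regex]::Escape($aksResource)) {
    throw "Unexpected audience '$($claims.aud)'; expected a token for $aksResource"
}

# Report only metadata, never the raw token, so it does not end up in console logs.
[pscustomobject]@{
    Audience  = $claims.aud
    Issuer    = $claims.iss
    ExpiresOn = [DateTimeOffset]::FromUnixTimeSeconds([int64]$tokenResponse.expires_on).ToString("u")
}
```

Swap `$aksResource` for any of the other resource URIs listed in the question to reuse the same audience check for those services.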