Vanderwood

Reputation: 193

How to auth with UAMI + FIC in application level for a service deployed in AKS?

UAMI: User-assigned Managed Identity FIC: Federated Identity Credentials

Generally, to use UAMI + FIC: Create a managed identity -> Create a FIC (Customer Managed Key) -> Specify the identity we use in the target Azure resources -> call the token provider in the code

Initially, in the code, we used a client secret to request a token from the Entra App; now we are changing to use UAMI + FIC to request the token.

If the service is deployed as a Function App, it is really simple to specify the managed identity we use in the portal.

However, in Kubernetes, there is no such option. How can we help AKS understand which managed identity we are going to use to request the token from the Entra App for calling other endpoints?

I learnt that in AKS there is pod/workload identity, but that's more on the infra level. What I am looking for is a solution that enables it at the app level, in the same way as a Function App. Meaning, if we deployed the same code to other infra, we would still be able to use the same UAMI + FIC. Please let me know if this is possible for services deployed to AKS.

Upvotes: 0

Views: 468

Answers (1)

Arko

Reputation: 3721

To use User-assigned Managed Identity (UAMI) and Federated Identity Credentials (FIC) for services deployed on Azure Kubernetes Service (AKS), you can leverage the integration of Azure AD Pod Identity, which enables AKS applications to securely access cloud resources by assigning managed identities to pods.

First, create a UAMI in Azure, which your AKS applications will use to authenticate to other Azure services.

az identity create --resource-group <ResourceGroupName> --name <IdentityName>


Install Azure AD Pod Identity in Your AKS Cluster.

Why?

Azure AD Pod Identity allows you to bind Azure Managed Identities to specific pods, enabling seamless authentication to Azure services using Azure AD.

Add and install the Azure AD Pod Identity Helm repo

helm repo add aad-pod-identity https://raw.githubusercontent.com/Azure/aad-pod-identity/master/charts
helm install aad-pod-identity aad-pod-identity/aad-pod-identity


Create an AzureIdentity resource that references the UAMI, and an AzureIdentityBinding that links this identity to specific pods.

Azure Identity example

apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentity
metadata:
  name: myappidentity
spec:
  type: 0  # User-assigned MSI
  resourceID: "/subscriptions/yourid/resourcegroups/yourRG/providers/Microsoft.ManagedIdentity/userAssignedIdentities/myappidentity"
  clientID: "yourclientid"

AzureIdentityBinding example

apiVersion: "aadpodidentity.k8s.io/v1"
kind: AzureIdentityBinding
metadata:
  name: myappidentity-binding
spec:
  azureIdentity: myappidentity
  selector: myapp

Verify the same using

kubectl get azureidentity
kubectl get azureidentitybinding


Use the Selector to match labels that you will add to your application's deployment that should use this identity.

Modify your application's deployment manifest to include the label specified in the Selector of the AzureIdentityBinding.

Example deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-deployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
  template:
    metadata:
      labels:
        app: nginx
        aadpodidbinding: myapp  # Ensure this matches the Selector in AzureIdentityBinding
    spec:
      containers:
      - name: nginx
        image: nginx:latest
        ports:
        - containerPort: 80


Modify the Application to Use the Token

For a real-world scenario, you would modify your application to use SDKs from Azure to interact with services like Azure Blob Storage, Azure SQL Database, etc., leveraging the managed identity for authentication.

Why?

Instead of using a client secret, your application should now use the DefaultAzureCredential from the Azure SDK, which automatically uses the managed identity assigned to the pod.

Example snippet of how you might use the managed identity within your application to access Azure Blob Storage using Python:

from azure.storage.blob import BlobServiceClient
from azure.identity import DefaultAzureCredential

# Use DefaultAzureCredential which will internally handle authentication using the managed identity
credential = DefaultAzureCredential()

# Create a BlobServiceClient object which will be used to create a container client
storage_account_url = "https://<your-storage-account-name>.blob.core.windows.net/"
client = BlobServiceClient(account_url=storage_account_url, credential=credential)

# Now you can use client to interact with Blob storage
container_client = client.get_container_client("<your-container-name>")
blobs_list = container_client.list_blobs()
for blob in blobs_list:
    print(blob.name)

Done. You can verify your pods

kubectl get pods -n default


or the NMI and MIC logs

kubectl logs -n default -l app.kubernetes.io/component=mic
kubectl logs -n default -l app.kubernetes.io/component=nmi



Upvotes: 0
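As an added example (not code from the answer above), a small pre-apply check for the point the deployment manifest comments on: the pod template's aadpodidbinding label must match an AzureIdentityBinding selector, and the binding must name an AzureIdentity that exists, otherwise NMI has no identity to hand the pod and DefaultAzureCredential silently falls through to other credential sources. The manifests are constructed dicts mirroring the answer's YAML (the shape yaml.safe_load_all returns), with the answer's placeholder IDs.

```python
import copy

# Constructed copies of the answer's three manifests, already parsed into dicts
# (the shape yaml.safe_load_all returns); IDs are the answer's placeholders.
AZURE_IDENTITY = {
    "kind": "AzureIdentity", "metadata": {"name": "myappidentity"},
    "spec": {"type": 0, "clientID": "yourclientid",  # type 0 = user-assigned
             "resourceID": "/subscriptions/yourid/resourcegroups/yourRG/providers/"
                           "Microsoft.ManagedIdentity/userAssignedIdentities/myappidentity"}}
AZURE_IDENTITY_BINDING = {
    "kind": "AzureIdentityBinding", "metadata": {"name": "myappidentity-binding"},
    "spec": {"azureIdentity": "myappidentity", "selector": "myapp"}}
DEPLOYMENT = {
    "kind": "Deployment", "metadata": {"name": "nginx-deployment"},
    "spec": {"template": {"metadata": {"labels": {"app": "nginx", "aadpodidbinding": "myapp"}},
                          "spec": {"containers": [{"name": "nginx", "image": "nginx:latest"}]}}}}


def with_pod_label(deployment, key, value):
    """Deep copy of a Deployment with one pod-template label set (removed when value is None)."""
    d = copy.deepcopy(deployment)
    labels = d["spec"]["template"]["metadata"].setdefault("labels", {})
    if value is None:
        labels.pop(key, None)
    else:
        labels[key] = value
    return d


def check_pod_identity(manifests):
    """Cross-check AzureIdentity, AzureIdentityBinding and Deployment manifests.
    Returns a list of findings; an empty list means every pod template resolves to an identity."""
    identities = {m["metadata"]["name"]: m for m in manifests if m["kind"] == "AzureIdentity"}
    bindings = [m for m in manifests if m["kind"] == "AzureIdentityBinding"]
    findings = []
    for name, ident in identities.items():
        if not ident["spec"].get("clientID") or not ident["spec"].get("resourceID"):
            findings.append(f"AzureIdentity {name}: clientID and resourceID are both required")
    for b in bindings:
        target = b["spec"]["azureIdentity"]
        if target not in identities:
            findings.append(f"AzureIdentityBinding {b['metadata']['name']}: azureIdentity {target} is not defined")
    selectors = {b["spec"]["selector"] for b in bindings}
    for m in (m for m in manifests if m["kind"] == "Deployment"):
        name = m["metadata"]["name"]
        label = m["spec"]["template"]["metadata"].get("labels", {}).get("aadpodidbinding")
        if label is None:
            findings.append(f"Deployment {name}: pod template lacks the aadpodidbinding label")
        elif label not in selectors:
            findings.append(f"Deployment {name}: aadpodidbinding={label} matches no AzureIdentityBinding selector")
    return findings
```

Run it over the output of `kubectl get azureidentity,azureidentitybinding,deployment -o yaml` (or the manifests before applying them) and treat any finding as a blocker; a typo in the label is the most common reason the NMI logs show a pod requesting a token with no matching binding.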
