
Installing with Azure AD Workload Identity

Learn what needs to be done to run akv2k8s successfully with Azure AD Workload Identity.


Requirements

In addition to the default requirements, using Workload Identity with akv2k8s requires:

Installation

Create a managed identity

# Resource group that will hold the user-assigned managed identity
export RG_NAME="<resource-group>"
export USER_ASSIGNED_IDENTITY_NAME="<identity-name>"
az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RG_NAME}"

Grant permissions to access Azure Key Vault

export KEYVAULT_NAME="<keyvault-name>"
export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RG_NAME}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
# Read-only access is all akv2k8s needs: "get" on secrets, certificates and keys
az keyvault set-policy \
        --name "${KEYVAULT_NAME}" \
        --secret-permissions get \
        --certificate-permissions get \
        --key-permissions get \
        --spn "${USER_ASSIGNED_CLIENT_ID}"

Get the OIDC issuer URL of the cluster. On AKS it can be read with the following command:

export AKS_NAME="<aks-name>"
# Use a separate variable so the identity's RG_NAME from the previous step is not overwritten
export AKS_RG_NAME="<aks-resource-group>"
export OIDC_ISSUER_URL="$(az aks show -n "${AKS_NAME}" -g "${AKS_RG_NAME}" --query "oidcIssuerProfile.issuerUrl" -otsv)"

Establish a federated identity credential for the akv2k8s-controller service account:

export SERVICE_ACCOUNT_NAMESPACE="akv2k8s"
export SERVICE_ACCOUNT_NAME="akv2k8s-controller"
# The issuer and subject must match the projected service-account token's iss and sub claims exactly
az identity federated-credential create \
        --name akv2k8s-controller-fed-identity \
        --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" \
        --resource-group "${RG_NAME}" \
        --issuer "${OIDC_ISSUER_URL}" \
        --subject "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}"

Establish a federated identity credential for the akv2k8s-envinjector service account:

export SERVICE_ACCOUNT_NAMESPACE="akv2k8s"
export SERVICE_ACCOUNT_NAME="akv2k8s-envinjector"
az identity federated-credential create \
        --name akv2k8s-envinjector-fed-identity \
        --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" \
        --resource-group "${RG_NAME}" \
        --issuer "${OIDC_ISSUER_URL}" \
        --subject "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}"

Enable the environment-azidentity Key Vault auth mode and add the azure.workload.identity/use: "true" label to both the service account and the pod of the controller and the env-injector.

The client ID of the managed identity must either be set as the AZURE_CLIENT_ID environment variable or supplied through the azure.workload.identity/client-id annotation on each service account (controller and env-injector):

global:
  keyVaultAuth: environment-azidentity
controller:
  podLabels:
    azure.workload.identity/use: "true"
  serviceAccount:
    annotations:
      # Optional when AZURE_CLIENT_ID is set in the environment
      azure.workload.identity/client-id: <optional-managed-identity-client-id>
    labels:
      azure.workload.identity/use: "true"
env_injector:
  podLabels:
    azure.workload.identity/use: "true"
  serviceAccount:
    annotations:
      # Optional when AZURE_CLIENT_ID is set in the environment
      azure.workload.identity/client-id: <optional-managed-identity-client-id>
    labels:
      azure.workload.identity/use: "true"
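The two places where this setup usually fails are a federated credential whose issuer or subject does not match the projected service-account token character for character, and Helm values that miss a label or the client ID. The following is an added example, not code from the akv2k8s project or its documentation: it checks the claims of a token against the issuer and service account the federated credential was created with, and checks the values above for the required keys. The token and issuer URL are constructed placeholders (the token is unsigned; real tokens are signed by the cluster and verified by Azure AD, which this check does not do), the values dict is assumed to be the parsed values file (for example from yaml.safe_load), and api://AzureADTokenExchange is the audience Azure Workload Identity requests for the projected token.

```python
import base64
import json

# Audience Azure Workload Identity requests for the projected service-account token.
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the payload claims of a JWT. The signature is NOT verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_token_claims(token: str, issuer: str, namespace: str, sa_name: str) -> list:
    """Compare iss/sub/aud with what the federated credential was created with.

    Returns a list of human-readable problems; an empty list means the token
    would be accepted by a federated credential using `issuer` and the subject
    system:serviceaccount:<namespace>:<sa_name>.
    """
    claims = token_claims(token)
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    problems = []
    # The comparison is exact: a missing trailing slash on the issuer is a mismatch.
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != federated credential issuer {issuer!r}")
    if claims.get("sub") != expected_sub:
        problems.append(f"sub {claims.get('sub')!r} != federated credential subject {expected_sub!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in aud:
        problems.append(f"aud {aud!r} does not contain {EXPECTED_AUDIENCE!r}")
    return problems


def check_values(values: dict, component: str, azure_client_id_env: str = "") -> list:
    """Check one component block ('controller' or 'env_injector') of the parsed Helm values."""
    problems = []
    if values.get("global", {}).get("keyVaultAuth") != "environment-azidentity":
        problems.append("global.keyVaultAuth is not environment-azidentity")
    comp = values.get(component, {})
    sa = comp.get("serviceAccount", {})
    # The use label is needed on both the pod and the service account.
    for where, labels in (("podLabels", comp.get("podLabels", {})),
                          ("serviceAccount.labels", sa.get("labels", {}))):
        if labels.get("azure.workload.identity/use") != "true":
            problems.append(f'{component}.{where} lacks azure.workload.identity/use: "true"')
    # Client ID comes from the annotation or from AZURE_CLIENT_ID in the environment.
    annotation = sa.get("annotations", {}).get("azure.workload.identity/client-id")
    if not annotation and not azure_client_id_env:
        problems.append(f"{component}: no client-id annotation and AZURE_CLIENT_ID is unset")
    return problems


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed placeholders, not a real AKS issuer or token.
ISSUER = "https://example.invalid/oidc/"
GOOD_TOKEN = make_unsigned_token({
    "iss": ISSUER,
    "sub": "system:serviceaccount:akv2k8s:akv2k8s-controller",
    "aud": [EXPECTED_AUDIENCE],
})

# The values from this page, with the service-account label deliberately left
# out of env_injector to show what the check reports.
SAMPLE_VALUES = {
    "global": {"keyVaultAuth": "environment-azidentity"},
    "controller": {
        "podLabels": {"azure.workload.identity/use": "true"},
        "serviceAccount": {
            "annotations": {"azure.workload.identity/client-id": "<constructed-client-id>"},
            "labels": {"azure.workload.identity/use": "true"},
        },
    },
    "env_injector": {
        "podLabels": {"azure.workload.identity/use": "true"},
        "serviceAccount": {
            "annotations": {"azure.workload.identity/client-id": "<constructed-client-id>"},
            "labels": {},
        },
    },
}

if __name__ == "__main__":
    print(check_token_claims(GOOD_TOKEN, ISSUER, "akv2k8s", "akv2k8s-controller"))
    print(check_token_claims(GOOD_TOKEN, ISSUER, "default", "akv2k8s-controller"))
    print(check_values(SAMPLE_VALUES, "controller"))
    print(check_values(SAMPLE_VALUES, "env_injector"))
```

On a live cluster the token to feed into check_token_claims is the projected file the webhook mounts into the pod (its path is exposed as AZURE_FEDERATED_TOKEN_FILE), and the issuer is the value of OIDC_ISSUER_URL from the step above; feed the same namespace and service account name that went into the --subject flag.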