lucassc/aks-workload-identity

Lucas Schwendler

Cloud Infrastructure Architect
Platform Engineer
DevOps Engineer
GitHub
Kubernetes
Terraform

This repository contains the code to deploy a Azure Kubernetes Service with all dependencies needed to use Azure AD Workload Identity

Requirements

Step 1 - Create AKS cluster

export KEY_VAULT_NAME=<your-key-vault-name> ## example: myvaultname export TF_VAR_key_vault_name=$KEY_VAULT_NAME terraform init terraform plan -var-file values.tfvars -out plan.bin terraform apply plan.bin

Step 2 - Create a secret

# get your objectid OBJECT_ID=$(az ad signed-in-user show --query id -o tsv) # Set permissions to your user az keyvault set-policy --name $KEY_VAULT_NAME --object-id $OBJECT_ID --secret-permissions all #create a secret az keyvault secret set --vault-name $KEY_VAULT_NAME --name "my-secret-name" --value "my-value"

Step 3 - Connect to cluster

az account set --subscription <your-subscription-id> az aks get-credentials --resource-group k8s-rg --name aks-cluster

Step 4 - Create deployment and service

WORKLOADS=$(cat ./workloads.yaml) && \ echo "${WORKLOADS/VAULT_NAME_TO_REPLACE/$KEY_VAULT_NAME}" | kubectl create -f -

The source code for these application is inside the repository, go to

vault.reader

Step 5 - Test

! Important ! Vault-reader load the secrets when the pod starts. When a change in the vault secret happens, you will need to restart the pod.

kubectl port-forward deployment/vault-reader 8888:8888

Now you need to open another terminal to get the secret value

curl --location --request GET 'http://127.0.0.1:8888/get-secret/my-secret-name'

This curl command will return a json object with the key and the secret value created on step 2

Example:

{ "key": "my-secret-name", "value": "my-value" }

You also can request the secret value using the application Swagger page:

http://127.0.0.1:8888/swagger/index.html

Step 6 - Check the pod envs

In this step is possible to see the environment variables injected in the POD

kubectl exec deployment/vault-reader -- printenv | grep AZURE_

The response will be like:

AZURE_CLIENT_ID=<service-principal-id> AZURE_TENANT_ID=<your-tenant-id> AZURE_FEDERATED_TOKEN_FILE=/var/run/secrets/azure/tokens/azure-identity-token AZURE_AUTHORITY_HOST=https://login.microsoftonline.com/

After all: DESTROY!!!

To avoid surprises, don't forget to delete the resources.

terraform destroy -auto-approve -var-file values.tfvars

Blog

This repository is an example for this blog post:

Authenticating Kubernetes Workloads with Azure AD workload identity

Partner With Lucas
View Services

More Projects by Lucas