Use a workload identity with an application on Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS) is a managed Kubernetes service that lets you quickly deploy and manage Kubernetes clusters. In this tutorial, you will:
- Deploy an AKS cluster using the Azure CLI with OpenID Connect Issuer and managed identity.
- Create an Azure Key Vault and secret.
- Create an Azure Active Directory workload identity and Kubernetes service account.
- Configure the managed identity for token federation.
- Deploy the workload and verify authentication with the workload identity.
This tutorial assumes a basic understanding of Kubernetes concepts. For more information, see Kubernetes core concepts for Azure Kubernetes Service (AKS).
AKS preview features are available on a self-service, opt-in basis. Previews are provided “as is” and “as available,” and they’re excluded from the service-level agreements and limited warranty. AKS previews are partially covered by customer support on a best-effort basis. As such, these features aren’t meant for production use. For more information, see the following support articles:
- AKS support policies
- Azure support FAQ
- This article requires version 2.40.0 or later of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
- You have installed the latest version of the aks-preview extension, version 0.5.102 or later.
- The identity you are using to create your cluster has the appropriate minimum permissions. For more information on access and identity for AKS, see Access and…
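A preflight check for the two version prerequisites above, as an added example that is not part of the original article. The function names are hypothetical; the minimum versions are the ones this article states, and the installed versions are read with `az version` and `az extension show`.

```shell
#!/bin/sh
# Added example: preflight check for the version prerequisites in this article.
# Function names are illustrative, not part of the Azure CLI.

MIN_CLI=2.40.0        # minimum Azure CLI version stated in the article
MIN_EXT=0.5.102       # minimum aks-preview extension version stated in the article

# version_ge A B: succeed when dotted version A >= B.
# Fields are compared as integers, so 0.5.102 is newer than 0.5.99;
# a plain string comparison would rank them the other way round.
version_ge() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    case $_a in *.*) _a=${_a#*.} ;; *) _a= ;; esac
    case $_b in *.*) _b=${_b#*.} ;; *) _b= ;; esac
    # Drop non-numeric suffixes such as "b1"; a missing field counts as 0.
    _x=${_x%%[!0-9]*}; _y=${_y%%[!0-9]*}
    if [ "${_x:-0}" -gt "${_y:-0}" ]; then return 0; fi
    if [ "${_x:-0}" -lt "${_y:-0}" ]; then return 1; fi
  done
  return 0
}

# check_versions CLI_VERSION EXT_VERSION: report each unmet prerequisite.
check_versions() {
  _rc=0
  if ! version_ge "$1" "$MIN_CLI"; then
    echo "Azure CLI ${1:-(not found)} does not meet minimum $MIN_CLI" >&2; _rc=1
  fi
  if [ -z "$2" ]; then
    echo "aks-preview extension is not installed" >&2; _rc=1
  elif ! version_ge "$2" "$MIN_EXT"; then
    echo "aks-preview $2 does not meet minimum $MIN_EXT" >&2; _rc=1
  fi
  return "$_rc"
}

# preflight: read the installed versions from the Azure CLI and check them.
preflight() {
  _cli=$(az version --query '"azure-cli"' -o tsv 2>/dev/null) || _cli=
  _ext=$(az extension show --name aks-preview --query version -o tsv 2>/dev/null) || _ext=
  check_versions "$_cli" "$_ext"
}
```

Source the file and call `preflight` before starting the tutorial; a non-zero status means at least one prerequisite is unmet.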