Author : HASSAN MD TAREQ | Updated : 2021/05/19


Initialize environment variables (PowerShell ISE will be used to execute commands)

$Env:AzUserName = "xxx"
$Env:AzPassword = "yyy"
$Env:ResourceGroup = "MyResourceGroup"
$Env:AksClusterName = "MyAksCluster"
$Env:AksTargetNamespace = "MyAksNamespace"
$Env:ManagedIdentityName = "MyManagedIdentity"

Get AKS cluster credentials (needed to run kubectl commands in a terminal)

# Login to Azure
# Note: -p puts the password on the command line (and in the ISE history); for unattended use prefer a service principal, otherwise interactive 'az login'
az login -u $Env:AzUserName -p $Env:AzPassword

# Get AKS cluster credential
az aks get-credentials --resource-group $Env:ResourceGroup --name $Env:AksClusterName --overwrite-existing

Create User Managed Identity

Create managed identity in Azure portal

Create managed identity using Azure CLI

az identity create --name $Env:ManagedIdentityName --resource-group $Env:ResourceGroup

Get managed identity information (client ID and resource ID; both are used below to create the pod-managed identity)

Save managed identity information in environment variables (will be used later)

# ClientID of MyManagedIdentity
# Used to grant the identity access to other Azure resources, e.g. Key Vault
$Env:ManagedIdentityClientId = $(az identity show --resource-group $Env:ResourceGroup --name $Env:ManagedIdentityName --query clientId -o tsv)

# ResourceId of MyManagedIdentity
# It is needed to create 'managed-pod identity' (MyPodIdentity)
$Env:ManagedIdentityResourceId = $(az identity show -g $Env:ResourceGroup -n $Env:ManagedIdentityName --query id -o tsv)

Managed-pod Identity Add-on

AKS preview features

# 'aks-preview' extension
az extension add --name aks-preview
az extension update --name aks-preview

Register EnablePodIdentityPreview feature

# EnablePodIdentityPreview feature registration
az feature register --name EnablePodIdentityPreview --namespace Microsoft.ContainerService

Enable Managed-pod identity

# Enable 'managed-pod identity' add-on
# az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity
# az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity --network-plugin azure

az aks update -g $Env:ResourceGroup -n $Env:AksClusterName --enable-pod-identity

Create the managed-pod identity "MyPodIdentity" resource (K8s object) in the target namespace of the AKS cluster

# Creating "MyPodIdentity" (managed-pod identity) K8s resource
# az aks pod-identity add --resource-group myResourceGroup 
# --cluster-name myAKSCluster --namespace ${POD_IDENTITY_NAMESPACE}  
# --name ${POD_IDENTITY_NAME} --identity-resource-id ${IDENTITY_RESOURCE_ID}
az aks pod-identity add `
--resource-group $Env:ResourceGroup `
--cluster-name $Env:AksClusterName `
--namespace $Env:AksTargetNamespace `
--name $Env:ManagedIdentityName `
--identity-resource-id $Env:ManagedIdentityResourceId

Check MyPodIdentity was created

kubectl get azureidentity -n test

Check corresponding AzureIdentity & AzureIdentityBinding

kubectl get AzureIdentity,AzureIdentityBinding -n test

Take note of the selector of the AzureIdentityBinding (it will be used in the pod manifest to assign the pod its managed identity)

kubectl describe """

In case you want to delete the pod identity

# Delete the pod identity (same name and namespace as used in 'az aks pod-identity add' above)
az aks pod-identity delete `
--resource-group $Env:ResourceGroup `
--cluster-name $Env:AksClusterName `
--name $Env:ManagedIdentityName `
--namespace $Env:AksTargetNamespace

AAD Pod Identity

Installing AAD Pod Identity (details:

kubectl apply `

Create User Assigned Managed Identity

Managed identity information (will be used later)

Name: xxx
Client ID: xxx
Resource ID: /subscriptions/xxx/resourceGroups/yyy/providers/Microsoft.ManagedIdentity/userAssignedIdentities/zzz

Allow the user-assigned managed identity to access the target resource (e.g. Key Vault) in the Azure portal

Allow the managed identity to access the target resource (e.g. Key Vault) using Azure CLI in PowerShell

# Name of the target Key Vault (set it first)
$KV_NAME = "MyKeyVault"
# Client ID of the managed identity (same value as $Env:ManagedIdentityClientId above)
$mid = az identity show --resource-group $Env:ResourceGroup --name $Env:ManagedIdentityName --query clientId -o tsv
# Grant only 'get' on keys, secrets and certificates (least privilege; add list/set only if the workload really needs them)
az keyvault set-policy -n $KV_NAME --key-permissions get --spn $mid
az keyvault set-policy -n $KV_NAME --secret-permissions get --spn $mid
az keyvault set-policy -n $KV_NAME --certificate-permissions get --spn $mid

Create AzureIdentity:

apiVersion: ""
kind: AzureIdentity
metadata:
  name: MyAzureIdentity
spec:
  type: 0            # 0 = user-assigned managed identity
  resourceID: RESOURCE_ID
  clientID: CLIENT_ID

Create AzureIdentityBinding:

apiVersion: ""
kind: AzureIdentityBinding
metadata:
  name: MyAzureIdentityBinding
spec:
  azureIdentity: "MyAzureIdentity"
  selector: "my-pod-identity"

selector: "my-pod-identity" is important: it will be used (as the aadpodidbinding label) in the pod manifest to assign the pod its managed identity

Check AzureIdentity & AzureIdentityBinding

kubectl get AzureIdentity,AzureIdentityBinding -n test

Testing pod identity


apiVersion: v1
kind: Pod
metadata:
  name: demo
  labels:
    aadpodidbinding: MyPodIdentity   # must equal the AzureIdentityBinding selector in this namespace
spec:
  containers:
  - name: demo
    image: DEMO_IMAGE   # placeholder: the aad-pod-identity demo image is not given on this page
    args:
      - --subscriptionid=SUBSCRIPTION_ID
      - --clientid=IDENTITY_CLIENT_ID
      - --resourcegroup=IDENTITY_RESOURCE_GROUP
    env:
      - name: MY_POD_NAME
        valueFrom:
          fieldRef:
            fieldPath: metadata.name
      - name: MY_POD_NAMESPACE
        valueFrom:
          fieldRef:
            fieldPath: metadata.namespace
      - name: MY_POD_IP
        valueFrom:
          fieldRef:
            fieldPath: status.podIP
  nodeSelector:
    kubernetes.io/os: linux

Deploy: kubectl apply -f demo.yaml --namespace test

Check application is running successfully

kubectl logs demo --follow --namespace test

Verify that the logs show a token was successfully acquired and that the GET operation succeeded

... ... ...

successfully acquired a token using the MSI, msiEndpoint(
successfully acquired a token, userAssignedID MSI, msiEndpoint( clientID(xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
successfully made GET on instance metadata

... ... ...
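If the demo pod never reports a token, the usual cause is a mismatch somewhere in the chain pod label -> AzureIdentityBinding selector -> AzureIdentity clientID -> Azure managed identity. The following PowerShell check is an added example, not part of the original notes; it assumes $Env:ResourceGroup, $Env:ManagedIdentityName and $Env:AksTargetNamespace are set as at the top of the page and that the pod is the "demo" pod above.

```powershell
# Added consistency check (not from the original notes): walk the identity chain
# for one pod and fail on the first link that does not line up.
$ns  = $Env:AksTargetNamespace   # assumption: the namespace the demo pod was deployed to
$pod = "demo"                    # assumption: pod name from the manifest above

# 1. Label the pod carries (this is what the binding selector is matched against)
$podLabel = kubectl get pod $pod -n $ns -o jsonpath='{.metadata.labels.aadpodidbinding}'
if (-not $podLabel) { throw "Pod '$pod' in '$ns' has no aadpodidbinding label" }

# 2. Exactly one AzureIdentityBinding in the namespace must have that selector
$bindingsJson = (kubectl get AzureIdentityBinding -n $ns -o json) -join "`n"
$bindings = ($bindingsJson | ConvertFrom-Json).items
$match = @($bindings | Where-Object { $_.spec.selector -eq $podLabel })
if ($match.Count -ne 1) {
    $seen = ($bindings | ForEach-Object { $_.spec.selector }) -join ", "
    throw "Expected 1 AzureIdentityBinding with selector '$podLabel', found $($match.Count) (selectors present: $seen)"
}

# 3. The AzureIdentity the binding points to must exist in the same namespace
$identityName = $match[0].spec.azureIdentity
$azIdJson = (kubectl get AzureIdentity $identityName -n $ns -o json) -join "`n"
if (-not $azIdJson) { throw "AzureIdentity '$identityName' referenced by binding '$($match[0].metadata.name)' not found in '$ns'" }
$azId = $azIdJson | ConvertFrom-Json

# 4. Its clientID must be the client ID of the user-assigned identity in Azure
$expectedClientId = az identity show -g $Env:ResourceGroup -n $Env:ManagedIdentityName --query clientId -o tsv
if ($azId.spec.clientID -ne $expectedClientId) {
    throw "AzureIdentity '$identityName' has clientID '$($azId.spec.clientID)', Azure reports '$expectedClientId'"
}

Write-Host "OK: pod '$pod' -> binding '$($match[0].metadata.name)' (selector '$podLabel') -> AzureIdentity '$identityName' -> clientID $expectedClientId"
```

Run it after "kubectl apply -f demo.yaml"; a thrown error names the exact link to fix before re-reading the pod logs.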