Support Azure CLI Access on AKS with workload identity #40142
Merged
Cr0n1c approved these changes Apr 9, 2024
Tener approved these changes Apr 15, 2024
smallinsky approved these changes Apr 15, 2024
016bac9 to f2b5dc2
greedy52 added a commit that referenced this pull request Apr 18, 2024:

* Support Azure CLI Access on AKS with workload identity
* fix lint and properly pass along a logger
* fix typos
* reverse error check and fix typo
* fix terraform go.mod
* fix event handler go.mod
Implements #39532:

changelog: added Azure CLI access support on AKS with Entra Workload ID

Why:

Azure CLI app access is implemented with `azidentity.NewManagedIdentityCredential`. This works fine for regular VMs, and Azure AKS with Entra pod identity. However, the Entra pod identity is a Preview feature that will be deprecated soon. The official way to do pod-level identity on AKS is Azure Workload Identity. We also advertise Azure Workload Identity in our own Azure AKS guide.

How it works:

`azidentity.NewWorkloadIdentityCredential`, plus the client ID of the Azure user-assigned identity in order to be assumed. Multiple workload identities can be assigned to the single service account assigned to the AKS pod.

`Microsoft.ManagedIdentity/userAssignedIdentities/read` permission.

`tsh`, the app agent makes API calls to fetch client IDs for the user-requested identities, then uses the fetched client ID for `azidentity.NewWorkloadIdentityCredential`.

Setup:

(TODO make a proper doc change)

1. `teleport-azure-app-aks-agent` for "USER_ASSIGNED_IDENTITY_NAME". Create a role for this identity with `Microsoft.ManagedIdentity/userAssignedIdentities/read` action permission, and assign it to the role. Note that the client ID for this app agent will be used for the service account's `azure.workload.identity/client-id`
2. `cloud: "Azure"`) and use the service account created in the previous step for this pod in this AKS cluster.
3. `teleport-user-reader`, and grant it relevant permissions.
4. `az identity federated-credential create --name federated-teleport-user-reader --identity-name teleport-user-reader --resource-group "${RESOURCE_GROUP}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"${SERVICE_ACCOUNT_NAMESPACE}":"${SERVICE_ACCOUNT_NAME}" --audience api://AzureADTokenExchange`)
5. `tsh apps login <azure-on-aks>` and `tsh az` as usual.

Testing