File: Workload-identity-config.md (latest commit f797357 · Aug 1, 2024)
# AKS Workload Identity setup

## Enable workload identity on an existing AKS cluster

Workload identity needs the cluster's OIDC issuer enabled as well, so both flags are set in one update:

```bash
az aks update --resource-group "aks-devtest-rg" --name "anevjes-aks-dev" \
  --enable-oidc-issuer --enable-workload-identity
```

## Managed identity (MI) creation

```bash
# Replace "subscriptionID" with the subscription that will own the identity
az account set --subscription "subscriptionID"
az identity create --name "ai-sentry-be-mi" --resource-group "ai-sentry" \
  --location "australiaeast" --subscription "879bb272-07db-4784-816a-a9fac90f49ae"
# The client id is what the Kubernetes service account annotation will reference
export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "ai-sentry" \
  --name "ai-sentry-be-mi" --query 'clientId' -otsv)"
```

## Grant the MI access to the OpenAI resources

Add a role assignment on the Azure OpenAI resource:

(screenshot: choose the role)

and assign your newly created managed identity to the role above:

(screenshot: assign the managed identity)

## Environment variables for the service account in AKS

```bash
export SERVICE_ACCOUNT_NAME="default"
export SERVICE_ACCOUNT_NAMESPACE="ai-sentry"
```

## OIDC issuer URL

```bash
export AKS_OIDC_ISSUER="$(az aks show --name anevjes-aks-dev --resource-group aks-devtest-rg \
  --query "oidcIssuerProfile.issuerUrl" -o tsv)"
```

## Create the AKS service account

The `azure.workload.identity/client-id` annotation is what links this service account to the managed identity created above:

```bash
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ServiceAccount
metadata:
  annotations:
    azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}
  name: ${SERVICE_ACCOUNT_NAME}
  namespace: ${SERVICE_ACCOUNT_NAMESPACE}
EOF
```

## Establish the federated identity credential trust

The credential lets the MI accept tokens from the cluster's OIDC issuer whose subject is this exact service account (`system:serviceaccount:<namespace>:<name>`) and whose audience is `api://AzureADTokenExchange`:

```bash
az identity federated-credential create --name ai-sentry-be-fed \
  --identity-name ai-sentry-be-mi --resource-group ai-sentry \
  --issuer ${AKS_OIDC_ISSUER} \
  --subject system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME} \
  --audience api://AzureADTokenExchange
```
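The trust created above is matched on three claims of the projected service-account token: issuer, subject and audience. The following added example (not part of these notes) checks a token's claims against the values the federated credential was created with, so a mismatch such as the pod running in the wrong namespace shows up before the token exchange fails; the sample token is constructed and unsigned, and the issuer URL is a placeholder for `$AKS_OIDC_ISSUER`.

```python
import base64
import json

# Audience the federated credential above was created with (--audience).
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"

def expected_subject(namespace: str, service_account: str) -> str:
    """Subject form used by the --subject flag above."""
    return f"system:serviceaccount:{namespace}:{service_account}"

def decode_claims(jwt: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature: fine for inspecting
    configuration, never for making a trust decision."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def trust_mismatches(claims: dict, issuer: str, namespace: str, service_account: str) -> list:
    """Return the reasons the token would not match the federated credential
    (an empty list means issuer, subject and audience all line up)."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"issuer: token {claims.get('iss')!r} != credential {issuer!r}")
    want_sub = expected_subject(namespace, service_account)
    if claims.get("sub") != want_sub:
        problems.append(f"subject: token {claims.get('sub')!r} != credential {want_sub!r}")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]  # 'aud' may be a string or a list
    if EXPECTED_AUDIENCE not in aud:
        problems.append(f"audience: token {aud!r} lacks {EXPECTED_AUDIENCE!r}")
    return problems

def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned JWT for offline demos (header.payload. with empty signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

if __name__ == "__main__":
    # Constructed sample: the pod runs in namespace "default", but the credential
    # was created for system:serviceaccount:ai-sentry:default, so the exchange fails.
    issuer = "https://issuer.example/"  # placeholder: use the value of $AKS_OIDC_ISSUER
    token = make_unsigned_token({"iss": issuer, "sub": "system:serviceaccount:default:default",
                                 "aud": [EXPECTED_AUDIENCE]})
    for problem in trust_mismatches(decode_claims(token), issuer, "ai-sentry", "default"):
        print("mismatch ->", problem)
```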