Merge pull request #249231 from scottaddie/scottaddie/workload-identity

Add code samples to Azure Identity SDK section

Author: v-regandowner

articles/aks/workload-identity-overview.md

@@ -1,9 +1,9 @@
 ---
-title: Use an Azure AD workload identities on Azure Kubernetes Service (AKS)
+title: Use an Azure AD workload identity on Azure Kubernetes Service (AKS)
 description: Learn about Azure Active Directory workload identity for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.  
 ms.topic: article
 ms.custom: build-2023
-ms.date: 08/18/2023
+ms.date: 08/24/2023
 ---
 
 # Use Azure AD workload identity with Azure Kubernetes Service (AKS)
@@ -29,36 +29,189 @@ In the Azure Identity client libraries, choose one of the following approaches:
 - Create a `ChainedTokenCredential` instance that includes `WorkloadIdentityCredential`.
 - Use `WorkloadIdentityCredential` directly.
 
-The following table provides the **minimum** package version required for each language's client library.
+The following table provides the **minimum** package version required for each language ecosystem's client library.
 
-| Language   | Library                                                                                                          | Minimum Version | Example                                                                                                                           |
-|------------|------------------------------------------------------------------------------------------------------------------|-----------------|-----------------------------------------------------------------------------------------------------------------------------------|
-| .NET       | [Azure.Identity](/dotnet/api/overview/azure/identity-readme)                                                     | 1.9.0           | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/azure-identity/dotnet)                                 |
-| C++        | [azure-identity-cpp](https://github.com/Azure/azure-sdk-for-cpp/blob/main/sdk/identity/azure-identity/README.md) | 1.6.0-beta.1    | [Link](https://github.com/Azure/azure-sdk-for-cpp/blob/main/sdk/identity/azure-identity/samples/workload_identity_credential.cpp) |
-| Go         | [azidentity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity)                                | 1.3.0           | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/azure-identity/go)                                     |
-| Java       | [azure-identity](/java/api/overview/azure/identity-readme)                                                       | 1.9.0           | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/azure-identity/java)                                   |
-| JavaScript | [@azure/identity](/javascript/api/overview/azure/identity-readme)                                                | 3.2.0           | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/azure-identity/node)                                   |
-| Python     | [azure-identity](/python/api/overview/azure/identity-readme)                                                     | 1.13.0          | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/azure-identity/python)                                 |
+| Ecosystem | Library                                                                                                          | Minimum version |
+|-----------|------------------------------------------------------------------------------------------------------------------|-----------------|
+| .NET      | [Azure.Identity](/dotnet/api/overview/azure/identity-readme)                                                     | 1.9.0           |
+| C++       | [azure-identity-cpp](https://github.com/Azure/azure-sdk-for-cpp/blob/main/sdk/identity/azure-identity/README.md) | 1.6.0-beta.1    |
+| Go        | [azidentity](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity)                                | 1.3.0           |
+| Java      | [azure-identity](/java/api/overview/azure/identity-readme)                                                       | 1.9.0           |
+| Node.js   | [@azure/identity](/javascript/api/overview/azure/identity-readme)                                                | 3.2.0           |
+| Python    | [azure-identity](/python/api/overview/azure/identity-readme)                                                     | 1.13.0          |
 
 † In the C++ library, `WorkloadIdentityCredential` isn't part of the `DefaultAzureCredential` authentication flow.
 
+In the following code samples, the credential type will use the environment variables injected by the Azure Workload Identity mutating webhook to authenticate with Azure Key Vault.
+
+## [.NET](#tab/dotnet)
+
+```csharp
+using Azure.Identity;
+using Azure.Security.KeyVault.Secrets;
+
+string keyVaultUrl = Environment.GetEnvironmentVariable("KEYVAULT_URL");
+string secretName = Environment.GetEnvironmentVariable("SECRET_NAME");
+
+var client = new SecretClient(
+    new Uri(keyVaultUrl),
+    new DefaultAzureCredential());
+
+KeyVaultSecret secret = await client.GetSecretAsync(secretName);
+```
+
+## [C++](#tab/cpp)
+
+```cpp
+#include <cstdlib>
+#include <azure/identity.hpp>
+#include <azure/keyvault/secrets/secret_client.hpp>
+
+using namespace Azure::Identity;
+using namespace Azure::Security::KeyVault::Secrets;
+
+// * AZURE_TENANT_ID: Tenant ID for the Azure account.
+// * AZURE_CLIENT_ID: The client ID to authenticate the request.
+std::string GetTenantId() { return std::getenv("AZURE_TENANT_ID"); }
+std::string GetClientId() { return std::getenv("AZURE_CLIENT_ID"); }
+std::string GetTokenFilePath() { return std::getenv("AZURE_FEDERATED_TOKEN_FILE"); }
+
+int main()
+{
+  const char* keyVaultUrl = std::getenv("KEYVAULT_URL");
+  const char* secretName = std::getenv("SECRET_NAME");
+  auto credential = std::make_shared<WorkloadIdentityCredential>(
+    GetTenantId(), GetClientId(), GetTokenFilePath());
+
+  SecretClient client(keyVaultUrl, credential);
+  Secret secret = client.GetSecret(secretName).Value;
+
+  return 0;
+}
+```
+
+## [Go](#tab/go)
+
+```go
+package main
+
+import (
+	"context"
+	"os"
+
+	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
+	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
+    "k8s.io/klog/v2"
+)
+
+func main() {
+	keyVaultUrl := os.Getenv("KEYVAULT_URL")
+	secretName := os.Getenv("SECRET_NAME")
+
+	credential, err := azidentity.NewDefaultAzureCredential(nil)
+	if err != nil {
+		klog.Fatal(err)
+	}
+
+	client, err := azsecrets.NewClient(keyVaultUrl, credential, nil)
+	if err != nil {
+		klog.Fatal(err)
+	}
+
+	secret, err := client.GetSecret(context.Background(), secretName, "", nil)
+	if err != nil {
+		klog.ErrorS(err, "failed to get secret", "keyvault", keyVaultUrl, "secretName", secretName)
+		os.Exit(1)
+	}
+}
+```
+
+## [Java](#tab/java)
+
+```java
+import java.util.Map;
+
+import com.azure.security.keyvault.secrets.SecretClient;
+import com.azure.security.keyvault.secrets.SecretClientBuilder;
+import com.azure.security.keyvault.secrets.models.KeyVaultSecret;
+import com.azure.identity.DefaultAzureCredentialBuilder;
+import com.azure.identity.DefaultAzureCredential;
+
+public class App {
+    public static void main(String[] args) {
+        Map<String, String> env = System.getenv();
+        String keyVaultUrl = env.get("KEYVAULT_URL");
+        String secretName = env.get("SECRET_NAME");
+
+        SecretClient client = new SecretClientBuilder()
+                .vaultUrl(keyVaultUrl)
+                .credential(new DefaultAzureCredentialBuilder().build())
+                .buildClient();
+        KeyVaultSecret secret = client.getSecret(secretName);
+    }
+}
+```
+
+## [Node.js](#tab/javascript)
+
+```nodejs
+import { DefaultAzureCredential } from "@azure/identity";
+import { SecretClient } from "@azure/keyvault-secrets";
+
+const main = async () => {
+    const keyVaultUrl = process.env["KEYVAULT_URL"];
+    const secretName = process.env["SECRET_NAME"];
+
+    const credential = new DefaultAzureCredential();
+    const client = new SecretClient(keyVaultUrl, credential);
+
+    const secret = await client.getSecret(secretName);
+}
+
+main().catch((error) => {
+    console.error("An error occurred:", error);
+    process.exit(1);
+});
+```
+
+## [Python](#tab/python)
+
+```python
+import os
+
+from azure.keyvault.secrets import SecretClient
+from azure.identity import DefaultAzureCredential
+
+def main():
+    keyvault_url = os.getenv('KEYVAULT_URL', '')
+    secret_name = os.getenv('SECRET_NAME', '')
+
+    client = SecretClient(vault_url=keyvault_url, credential=DefaultAzureCredential())
+    secret = client.get_secret(secret_name)
+
+if __name__ == '__main__':
+    main()
+```
+
+---
+
 ## Microsoft Authentication Library (MSAL)
 
-The following client libraries are the **minimum** version required
+The following client libraries are the **minimum** version required.
 
-| Language | Library | Image | Example | Has Windows |
+| Ecosystem | Library | Image | Example | Has Windows |
 |-----------|-----------|----------|----------|----------|
-| .NET | [microsoft-authentication-library-for-dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | ghcr.io/azure/azure-workload-identity/msal-net:latest | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-net/akvdotnet) | Yes |
-| Go | [microsoft-authentication-library-for-go](https://github.com/AzureAD/microsoft-authentication-library-for-go) | ghcr.io/azure/azure-workload-identity/msal-go:latest | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go) | Yes |
-| Java | [microsoft-authentication-library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java) | ghcr.io/azure/azure-workload-identity/msal-java:latest | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-java) | No |
-| JavaScript | [microsoft-authentication-library-for-js](https://github.com/AzureAD/microsoft-authentication-library-for-js) | ghcr.io/azure/azure-workload-identity/msal-node:latest | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-node) | No |
-| Python | [microsoft-authentication-library-for-python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | ghcr.io/azure/azure-workload-identity/msal-python:latest | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-python) | No |
+| .NET | [microsoft-authentication-library-for-dotnet](https://github.com/AzureAD/microsoft-authentication-library-for-dotnet) | `ghcr.io/azure/azure-workload-identity/msal-net:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-net/akvdotnet) | Yes |
+| Go | [microsoft-authentication-library-for-go](https://github.com/AzureAD/microsoft-authentication-library-for-go) | `ghcr.io/azure/azure-workload-identity/msal-go:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-go) | Yes |
+| Java | [microsoft-authentication-library-for-java](https://github.com/AzureAD/microsoft-authentication-library-for-java) | `ghcr.io/azure/azure-workload-identity/msal-java:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-java) | No |
+| JavaScript | [microsoft-authentication-library-for-js](https://github.com/AzureAD/microsoft-authentication-library-for-js) | `ghcr.io/azure/azure-workload-identity/msal-node:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-node) | No |
+| Python | [microsoft-authentication-library-for-python](https://github.com/AzureAD/microsoft-authentication-library-for-python) | `ghcr.io/azure/azure-workload-identity/msal-python:latest` | [Link](https://github.com/Azure/azure-workload-identity/tree/main/examples/msal-python) | No |
 
 ## Limitations
 
 - You can only have 20 federated identity credentials per managed identity.
 - It takes a few seconds for the federated identity credential to be propagated after being initially added.
-- [Virtual nodes][aks-virtual-nodes] add on, based on the open source project [Virtual Kubelet][virtual-kubelet], is not supported.
+- [Virtual nodes][aks-virtual-nodes] add on, based on the open source project [Virtual Kubelet][virtual-kubelet], isn't supported.
 
 ## How it works
 
@@ -96,7 +249,7 @@ If you've used [Azure AD pod-managed identity][use-azure-ad-pod-identity], think
 
 ### Service account annotations
 
-All annotations are optional. If the annotation is not specified, the default value will be used.
+All annotations are optional. If the annotation isn't specified, the default value will be used.
 
 |Annotation |Description |Default |
 |-----------|------------|--------|
@@ -115,12 +268,12 @@ All annotations are optional. If the annotation is not specified, the default va
 
 ### Pod annotations
 
-All annotations are optional. If the annotation is not specified, the default value will be used.
+All annotations are optional. If the annotation isn't specified, the default value will be used.
 
 |Annotation |Description |Default |
 |-----------|------------|--------|
 |`azure.workload.identity/service-account-token-expiration` |Represents the `expirationSeconds` field for the projected service account token. It's an optional field that you configure to prevent any downtime caused by errors during service account token refresh. Kubernetes service account token expiry isn't correlated with Azure AD tokens. Azure AD tokens expire in 24 hours after they're issued. <sup>1</sup> |3600<br> Supported range is 3600-86400. |
-|`azure.workload.identity/skip-containers` |Represents a semi-colon-separated list of containers to skip adding projected service account token volume. For example `container1;container2`. |By default, the projected service account token volume is added to all containers if the service account is labeled with `azure.workload.identity/use: true`. |
+|`azure.workload.identity/skip-containers` |Represents a semi-colon-separated list of containers to skip adding projected service account token volume. For example, `container1;container2`. |By default, the projected service account token volume is added to all containers if the service account is labeled with `azure.workload.identity/use: true`. |
 |`azure.workload.identity/inject-proxy-sidecar` |Injects a proxy init container and proxy sidecar into the pod. The proxy sidecar is used to intercept token requests to IMDS and acquire an Azure AD token on behalf of the user with federated identity credential. |true |
 |`azure.workload.identity/proxy-sidecar-port` |Represents the port of the proxy sidecar. |8000 |