Commit 1007e07

committed
updated with clientId retrieval
1 parent da902d6 commit 1007e07

1 file changed

+11
-2
lines changed

articles/aks/csi-secrets-store-identity-access.md

Lines changed: 11 additions & 2 deletions
@@ -133,6 +133,9 @@ In this security model, the AKS cluster acts as token issuer. Microsoft Entra ID
133133
> [!NOTE]
134134
> If you use `objectAlias` instead of `objectName`, update the YAML script to account for it.
135135
136+
> [!NOTE]
137+
> In order for the `SecretProviderClass` to function properly, make sure to populate your Azure Key Vault with secrets, keys, or certificates before referencing them in the `objects` section.
138+
136139
8. Deploy a sample pod using the `kubectl apply` command and the following YAML script.
137140
138141
```bash
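Review bot: the note added at 137 is the same sentence that the later hunk adds at 241, and it follows an objectAlias note (134) that is itself worded differently from its twin at 238; tighten the wording once and reuse it, for example "For the `SecretProviderClass` to work, populate your Azure Key Vault with the secrets, keys, or certificates before referencing them in `objects`", and say what the reader will see when an object is missing so the note is actionable rather than only a reminder.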
@@ -176,10 +179,11 @@ In this security model, you can grant access to your cluster's resources to team
176179
177180
### Configure managed identity
178181
179-
1. Access your key vault using the [`az aks show`][az-aks-show] command and the user-assigned managed identity created by the add-on.
182+
1. Access your key vault using the [`az aks show`][az-aks-show] command and the user-assigned managed identity created by the add-on. You should also retrieve the identity's `clientId`, which you'll use in later steps when creating a `SecretProviderClass`.
180183
181184
```azurecli-interactive
182185
az aks show -g <resource-group> -n <cluster-name> --query addonProfiles.azureKeyvaultSecretsProvider.identity.objectId -o tsv
186+
az aks show -g <resource-group> -n <cluster-name> --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv
183187
```
184188
185189
Alternatively, you can create a new managed identity and assign it to your virtual machine (VM) scale set or to each VM instance in your availability set using the following commands.
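Review bot: the two `az aks show` commands at 185 and 186 each print a bare GUID with nothing in the block saying which one is the `objectId` and which is the `clientId`, so a reader copying both has no way to tell them apart later; the new sentence at 182 promises the `clientId` is used "in later steps when creating a `SecretProviderClass`", but the SecretProviderClass step visible in this diff (244) is unchanged, so name the exact field the value goes into or link to it, and consider labelling each command with a short comment.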
@@ -188,9 +192,11 @@ In this security model, you can grant access to your cluster's resources to team
188192
az identity create -g <resource-group> -n <identity-name>
189193
az vmss identity assign -g <resource-group> -n <agent-pool-vmss> --identities <identity-resource-id>
190194
az vm identity assign -g <resource-group> -n <agent-pool-vm> --identities <identity-resource-id>
195+
196+
az identity show -g <resource-group> --name <identity-name> --query 'clientId' -o tsv
191197
```
192198
193-
2. Create a role assignment that grants the identity permission access to the key vault secrets, access keys, and certificates using the [`az role assignment create`][az-role-assignment-create] command.
199+
2. Create a role assignment that grants the identity permission access to the key vault secrets, access keys, and certificates using the [`az role assignment create`][az-role-assignment-create] command.
194200
195201
```azurecli-interactive
196202
export IDENTITY_OBJECT_ID="$(az identity show -g <resource-group> --name <identity-name> --query 'principalId' -o tsv)"
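Review bot: the `az identity show ... --query 'clientId'` added at 196 prints the value and discards it, while the very next step (202) captures the same identity's `principalId` into `IDENTITY_OBJECT_ID`; follow that pattern so the value survives to the step that needs it, e.g. `export IDENTITY_CLIENT_ID="$(az identity show -g <resource-group> --name <identity-name> --query 'clientId' -o tsv)"`. Also, 193-/199+ remove and re-add identical step-2 text, which looks like a whitespace-only change; confirm it is intentional so the diff stays minimal.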
@@ -230,6 +236,9 @@ In this security model, you can grant access to your cluster's resources to team
230236
231237
> [!NOTE]
232238
> If you use `objectAlias` instead of `objectName`, make sure to update the YAML script.
239+
240+
> [!NOTE]
241+
> In order for the `SecretProviderClass` to function properly, make sure to populate your Azure Key Vault with secrets, keys, or certificates before referencing them in the `objects` section.
233242
234243
4. Apply the `SecretProviderClass` to your cluster using the `kubectl apply` command.
235244
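Review bot: 239+ and 240+ insert two blank lines before the second note, whereas the first hunk (136) inserts one; drop one blank so the two `[!NOTE]` blocks render consistently. The note text at 241 is a verbatim copy of 137, so any wording change must be applied in both places, which argues for wording it once and keeping the two copies identical.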
