Merge pull request #219107 from naioja/aj_azwi

v-regandowner · web-flow · commit 316c62c21e92 · 2022-11-22T14:11:26.000-05:00
Adding resource group to cluster creation and variables to "Create a managed identity and grant permissions to access Azure Key Vault" section
diff --git a/articles/aks/workload-identity-deploy-cluster.md b/articles/aks/workload-identity-deploy-cluster.md
@@ -67,6 +67,8 @@ az provider register --namespace Microsoft.ContainerService
 Create an AKS cluster using the [az aks create][az-aks-create] command with the `--enable-oidc-issuer` parameter to use the OIDC Issuer. The following example creates a cluster named *myAKSCluster* with one node in the *myResourceGroup*:
 
 ```azurecli-interactive
+az group create --name myResourceGroup --location eastus
+
 az aks create -g myResourceGroup -n myAKSCluster --node-count 1 --enable-oidc-issuer --enable-workload-identity --generate-ssh-keys
 ```
 
@@ -95,44 +97,49 @@ You can retrieve this information using the Azure CLI command: [az keyvault list
 1. Use the Azure CLI [az account set][az-account-set] command to set a specific subscription to be the current active subscription. Then use the [az identity create][az-identity-create] command to create a managed identity.
 
     ```azurecli
-    az account set --subscription "subscriptionID"
-    ```
+    export SUBSCRIPTION_ID="$(az account show --query id --output tsv)"
+    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
+    export RG_NAME="myResourceGroup"
+    export LOCATION="eastus"
 
-    ```azurecli
-    az identity create --name "userAssignedIdentityName" --resource-group "resourceGroupName" --location "location" --subscription "subscriptionID"
+    az identity create --name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RG_NAME}" --location "${LOCATION}" --subscription "${SUBSCRIPTION_ID}"
     ```
 
 2. Set an access policy for the managed identity to access secrets in your Key Vault by running the following commands:
 
-    ```bash
-    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "resourceGroupName" --name "userAssignedIdentityName" --query 'clientId' -otsv)"
-    ```
-
     ```azurecli
-    az keyvault set-policy --name "keyVaultName" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"
+    export RG_NAME="myResourceGroup"
+    export USER_ASSIGNED_IDENTITY_NAME="myIdentity"
+    export KEYVAULT_NAME="myKeyVault"
+    export USER_ASSIGNED_CLIENT_ID="$(az identity show --resource-group "${RG_NAME}" --name "${USER_ASSIGNED_IDENTITY_NAME}" --query 'clientId' -otsv)"
+
+    az keyvault set-policy --name "${KEYVAULT_NAME}" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"
     ```
 
 ## Create Kubernetes service account
 
 Create a Kubernetes service account and annotate it with the client ID of the managed identity created in the previous step. Use the [az aks get-credentials][az-aks-get-credentials] command and replace the values for the cluster name and the resource group name.
 
 ```azurecli
-az aks get-credentials -n myAKSCluster -g MyResourceGroup
+az aks get-credentials -n myAKSCluster -g myResourceGroup
 ```
 
-Copy and paste the following multi-line input in the Azure CLI, and update the values for `serviceAccountName` and `serviceAccountNamespace` with the Kubernetes service account name and its namespace.
+Copy and paste the following multi-line input in the Azure CLI, and update the values for `SERVICE_ACCOUNT_NAME` and `SERVICE_ACCOUNT_NAMESPACE` with the Kubernetes service account name and its namespace.
 
 ```bash
+export SERVICE_ACCOUNT_NAME="workload-identity-sa"
+export SERVICE_ACCOUNT_NAMESPACE="my-namespace"
+
 cat <<EOF | kubectl apply -f -
 apiVersion: v1
 kind: ServiceAccount
 metadata:
   annotations:
-    azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}
+    azure.workload.identity/client-id: "${USER_ASSIGNED_CLIENT_ID}"
   labels:
     azure.workload.identity/use: "true"
-  name: serviceAccountName
-  namespace: serviceAccountNamspace
+  name: "${SERVICE_ACCOUNT_NAME}"
+  namespace: "${SERVICE_ACCOUNT_NAMESPACE}"
 EOF
 ```
 
@@ -144,10 +151,10 @@ Serviceaccount/workload-identity-sa created
 
 ## Establish federated identity credential
 
-Use the [az identity federated-credential create][az-identity-federated-credential-create] command to create the federated identity credential between the managed identity, the service account issuer, and the subject. Replace the values `resourceGroupName`, `userAssignedIdentityName`, `federatedIdentityName`, `serviceAccountNamespace`, and `serviceAccountName`.
+Use the [az identity federated-credential create][az-identity-federated-credential-create] command to create the federated identity credential between the managed identity, the service account issuer, and the subject.
 
 ```azurecli
-az identity federated-credential create --name federatedIdentityName --identity-name userAssignedIdentityName --resource-group resourceGroupName --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:serviceAccountNamespace:serviceAccountName
+az identity federated-credential create --name myfederatedIdentity --identity-name "${USER_ASSIGNED_IDENTITY_NAME}" --resource-group "${RG_NAME}" --issuer "${AKS_OIDC_ISSUER}" --subject system:serviceaccount:"${SERVICE_ACCOUNT_NAMESPACE}":"${SERVICE_ACCOUNT_NAME}"
 ```
 
 > [!NOTE]
