Update with new sample app

Author: pauldotyu

articles/aks/workload-identity-cross-tenant.md

@@ -10,23 +10,35 @@ ms.author: schaffererin
 
 # Configure cross-tenant workload identity on Azure Kubernetes Service (AKS)
 
-In this article, you learn how to configure cross-tenant workload identity on Azure Kubernetes Service (AKS). Cross-tenant workload identity allows you to access resources in another tenant from your AKS cluster.
+In this article, you learn how to configure cross-tenant workload identity on Azure Kubernetes Service (AKS). Cross-tenant workload identity allows you to access resources in another tenant from your AKS cluster. In this example, you will create an Azure Service Bus in one tenant and send messages to it from a workload running in an AKS cluster in another tenant.
 
 For more information on workload identity, see the [Workload identity overview][workload-identity-overview].
 
 ## Prerequisites
 
 * ***Two Azure subscriptions***, each in a separate tenant. In this article, we refer to these as *Tenant A* and *Tenant B*.
 * Azure CLI installed on your local machine. If you don't have the Azure CLI installed, see [Install the Azure CLI][install-azure-cli].
-* X
-* Y
-* Z
+* Bash shell environment. This article uses Bash shell syntax.
+
+In order to complete the steps in this article, you need to have the following information:
+
+* *Tenant A* tenant ID
+* *Tenant A* subscription ID
+* *Tenant B* tenant ID
+* *Tenant B* subscription ID
 
 ## Configure resources in Tenant A
 
 In *Tenant A*, you create an AKS cluster with workload identity and OIDC issuer enabled. You use this cluster to deploy an application that attempts to access resources in *Tenant B*.
 
-1. Log in to your *Tenant A* subscription using the [`az account set`][az-account-set] command.
+1. Log into your *Tenant A* subscription using the [`az login`][az-login-interactively] command and pass in the tenant ID of *Tenant A*.
+
+    ```azurecli-interactive
+    TENANT_A_ID=<tenant-id>
+    az login --tenant $TENANT_A_ID
+    ```
+
+1. Ensure you are working with the correct subscription in *Tenant A* by using the [`az account set`][az-account-set] command.
 
     ```azurecli-interactive
     # Set environment variable
@@ -36,7 +48,7 @@ In *Tenant A*, you create an AKS cluster with workload identity and OIDC issuer
     az account set --subscription $TENANT_A_SUBSCRIPTION_ID
     ```
 
-2. Create a resource group in *Tenant A* to host the AKS cluster using the [`az group create`][az-group-create] command.
+1. Create a resource group in *Tenant A* to host the AKS cluster using the [`az group create`][az-group-create] command.
 
     ```azurecli-interactive
     # Set environment variables
@@ -47,27 +59,45 @@ In *Tenant A*, you create an AKS cluster with workload identity and OIDC issuer
     az group create --name $RESOURCE_GROUP --location $LOCATION
     ```
 
-3. Create an AKS cluster in *Tenant A* with workload identity and OIDC issuer enabled using the [`az aks create`][az-aks-create] command.
+1. Create an AKS cluster in *Tenant A* with workload identity and OIDC issuer enabled using the [`az aks create`][az-aks-create] command.
 
     ```azurecli-interactive
     # Set environment variables
     CLUSTER_NAME=<cluster-name>
 
     # Create an AKS cluster
-    az aks create --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --enable-oidc-issuer --enable-workload-identity --generate-ssh-keys
+    az aks create \
+      --resource-group $RESOURCE_GROUP \
+      --name $CLUSTER_NAME \
+      --enable-oidc-issuer \
+      --enable-workload-identity \
+      --generate-ssh-keys
     ```
 
-4. Get the OIDC issuer URL from the cluster in *Tenant A* using the [`az aks show`][az-aks-show] command.
+1. Get the OIDC issuer URL from the cluster in *Tenant A* using the [`az aks show`][az-aks-show] command.
 
     ```azurecli-interactive
     OIDC_ISSUER_URL=$(az aks show --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME --query "oidcIssuerProfile.issuerUrl" --output tsv)
     ```
 
 ## Configure resources in Tenant B
 
-In *Tenant B*, you create a managed identity, assign it permissions to read subscription information, and establish the trust between the managed identity and the AKS cluster in *Tenant A*.
+In *Tenant B*, you create an Azure Service Bus, a managed identity and assign it permissions to read and write messages to the service bus, and establish the trust between the managed identity and the AKS cluster in *Tenant A*.
+
+1. Log out of your *Tenant A* subscription using the [`az logout`][az-logout] command.
+
+    ```azurecli-interactive
+    az logout
+    ```
+
+1. Log into your *Tenant B* subscription using the [`az login`][az-login-interactively] command and pass in the tenant ID of *Tenant B*.
+
+    ```azurecli-interactive
+    TENANT_B_ID=<tenant-id>
+    az login --tenant $TENANT_B_ID
+    ```
 
-1. Log in to your *Tenant B* subscription using the [`az account set`][az-account-set] command.
+1. Ensure you are working with the correct subscription in *Tenant A* by using the [`az account set`][az-account-set] command.
 
     ```azurecli-interactive
     # Set environment variable
@@ -77,7 +107,7 @@ In *Tenant B*, you create a managed identity, assign it permissions to read subs
     az account set --subscription $TENANT_B_SUBSCRIPTION_ID
     ```
 
-2. Create a resource group in *Tenant B* to host the managed identity using the [`az group create`][az-group-create] command.
+1. Create a resource group in *Tenant B* to host the managed identity using the [`az group create`][az-group-create] command.
 
     ```azurecli-interactive
     # Set environment variables
@@ -87,33 +117,75 @@ In *Tenant B*, you create a managed identity, assign it permissions to read subs
     # Create a resource group
     az group create --name $RESOURCE_GROUP --location $LOCATION
     ```
+1. Create a service bus and queue in *Tenant B* using the [`az servicebus namespace create`][az-servicebus-namespace-create] and [`az servicebus queue create`][az-servicebus-queue-create] commands.
 
-3. Create a user-assigned managed identity in *Tenant B* using the [`az identity create`][az-identity-create] command.
+    ```azurecli-interactive
+    # Set a unique name for the servicebus
+    SERVICEBUS_NAME=sb-crosstenantdemo-$RANDOM
+
+    # Create a new service bus namespace and and return the service bus hostname
+    SERVICEBUS_HOSTNAME=$(az servicebus namespace create \
+    --name $SERVICEBUS_NAME \
+    --resource-group $RESOURCE_GROUP \
+    --disable-local-auth \
+    --query serviceBusEndpoint \
+    --output tsv | sed -e 's/https:\/\///' -e 's/:443\///')
+
+    # Create a new queue in the service bus namespace
+    az servicebus queue create \
+    --name myqueue \
+    --namespace $SERVICEBUS_NAME \
+    --resource-group $RESOURCE_GROUP
+    ```
+
+1. Create a user-assigned managed identity in *Tenant B* using the [`az identity create`][az-identity-create] command.
 
     ```azurecli-interactive
-    # Set environment variable
-    IDENTITY_NAME=<identity-name>
+    # Set user-assigned managed identity name
+    IDENTITY_NAME=${SERVICEBUS_NAME}-identity
 
     # Create a user-assigned managed identity
     az identity create --resource-group $RESOURCE_GROUP --name $IDENTITY_NAME
     ```
+1. Get the principal ID of the managed identity in *Tenant B* using the [`az identity show`][az-identity-show] command.
 
-4. Get the client ID of the managed identity in *Tenant B* using the [`az identity show`][az-identity-show] command.
+    ```azurecli-interactive
+    # Get the user-assigned managed identity principalId
+    PRINCIPAL_ID=$(az identity show \
+      --resource-group $RESOURCE_GROUP \
+      --name $IDENTITY_NAME \
+      --query principalId \
+      --output tsv)
+    ```
+
+1. Get the client ID of the managed identity in *Tenant B* using the [`az identity show`][az-identity-show] command.
 
     ```azurecli-interactive
-    CLIENT_ID=$(az identity show --resource-group $RESOURCE_GROUP --name $IDENTITY_NAME --query clientId --output tsv)
+    CLIENT_ID=$(az identity show \
+      --resource-group $RESOURCE_GROUP \
+      --name $IDENTITY_NAME \
+      --query clientId \
+      --output tsv)
     ```
 
-5. Get the principal ID of the managed identity in *Tenant B* using the [`az identity show`][az-identity-show] command.
+1. Get the resource ID of the service bus namespace in *Tenant B* using the [`az servicebus namespace show`][az-servicebus-namespace-show] command.
 
     ```azurecli-interactive
-    PRINCIPAL_ID=$(az identity show --resource-group $RESOURCE_GROUP --name $IDENTITY_NAME --query principalId --output tsv)
+    SERVICEBUS_ID=$(az servicebus namespace show \
+      --name $SERVICEBUS_NAME \
+      --resource-group $RESOURCE_GROUP \
+      --query id \
+      --output tsv)
     ```
 
-6. Assign the managed identity in *Tenant B* permissions to read subscription information using the [`az role assignment create`][az-role-assignment-create] command.
+6. Assign the managed identity in *Tenant B* permissions to read and write service bus messages using the [`az role assignment create`][az-role-assignment-create] command.
 
     ```azurecli-interactive
-    az role assignment create --role "Reader" --assignee $PRINCIPAL_ID --scope /subscriptions/$TENANT_A_SUBSCRIPTION_ID
+    az role assignment create \
+      --role "Azure Service Bus Data Owner" \
+      --assignee-object-id $PRINCIPAL_ID \
+      --assignee-principal-type ServicePrincipal \
+      --scope $SERVICEBUS_ID
     ```
 
 ## Establish trust between AKS cluster and managed identity
@@ -123,121 +195,115 @@ In this section, you create the federated identity credential needed to establis
 * Create a federated identity credential using the [`az aks federated-identity add`][az-aks-federated-identity-add] command.
 
     ```azurecli-interactive
-    az identity federated-credential create --name $FEDERATED_CREDENTIAL_NAME --identity-name $IDENTITY_NAME --resource-group $RESOURCE_GROUP --issuer $OIDC_ISSUER_URL --subject system:serviceaccount:default:wi-demo-account
+    az identity federated-credential create \
+      --name $IDENTITY_NAME-$RANDOM \
+      --identity-name $IDENTITY_NAME \
+      --resource-group $RESOURCE_GROUP \
+      --issuer $OIDC_ISSUER_URL \
+      --subject system:serviceaccount:default:myserviceaccount
     ```
 
-`--subject system:serviceaccount:default:wi-demo-account` is the name of the Kubernetes service account that you will create later in *Tenant A*. When your application pod makes authentication requests, this value is sent to Azure AD as the `subject` in the authorization request. Azure AD determines eligibility based on whether this value matches what you set when you created the federated identity credential, so it's important to ensure the value matches.
-
-## Create application to read subscription information
-
-XYZ
-
-## Test application
-
-Before you deploy the application to your AKS cluster, you test the application locally to make sure it works. Since your application will read subscription quota information using [Azure Quota API](/rest/api/reserved-vm-instances/quotaapi), you also need to make sure the `Microsoft.Quota` resource provider is registered in your subscription.
-
-1. Log in to either *Tenant A* or *Tenant B* using the [`az account set`][az-account-set] command.
-
-    ```azurecli-interactive
-    az account set --subscription $TENANT_A_SUBSCRIPTION_ID
-    ```
+`--subject system:serviceaccount:default:myserviceaccount` is the name of the Kubernetes service account that you will create later in *Tenant A*. When your application pod makes authentication requests, this value is sent to Microsoft Entra ID as the `subject` in the authorization request. Microsoft Entra ID determines eligibility based on whether this value matches what you set when you created the federated identity credential, so it's important to ensure the value matches.
 
-2. Check if the `Microsoft.Quota` resource provider is registered in your subscription using the [`az provider show`][az-provider-show] command.
+## Deploy application to send messages to Azure Service Bus queue
 
-    ```azurecli-interactive
-    az provider show --namespace Microsoft.Quota
-    ```
+In this section, you deploy an application to your AKS cluster in *Tenant A* that sends messages to the Azure Service Bus queue in *Tenant B*.
 
-    If the `registrationState` is `Registered`, the resource provider is registered. If it's not registered, you can register it using the [`az provider register`][az-provider-register] command.
+1. Log out of your *Tenant B* subscription using the [`az logout`][az-logout] command.
 
     ```azurecli-interactive
-    az provider register --namespace Microsoft.Quota
+    az logout
     ```
 
-3. Once the registration state is `Registered`, you can test the application locally using the following commands:
+1. Log into your *Tenant A* subscription using the [`az login`][az-login-interactively] command and pass in the tenant ID of *Tenant A*.
 
     ```azurecli-interactive
-    XYZ
+    az login --tenant $TENANT_A_ID
     ```
 
-## Deploy application to AKS cluster
-
-Now that you confirmed the application works locally, you can push it to a container registry so that it can be pulled from within your AKS cluster.
-
-1. XYZ
+1. Ensure you are working with the correct subscription in *Tenant A* by using the [`az account set`][az-account-set] command.
 
     ```azurecli-interactive
-    XYZ
+    az account set --subscription $TENANT_A_SUBSCRIPTION_ID
     ```
 
-2. Get the cluster credentials for the AKS cluster in *Tenant A* using the [`az aks get-credentials`][az-aks-get-credentials] command.
+1. Get the cluster credentials for the AKS cluster in *Tenant A* using the [`az aks get-credentials`][az-aks-get-credentials] command.
 
     ```azurecli-interactive
     az aks get-credentials --resource-group $RESOURCE_GROUP --name $CLUSTER_NAME
     ```
 
-3. Create a new Kubernetes service account in the `default` namespace with the client ID of your managed identity using the `kubectl apply` command. Make sure to replace the `<YOUR_USER_ASSIGNED_MANAGED_IDENTITY>` placeholder with the client ID of your managed identity in *Tenant B*.
+1. Create a new Kubernetes ServiceAccount in the `default` namespace and pass in the client ID of your managed identity in *Tenant B* to the `kubectl apply` command. The client ID is used to authenticate the pod to the Azure Service Bus.
 
     ```azurecli-interactive
     kubectl apply -f - <<EOF
     apiVersion: v1
     kind: ServiceAccount
     metadata:
       annotations:
-        azure.workload.identity/client-id: <YOUR_USER_ASSIGNED_MANAGED_IDENTITY_CLIENT_ID>
-      name: wi-demo-account
-      namespace: default
+        azure.workload.identity/client-id: $CLIENT_ID
+      name: myserviceaccount
     EOF
     ```
 
-4. Create a new pod in the `default` namespace with the image name, the *Tenant B* tenant ID, and the *Tenant B* subscription ID using the `kubectl apply` command. Make sure to replace the placeholders with your own values.
+4. Create a new Kubernetes Job in the `default` namespace to send 100 messages to your Azure Service Bus queue. The Pod template is configured to use workload identity and the service account you created in the previous step. Also note that the `AZURE_TENANT_ID` environment variable is set to the tenant ID of *Tenant B*. This is required as workload identity defaults to the tenant of the AKS cluster, so you need to explicitly set the tenant ID of *Tenant B*.
 
     ```azurecli-interactive
     kubectl apply -f - <<EOF
-    apiVersion: v1
-    kind: Pod
+    apiVersion: batch/v1
+    kind: Job
     metadata:
-      name: wi-demo-app
-      namespace: default
-      labels:
-        azure.workload.identity/use: "true"
+      name: myproducer
     spec:
-      serviceAccountName: wi-demo-account
-      containers:
-      - name: wi-demo-app
-        image: <YOUR_IMAGE_NAME>
-        env:
-        - name: AZURE_TENANT_ID
-          value: <TENANT_B_ID>
-        - name: AZURE_SUBSCRIPTION_ID
-          value: <TENANT_B_SUBSCRIPTION_ID>
-        - name: AZURE_REGION
-          value: eastus
-        - name: AZURE_RESOURCE_NAME
-          value: cores
-        resources: {}
-      dnsPolicy: ClusterFirst
-      restartPolicy: Always
+      template:
+        metadata:
+          labels:
+            azure.workload.identity/use: "true"
+        spec:
+          serviceAccountName: myserviceaccount
+          containers:
+          - image: ghcr.io/azure-samples/aks-app-samples/servicebusdemo:latest
+            name: myproducer
+            resources: {}
+            env:
+            - name: OPERATION_MODE
+              value: "producer"
+            - name: MESSAGE_COUNT
+              value: "100"
+            - name: AZURE_SERVICEBUS_QUEUE_NAME
+              value: myqueue
+            - name: AZURE_SERVICEBUS_HOSTNAME
+              value: $SERVICEBUS_HOSTNAME
+            - name: AZURE_TENANT_ID
+              value: $TENANT_B_ID
+          restartPolicy: Never
     EOF
     ```
 
-5. Verify that the pod is running using the `kubectl get pods` command.
+5. Verify that the pod is configured correctly to interact with the Azure Service Bus queue in *Tenant B* by checking the status of the pod using the `kubectl describe pod` command.
 
     ```azurecli-interactive
-    kubectl get pods
+    # Get the dynamically generated pod name
+    POD_NAME=$(kubectl get po --selector job-name=myproducer -o jsonpath='{.items[0].metadata.name}')
+    
+    # Get the tenant ID environment variable
+    kubectl describe pod $POD_NAME | grep AZURE_TENANT_ID
     ```
 
-6. Check the logs of the pod to see if the application was able to read subscription information using the `kubectl logs` command.
+6. Check the logs of the pod to see if the application was able to send messages across tenants using the `kubectl logs` command.
 
     ```azurecli-interactive
-    kubectl logs wi-demo-app
+    kubectl logs $POD_NAME
     ```
 
     Your output should look similar to the following example output:
 
     ```output
-    2023/08/24 17:48:03 clientResponse: {"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Compute/locations/eastus/providers/Microsoft.Quota/quotas/cores","name":"cores","properties":{"isQuotaApplicable":true,"limit":{"limitObjectType":"LimitValue","limitType":"Independent","value":20},"name":{"localizedValue":"Total Regional vCPUs","value":"cores"},"properties":{},"unit":"Count"},"type":"Microsoft.Quota/Quotas"}
-    2023/08/24 17:48:04 usagesClientResponse: {"id":"/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Compute/locations/eastus/providers/Microsoft.Quota/usages/cores","name":"cores","properties":{"isQuotaApplicable":true,"name":{"localizedValue":"Total Regional vCPUs","value":"cores"},"properties":{},"unit":"Count","usages":{}},"type":"Microsoft.Quota/Usages"}
+    ...
+    Adding message to batch: Hello World!
+    Adding message to batch: Hello World!
+    Adding message to batch: Hello World!
+    Sent 100 messages
     ```
 
 ## Next steps
@@ -251,6 +317,8 @@ In this article, you learned how to configure cross-tenant workload identity on
 [workload-identity-overview]: ./workload-identity-overview.md
 [configure-workload-identity]: ./workload-identity-deploy-cluster.md
 [install-azure-cli]: /cli/azure/install-azure-cli
+[az-login-interactively]: cli/azure/authenticate-azure-cli-interactively#interactive-login
+[az-logout]: cli/azure/authenticate-azure-cli-interactively#logout
 [az-account-set]: /cli/azure/account#az_account_set
 [az-group-create]: /cli/azure/group#az_group_create
 [az-aks-create]: /cli/azure/aks#az_aks_create
@@ -262,3 +330,6 @@ In this article, you learned how to configure cross-tenant workload identity on
 [az-provider-show]: /cli/azure/provider#az_provider_show
 [az-provider-register]: /cli/azure/provider#az_provider_register
 [az-aks-get-credentials]: /cli/azure/aks#az_aks_get_credentials
+[az-servicebus-namespace-create]: cli/azure/servicebus/namespace?view=azure-cli-latest#az-servicebus-namespace-create
+[az-servicebus-namespace-show]: cli/azure/servicebus/namespace?view=azure-cli-latest#az-servicebus-namespace-show
+[az-servicebus-queue-create]: cli/azure/servicebus/queue?view=azure-cli-latest#az-servicebus-queue-create