Merge branch 'user/junbchen/saWorkloadIdentity' of https://github.com/RichardChen820/azure-docs-pr into user/junbchen/saWorkloadIdentity

RichardChen820 · RichardChen820 · commit 6d11c870e4d3 · 2024-09-03T16:56:14.000+08:00
diff --git a/articles/azure-app-configuration/quickstart-azure-kubernetes-service.md b/articles/azure-app-configuration/quickstart-azure-kubernetes-service.md
@@ -245,6 +245,30 @@ Add following key-values to the App Configuration store and leave **Label** and
     > [!TIP]
     > The App Configuration Kubernetes Provider is also available as an AKS extension. This integration allows for seamless installation and management via the Azure CLI, ARM templates, or Bicep templates. Utilizing the AKS extension facilitates automatic minor/patch version updates, ensuring your system is always up-to-date. For detailed installation instructions, please refer to the [Azure App Configuration extension for Azure Kubernetes Service](/azure/aks/azure-app-configuration).
 
+1. Follow the step 1-4 in [using workload identity](./reference-kubernetes-provider.md#use-workload-identity) and note down the client ID, tenant ID, resource group and name of the managed identity, the OIDC issuer URL of the AKS cluster, you will use them in the following steps.
+
+1. Add a *serviceaccount.yaml* file to the *Deployment* directory with the following content to create a service account for the application.
+
+    ```yaml
+    apiVersion: v1
+    kind: ServiceAccount
+    metadata:
+      name: aspnetapp-demo-service-account
+      annotations:
+        azure.workload.identity/client-id: <your-managed-identity-client-id>
+        azure.workload.identity/tenant-id: <your-tenant-id>
+    ```
+
+    Replace the value of the `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id` fields with the client ID and tenant ID of the managed identity you created in the previous step.
+
+1. Create federated credentials for the service account by running the following command:
+   
+    ```azurecli
+     az identity federated-credential create --name "federated-credential-demo" --identity-name <identity-name> --resource-group  <resource-group> --issuer <OIDC-issuer> --subject system:serviceaccount:default:aspnetapp-demo-service-account --audience api://AzureADTokenExchange
+    ```
+
+    Replace the value of the `identity-name`, `resource-group` fields with the name, resource group of your managed identity created in the previous step. Replace the value of the `OIDC-issuer` field with the OIDC issuer URL of your AKS cluster. 
+
 1. Add an *appConfigurationProvider.yaml* file to the *Deployment* directory with the following content to create an `AzureAppConfigurationProvider` resource. `AzureAppConfigurationProvider` is a custom resource that defines what data to download from an Azure App Configuration store and creates a ConfigMap.
    
     ```yaml
diff --git a/articles/azure-app-configuration/reference-kubernetes-provider.md b/articles/azure-app-configuration/reference-kubernetes-provider.md
@@ -163,6 +163,7 @@ The `spec.featureFlag.refresh` property has the following child properties.
 
 Use the following `helm install` command to install the Azure App Configuration Kubernetes Provider. See [helm-values.yaml](https://github.com/Azure/AppConfiguration-KubernetesProvider/blob/main/deploy/parameter/helm-values.yaml) for the complete list of parameters and their default values. You can override the default values by passing the `--set` flag to the command.
 
+
 ```bash
 helm install azureappconfiguration.kubernetesprovider \
     oci://mcr.microsoft.com/azure-app-configuration/helmchart/kubernetes-provider \
