
Commit 7707711

Merge pull request #228782 from schaffererin/akv-aks-secrets
Incorporating feedback
2 parents 7c6e41a + b10fa67 commit 7707711

File tree

1 file changed

+9
-3
lines changed


articles/aks/csi-secrets-store-identity-access.md

Lines changed: 9 additions & 3 deletions
@@ -4,7 +4,7 @@ description: Learn about the various methods that you can use to allow the Azure
44
author: nickomang
55
ms.author: nickoman
66
ms.topic: article
7-
ms.date: 01/31/2023
7+
ms.date: 02/27/2023
88
ms.custom: devx-track-azurecli
99
---
1010

@@ -42,7 +42,7 @@ Azure AD workload identity (preview) is supported on both Windows and Linux clus
4242
az account set --subscription $subscriptionID
4343
az identity create --name $UAMI --resource-group $resourceGroupName
4444
export USER_ASSIGNED_CLIENT_ID="$(az identity show -g $resourceGroupName --name $UAMI --query 'clientId' -o tsv)"
45-
export IDENTITY_TENANT=$(az aks show --name $clusterName --resource-group $resourceGroupName --query aadProfile.tenantId -o tsv)
45+
export IDENTITY_TENANT=$(az aks show --name $clusterName --resource-group $resourceGroupName --query identity.tenantId -o tsv)
4646
```
4747
4848
2. You need to set an access policy that grants the workload identity permission to access the Key Vault secrets, access keys, and certificates. The rights are assigned using the `az keyvault set-policy` command shown below.
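Review bot: `identity.tenantId` on the replaced `export IDENTITY_TENANT=...` line is only populated when the cluster itself runs with a managed identity; on a cluster created with a service principal `az aks show` returns `identity: null`, so `IDENTITY_TENANT` silently ends up empty. The client ID on the line above is already read from the user-assigned identity with `az identity show`, so the tenant is more reliably taken from the same resource, `az identity show -g $resourceGroupName --name $UAMI --query tenantId -o tsv`, which is the tenant that identity actually belongs to. Whichever source is kept, add a guard such as `[ -n "$IDENTITY_TENANT" ] || echo "tenant lookup failed"` before the reader moves on to `az keyvault set-policy`, otherwise the failure only shows up later as an authentication error in the pod.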
@@ -120,10 +120,13 @@ Azure AD workload identity (preview) is supported on both Windows and Linux clus
120120
EOF
121121
```
122122
123+
> [!NOTE]
124+
> If you use `objectAlias` instead of `objectName`, make sure to update the YAML script.
125+
123126
6. Deploy a sample pod. Notice the service account reference in the pod definition:
124127
125128
```bash
126-
cat <<EOF | kubectl -n $serviceAccountNamespace -f -
129+
cat <<EOF | kubectl apply -f -
127130
# This is a sample pod definition for using SecretProviderClass and the user-assigned identity to access your key vault
128131
kind: Pod
129132
apiVersion: v1
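Review bot: dropping `-n $serviceAccountNamespace` on the `cat <<EOF | kubectl apply -f -` line fixes the missing `apply` verb but changes where the pod lands: it is now created in whatever namespace the current kubeconfig context points at, while step 6 tells the reader to notice the service account reference in the pod definition, and Kubernetes only resolves that reference within the pod's own namespace. Either keep the flag, `cat <<EOF | kubectl -n $serviceAccountNamespace apply -f -`, or add `namespace: $serviceAccountNamespace` under the pod's `metadata`. The new NOTE above it should also say which field has to change when `objectAlias` is used instead of `objectName`; "update the YAML script" leaves the reader guessing.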
@@ -207,6 +210,9 @@ Azure AD workload identity (preview) is supported on both Windows and Linux clus
207210
tenantId: <tenant-id> # The tenant ID of the key vault
208211
```
209212
213+
> [!NOTE]
214+
> If you use `objectAlias` instead of `objectName`, make sure to update the YAML script.
215+
210216
1. Apply the `SecretProviderClass` to your cluster:
211217
212218
```bash
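Review bot: this NOTE is a verbatim copy of the one added earlier in the same commit and has the same gap: it does not say which YAML field must change when `objectAlias` replaces `objectName`. Name the field in both places, and since the wording is identical consider a single shared snippet so the two copies do not drift apart in later edits.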

0 commit comments
