Merge pull request #274351 from wchigit/add-aks-cli

Add CLI docs for AKS service connector support

Author: PMEds28

.openpublishing.redirection.json

@@ -4000,11 +4000,6 @@
             "redirect_url":"/azure/reliability/reliability-containers",
             "redirect_document_id":false 
         },
-		{
-			"source_path_from_root":"/articles/service-connector/quickstart-cli-aks-connection.md",
-			"redirect_url":"/azure/service-connector/quickstart-portal-aks-connection",
-			"redirect_document_id":false
-		},
         {
             "source_path_from_root":"/articles/aks/generation-2-vm-windows.md",
             "redirect_url":"/azure/aks/generation-2-vm",

articles/service-connector/quickstart-cli-aks-connection.md

@@ -0,0 +1,106 @@
+---
+title: Quickstart - Create a service connection in Azure Kubernetes Service (AKS) with the Azure CLI
+description: Quickstart showing how to create a service connection in Azure Kubernetes Service (AKS) with the Azure CLI
+author: houk-ms
+ms.author: honc
+ms.service: service-connector
+ms.topic: quickstart
+ms.date: 05/06/2024
+ms.devlang: azurecli
+ms.custom: devx-track-azurecli
+---
+# Quickstart: Create a service connection in AKS cluster with the Azure CLI
+
+This quickstart shows you how to connect Azure Kubernetes Service (AKS) to other Cloud resources using Azure CLI and Service Connector. Service Connector lets you quickly connect compute services to cloud services, while managing your connection's authentication and networking settings.
+
+[!INCLUDE [quickstarts-free-trial-note](../../includes/quickstarts-free-trial-note.md)]
+
+[!INCLUDE [azure-cli-prepare-your-environment.md](~/reusable-content/azure-cli/azure-cli-prepare-your-environment.md)]
+
+* This quickstart requires version 2.30.0 or higher of the Azure CLI. If using Azure Cloud Shell, the latest version is already installed.
+* This quickstart assumes that you already have an AKS cluster. If you don't have one yet, [create an AKS cluster](../aks/learn/quick-kubernetes-deploy-cli.md).
+* This quickstart assumes that you already have an Azure Storage account. If you don't have one yet, [create an Azure Storage account](../storage/common/storage-account-create.md).
+
+## Initial set-up
+
+1. If you're using Service Connector for the first time, start by running the command [az provider register](/cli/azure/provider#az-provider-register) to register the Service Connector resource provider.
+
+   ```azurecli
+   az provider register -n Microsoft.ServiceLinker
+   ```
+
+   > [!TIP]
+   > You can check if the resource provider has already been registered by running the command  `az provider show -n "Microsoft.ServiceLinker" --query registrationState`. If the output is `Registered`, then Service Connector has already been registered.
+
+1. Optionally, use the Azure CLI command to get a list of supported target services for AKS cluster.
+
+   ```azurecli
+   az aks connection list-support-types --output table
+   ```
+
+## Create a service connection
+
+### [Using an access key](#tab/Using-access-key)
+
+Run the following Azure CLI command to create a service connection to an Azure Blob Storage with an access key, providing the following information.
+
+```azurecli
+az aks connection create storage-blob --secret
+```
+
+Provide the following information as prompted:
+
+* **Source compute service resource group name:** the resource group name of the AKS cluster.
+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.
+* **Target service resource group name:** the resource group name of the Blob Storage.
+* **Storage account name:** the account name of your Blob Storage.
+
+> [!NOTE]
+> If you don't have a Blob Storage, you can run `az aks connection create storage-blob --new --secret` to provision a new one and directly get connected to your aks cluster.
+
+### [Using a workload identity](#tab/Using-Managed-Identity)
+
+> [!IMPORTANT]
+> Using Managed Identity requires you have the permission to [Microsoft Entra ID role assignment](../active-directory/managed-identities-azure-resources/howto-assign-access-portal.md). If you don't have the permission, your connection creation will fail. You can ask your subscription owner for the permission or use an access key to create the connection.
+
+Use the Azure CLI command to create a service connection to a Blob Storage with a workload identity, providing the following information:
+
+* **Source compute service resource group name:** the resource group name of the AKS cluster.
+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.
+* **Target service resource group name:** the resource group name of the Blob Storage.
+* **Storage account name:** the account name of your Blob Storage.
+* **User-assigned identity resource ID:** the resource ID of the user assigned identity that is used to create workload identity
+
+```azurecli
+az aks connection create storage-blob \
+    --workload-identity <user-identity-resource-id>
+```
+
+> [!NOTE]
+> If you don't have a Blob Storage, you can run `az aks connection create storage-blob --new --workload-identity <user-identity-resource-id>"` to provision a new one and get connected to your function app straightaway.
+
+---
+
+## View connections
+
+Use the Azure CLI [az aks connection list](/cli/azure/functionapp/connection#az-functionapp-connection-list) command to list connections to your AKS Cluster, providing the following information:
+
+* **Source compute service resource group name:** the resource group name of the AKS cluster.
+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.
+
+```azurecli
+az aks connection list \
+    -g "<your-aks-cluster-resource-group>" \
+    -n "<your-aks-cluster-name>" \
+    --output table
+```
+
+## Next steps
+
+Go to the following tutorials to start connecting AKS cluster to Azure services with Service Connector.
+
+> [!div class="nextstepaction"]
+> [Tutorial: Connect to Azure Key Vault using CSI driver](./tutorial-python-aks-keyvault-csi-driver.md)
+
+> [!div class="nextstepaction"]
+> [Tutorial: Connect to Azure Storage using workload identity](./tutorial-python-aks-storage-workload-identity.md)

articles/service-connector/toc.yml

@@ -37,6 +37,8 @@ items:
       items: 
         - name: Azure portal
           href: quickstart-portal-aks-connection.md
+        - name: Azure CLI
+          href: quickstart-cli-aks-connection.md
     - name: Azure Spring Apps
       expanded: false
       items: 

articles/service-connector/tutorial-python-aks-keyvault-csi-driver.md

@@ -78,7 +78,9 @@ Learn how to connect to Azure Key Vault using CSI driver in an Azure Kubernetes
 
 ## Create a service connection in AKS with Service Connector (preview)
 
-Create a service connection between an AKS cluster and an Azure Key Vault using the Azure portal.
+Create a service connection between an AKS cluster and an Azure Key Vault using the Azure portal or the Azure CLI.
+
+### [Portal](#tab/azure-portal)
 
 1. Open your **Kubernetes service** in the Azure portal and select **Service Connector** from the left menu.
 
@@ -97,6 +99,21 @@ Create a service connection between an AKS cluster and an Azure Key Vault using
 
     :::image type="content" source="./media/aks-tutorial/kubernetes-resources.png" alt-text="Screenshot of the Azure portal, viewing kubernetes resources created by Service Connector.":::
 
+### [Azure CLI](#tab/azure-cli)
+
+Run the following Azure CLI command to create a service connection to an Azure Key Vault.
+
+```azurecli
+az aks connection create keyvault --enable-csi
+```
+
+Provide the following information as prompted:
+
+* **Source compute service resource group name:** the resource group name of the AKS cluster.
+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.
+* **Target service resource group name:** the resource group name of the Azure Key Vault.
+* **Key vault name:** the Azure Key Vault that is connected.
+
 ---
 
 ## Test the connection

articles/service-connector/tutorial-python-aks-storage-workload-identity.md

@@ -97,7 +97,9 @@ Learn how to create a pod in an AKS cluster, which talks to an Azure storage acc
 
 ## Create service connection with Service Connector (preview)
 
-Create a service connection between an AKS cluster and an Azure storage account using the Azure portal.
+Create a service connection between an AKS cluster and an Azure storage account using the Azure portal or the Azure CLI.
+
+### [Portal](#tab/azure-portal)
 
 1. Open your **Kubernetes service** in the Azure portal and select **Service Connector** from the left menu.
 
@@ -122,8 +124,25 @@ Create a service connection between an AKS cluster and an Azure storage account
     | **User assigned managed identity** | `<MyIdentity>`      | A user assigned managed identity is needed to enable workload identity. |
 
 1. Once the connection has been created, the Service Connector page displays information about the new connection.
+    :::image type="content" source="./media/aks-tutorial/kubernetes-resources.png" alt-text="Screenshot of the Azure portal, viewing kubernetes resources created by Service Connector.":::
+
+
+### [Azure CLI](#tab/azure-cli)
+
+Run the following Azure CLI command to create a service connection to the Azure storage account, providing the following information:
+
+```azurecli
+az aks connection create storage-blob \
+    --workload-identity <user-identity-resource-id>
+```
+
+Provide the following information as prompted:
 
-:::image type="content" source="./media/aks-tutorial/kubernetes-resources.png" alt-text="Screenshot of the Azure portal, viewing kubernetes resources created by Service Connector.":::
+* **Source compute service resource group name:** the resource group name of the AKS cluster.
+* **AKS cluster name:** the name of your AKS cluster that connects to the target service.
+* **Target service resource group name:** the resource group name of the Azure storage account.
+* **Storage account name:** the Azure storage account that is connected.
+* **User-assigned identity resource ID:** the resource ID of the user-assigned identity used to create the workload identity.
 
 ---