articles/aks/workload-identity-overview.md
Lines changed: 9 additions & 10 deletions
@@ -2,17 +2,19 @@
2
2
title: Use an Azure AD workload identities (preview) on Azure Kubernetes Service (AKS)
3
3
description: Learn about Azure Active Directory workload identity (preview) for Azure Kubernetes Service (AKS) and how to migrate your application to authenticate using this identity.
4
4
ms.topic: article
5
-
ms.date: 03/28/2023
5
+
ms.date: 04/18/2023
6
6
7
7
---
8
8
9
9
# Use Azure AD workload identity with Azure Kubernetes Service (AKS)
10
10
11
-
Azure AD Workload Identity leverages [Service Account Token Volume Projection](https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/#serviceaccount-token-volume-projection) giving pods the ability to use a Kubernetes identity (service account), to which a Kubernetes token is issued and [OIDC federation](https://kubernetes.io/docs/reference/access-authn-authz/authentication/#openid-connect-tokens) which enables Kubernetes applications to access Azure cloud resources securely with Azure Active Directory based on annotated service accounts.
11
+
Workloads deployed on an Azure Kubernetes Services (AKS) cluster require Azure Active Directory (Azure AD) application credentials or managed identities to access Azure AD protected resources, such as Azure Key Vault and Microsoft Graph. Azure AD workload identity integrates with the capabilities native to Kubernetes to federate with external identity providers.
12
+
13
+
[Azure AD workload identity][azure-ad-workload-identity] uses [Service Account Token Volume Projection][service-account-token-volume-projection] enabling pods to use a Kubernetes identity (that is, a service account). A Kubernetes token is issued and [OIDC federation][oidc-federation] enables Kubernetes applications to access Azure resources securely with Azure AD based on annotated service accounts.
12
14
13
15
Azure AD workload identity works especially well with the Azure Identity client library using the [Azure SDK][azure-sdk-download] and the [Microsoft Authentication Library][microsoft-authentication-library] (MSAL) if you're using [application registration][azure-ad-application-registration]. Your workload can use any of these libraries to seamlessly authenticate and access Azure cloud resources.
14
16
15
-
This article helps you understand this new authentication feature, and reviews the options available to plan your project strategy and potential migration from Pod Identity.
17
+
This article helps you understand this new authentication feature, and reviews the options available to plan your project strategy and potential migration from Azure AD pod-managed identity.
16
18
17
19
## Dependencies
18
20
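Review bot: the new lead paragraph (new line 12) has a typo, "Azure Kubernetes Services (AKS)" should read "Azure Kubernetes Service (AKS)", matching the title and description in the front matter above it. The rewritten lines also switch from inline URLs to reference-style links ([azure-ad-workload-identity], [service-account-token-volume-projection], [oidc-federation], alongside the existing [azure-sdk-download] and [microsoft-authentication-library]) whose definitions are not in this hunk; confirm the link-definition block at the end of the file (the -134,11 +136,11 hunk is not shown here) adds them, otherwise the rendered page shows bare bracketed text. While here, the unchanged front-matter title "Use an Azure AD workload identities (preview)" is ungrammatical ("an ... identities") and still carries "(preview)" while the H1 on line 9 does not; the two should agree.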
@@ -68,7 +70,7 @@ The following diagram summarizes the authentication sequence using OpenID Connec
68
70
69
71
### Webhook Certificate Auto Rotation
70
72
71
-
Similar to other webhook addons, the certificate will be rotated by cluster certificate [auto rotation](https://learn.microsoft.com/azure/aks/certificate-rotation#certificate-auto-rotation) operation.
73
+
Similar to other webhook addons, the certificate will be rotated by cluster certificate [auto rotation][auto-rotation] operation.
72
74
73
75
## Service account labels and annotations
74
76
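Review bot: [auto-rotation] replaces an absolute learn.microsoft.com URL with a reference-style link whose definition is not visible in this diff; check that it is defined at the end of the file, since a missing definition silently drops the link to the certificate-rotation article. The sentence itself could also lose a word: "rotated by the cluster certificate [auto rotation][auto-rotation] operation" reads better than "rotated by cluster certificate ... operation".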
@@ -134,11 +136,11 @@ The following table summarizes our migration or deployment recommendations for w