GA: Azure Active Directory workload identity with AKS
Published date: April 18, 2023
In Azure Kubernetes Service (AKS) today, a preview feature allows you to assign managed identities at the pod-level. This pod-managed identity allows the hosted workload or application access to resources through Azure Active Directory (Azure AD). For example, a workload stores files in Azure Storage, and when it needs to access those files, the pod authenticates itself against the resource as an Azure managed identity.
This authentication method is now replaced with Azure Active Directory (Azure AD) workload identities, which integrate with the Kubernetes native capabilities to federate with any external identity providers. This approach is simpler to use and deploy, and overcomes several limitations in Azure AD pod-managed identity:
- Removes the scale and performance issues that existed for identity assignment
- Supports Kubernetes clusters hosted in any cloud or on-premises
- Supports both Linux and Windows workloads
- Removes the need for Custom Resource Definitions and pods that intercept Azure Instance Metadata Service (IMDS) traffic
- Avoids the complicated and error-prone installation steps such as cluster role assignment from the previous iteration
Azure AD workload identity works especially well with the Azure Identity client library using the Azure SDK and the Microsoft Authentication Library (MSAL) if you're using application registration. Your workload can use any of these libraries to seamlessly authenticate and access Azure cloud resources.
Learn more: https://aka.ms/aks/workloadidentity