Version: 1.3

Azure Workload Identity Setup

Azure Workload Identity allows your agent to authenticate with Azure services without storing credentials in your Kubernetes cluster. Instead of using stored secrets, it uses your AKS cluster's identity to securely access Azure resources.

When to use this method:

  • You're running on AKS (Azure Kubernetes Service)
  • You want enhanced security without managing secrets
  • Your cluster has workload identity enabled

How it works: Your agent uses a Kubernetes service account that's linked to an Azure managed identity, eliminating the need for stored credentials.
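To make the link concrete, here is an added example (not code from this page or from the project) of what the pod sees at runtime: the projected service account token is a JWT whose iss and sub claims must exactly match the federated credential, and the pod trades that token for an Entra ID access token instead of presenting a stored secret. The environment variable names (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_AUTHORITY_HOST, AZURE_FEDERATED_TOKEN_FILE) are the ones the Azure Workload Identity webhook injects; the sample token, issuer and subject values are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the page or the project: inspect the projected
# service account token a Workload Identity pod receives, confirm its
# iss/sub claims match what the federated credential expects, and show the
# token exchange that replaces a stored secret.
set -euo pipefail

# base64url helpers (the encoding JWTs use).
b64url_encode() { printf '%s' "$1" | base64 | tr -d '\n=' | tr '+/' '-_'; }
b64url_decode() {
  local s="${1//-/+}"; s="${s//_//}"
  local pad=$(( (4 - ${#s} % 4) % 4 ))
  printf '%s%s' "$s" "$(printf '%*s' "$pad" '' | tr ' ' '=')" | base64 -d
}

# Claims (second dot-separated part) of a JWT. No signature check here:
# this is for reading iss/sub/aud while debugging; Azure verifies the token.
jwt_payload() { b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"; }

# One string claim from compact (unindented) JSON, e.g. jwt_claim "$tok" sub
jwt_claim() { jwt_payload "$1" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"; }

# Federation succeeds only if issuer and subject both match exactly.
check_federation() {
  local token="$1" issuer="$2" subject="$3"
  [ "$(jwt_claim "$token" iss)" = "$issuer" ] && [ "$(jwt_claim "$token" sub)" = "$subject" ]
}

# Constructed sample token shaped like an AKS projected token (fake signature).
SAMPLE_ISSUER="https://westeurope.oic.prod-aks.azure.com/TENANT-ID/CLUSTER-ID/"
SAMPLE_SUBJECT="system:serviceaccount:resiliency-system:demo-agent"
HEADER=$(b64url_encode '{"alg":"RS256","typ":"JWT"}')
CLAIMS=$(b64url_encode "{\"iss\":\"$SAMPLE_ISSUER\",\"sub\":\"$SAMPLE_SUBJECT\",\"aud\":[\"api://AzureADTokenExchange\"]}")
SAMPLE_JWT="$HEADER.$CLAIMS.not-a-real-signature"

# Runtime exchange (client credentials grant with a JWT client assertion).
# The webhook mounts the token file and sets AZURE_CLIENT_ID, AZURE_TENANT_ID,
# AZURE_AUTHORITY_HOST and AZURE_FEDERATED_TOKEN_FILE in the pod.
exchange_token() {
  local scope="${1:-https://management.azure.com/.default}"
  curl -sS -X POST "${AZURE_AUTHORITY_HOST:-https://login.microsoftonline.com/}${AZURE_TENANT_ID}/oauth2/v2.0/token" \
    --data-urlencode "grant_type=client_credentials" \
    --data-urlencode "client_id=${AZURE_CLIENT_ID}" \
    --data-urlencode "client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer" \
    --data-urlencode "client_assertion@${AZURE_FEDERATED_TOKEN_FILE}" \
    --data-urlencode "scope=${scope}"
}

# Inside the pod, check the token before exchanging it:
#   check_federation "$(cat "$AZURE_FEDERATED_TOKEN_FILE")" "<issuer-url>" "<subject>" && exchange_token
```

When the exchange fails with an issuer or subject error, run check_federation against the mounted token file with the values from your federated credential; a single differing character in the namespace or service account name is enough to break the match.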

Prerequisites

  • AKS cluster with workload identity and OIDC issuer enabled
  • Azure CLI installed and authenticated
  • Permissions to create managed identities and assign roles
  • Access to the target Azure subscription

Steps to configure Workload Identity

1. Verify AKS cluster configuration

Check that your AKS cluster has the required features enabled:

# Check OIDC issuer is enabled
az aks show --resource-group <your-resource-group> --name <your-cluster-name> --query "oidcIssuerProfile.enabled" -o tsv

Should return: true

# Check workload identity is enabled
az aks show --resource-group <your-resource-group> --name <your-cluster-name> --query "securityProfile.workloadIdentity.enabled" -o tsv

Should return: true

2. Get the OIDC issuer URL

# Get your OIDC issuer URL (save this value for step 5)
az aks show -n "<your-cluster-name>" -g "<your-resource-group>" --query "oidcIssuerProfile.issuerUrl" -otsv

You should see output similar to:

https://<your-region>.oic.prod-aks.azure.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

3. Create a managed identity

az identity create \
--name "astronetes-azure-agent" \
--resource-group "<your-resource-group>" \
--location "<your-region>" \
--subscription "<your-subscription-id>"

Get the client ID (save this value for agent configuration):

az identity show --resource-group "<your-resource-group>" --name "astronetes-azure-agent" --query 'clientId' -otsv

4. Assign required permissions

Get the managed identity's principal ID:

az identity show \
--name "astronetes-azure-agent" \
--resource-group "<your-resource-group>" \
--query "principalId" -o tsv

Assign the Reader role using the principal ID from above:

az role assignment create \
--assignee <principal-id-from-above> \
--role "Reader" \
--scope /subscriptions/<your-subscription-id>

Get your subscription ID (save this value for agent configuration):

az account show --query "id" -o tsv

5. Create federated credential

Link the managed identity to your agent's service account:

az identity federated-credential create \
--name "astronetes-federated-credential" \
--identity-name "astronetes-azure-agent" \
--resource-group "<your-resource-group>" \
--issuer "<oidc-issuer-url-from-step-2>" \
--subject "system:serviceaccount:resiliency-system:<your-agent-name>"

Replace <your-agent-name> with the name you'll give your agent when creating it.

Required information for agent configuration

After completing these steps, you'll have:

  • Client ID (from step 3)
  • Tenant ID (from your Azure subscription)
  • Subscription ID
  • Service Account Name (used in the federated credential subject)

Security considerations

  • Workload Identity eliminates the need to store credentials in your cluster
  • Ensure the federated credential subject exactly matches your agent's service account (namespace and name)
  • Follow the principle of least privilege when assigning roles
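The following is an added example, not the project's own tooling: steps 1 to 5 above as one script, ending with the subject-match check from "Security considerations" and printing the values listed under "Required information for agent configuration". Resource group, cluster, location and agent names are constructed placeholders taken from the angle-bracket values above; the role and scope are the Reader-at-subscription assignment the page uses.

```shell
#!/usr/bin/env bash
# Added example (not from the page or the project): the five setup steps as a
# script, plus a check that the stored federated-credential subject matches
# the agent's service account exactly.
set -euo pipefail

# Constructed placeholder values; override via the environment.
RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"
CLUSTER_NAME="${CLUSTER_NAME:-my-aks}"
LOCATION="${LOCATION:-westeurope}"
IDENTITY_NAME="${IDENTITY_NAME:-astronetes-azure-agent}"
FEDCRED_NAME="${FEDCRED_NAME:-astronetes-federated-credential}"
SA_NAMESPACE="${SA_NAMESPACE:-resiliency-system}"
SA_NAME="${SA_NAME:-my-agent}"   # <your-agent-name>
ROLE="${ROLE:-Reader}"

# Kubernetes service account subject in the exact form the federated credential needs.
subject_for() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# az -o tsv has printed booleans as "true" or "True" depending on version; accept both.
is_true() { case "${1:-}" in true|True|TRUE) return 0;; *) return 1;; esac; }

# Step 1: both features must be on, otherwise no projected token is issued.
check_cluster() {
  local oidc wi
  oidc=$(az aks show -g "$RESOURCE_GROUP" -n "$CLUSTER_NAME" --query "oidcIssuerProfile.enabled" -o tsv)
  wi=$(az aks show -g "$RESOURCE_GROUP" -n "$CLUSTER_NAME" --query "securityProfile.workloadIdentity.enabled" -o tsv)
  is_true "$oidc" || { echo "OIDC issuer is not enabled on $CLUSTER_NAME" >&2; return 1; }
  is_true "$wi"   || { echo "workload identity is not enabled on $CLUSTER_NAME" >&2; return 1; }
}

main() {
  check_cluster

  # Step 2: issuer URL, consumed by the federated credential in step 5.
  local issuer
  issuer=$(az aks show -g "$RESOURCE_GROUP" -n "$CLUSTER_NAME" --query "oidcIssuerProfile.issuerUrl" -o tsv)

  # Step 3: managed identity and its IDs.
  local subscription_id tenant_id client_id principal_id
  subscription_id=$(az account show --query id -o tsv)
  tenant_id=$(az account show --query tenantId -o tsv)
  az identity create -n "$IDENTITY_NAME" -g "$RESOURCE_GROUP" -l "$LOCATION" --subscription "$subscription_id" >/dev/null
  client_id=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query clientId -o tsv)
  principal_id=$(az identity show -g "$RESOURCE_GROUP" -n "$IDENTITY_NAME" --query principalId -o tsv)

  # Step 4: role assignment by object ID (no directory lookup needed). Narrow
  # the scope below the subscription if the agent can work with less.
  az role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role "$ROLE" --scope "/subscriptions/$subscription_id" >/dev/null

  # Step 5: federate the identity with the agent's service account.
  local subject
  subject=$(subject_for "$SA_NAMESPACE" "$SA_NAME")
  az identity federated-credential create -n "$FEDCRED_NAME" --identity-name "$IDENTITY_NAME" -g "$RESOURCE_GROUP" \
    --issuer "$issuer" --subject "$subject" --audiences "api://AzureADTokenExchange" >/dev/null

  # Verify what Azure stored is exactly the subject we intended.
  local stored
  stored=$(az identity federated-credential show -n "$FEDCRED_NAME" --identity-name "$IDENTITY_NAME" -g "$RESOURCE_GROUP" --query subject -o tsv)
  [ "$stored" = "$subject" ] || { echo "subject mismatch: '$stored' != '$subject'" >&2; return 1; }

  # Values needed for agent configuration.
  printf 'clientId=%s\ntenantId=%s\nsubscriptionId=%s\nserviceAccount=%s\n' \
    "$client_id" "$tenant_id" "$subscription_id" "$SA_NAME"
}

# Only talk to Azure when explicitly asked: ./setup-workload-identity.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The script stops at the first failed check because of set -e, so a cluster without the OIDC issuer or a mismatched subject is reported before any later step runs.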

Additional resources