We have discussed "Setting Up Azure Workload Identity for Containers in Azure Kubernetes Services" previously. We can use Azure CLI to interact with Azure resources from a container built on the base Docker image "mcr.microsoft.com/azure-cli:latest-amd64". Instead of embedding credentials (a client secret or certificate) in the Azure CLI script inside the container, we can use the workload identity to run az login in a container where workload identity is enabled. Let's look at how to do that in this post.
When workload identity is enabled, the following environment variables are injected into the container in AKS.
- AZURE_CLIENT_ID - user assigned managed identity used for the workload id
- AZURE_TENANT_ID - tenant id
- AZURE_FEDERATED_TOKEN_FILE - /var/run/secrets/azure/tokens/azure-identity-token
- AZURE_AUTHORITY_HOST - https://login.microsoftonline.com/
We can use AZURE_FEDERATED_TOKEN_FILE, AZURE_TENANT_ID and AZURE_CLIENT_ID to run the az login command inside the container as shown below. The federated token file is a projected service account token that is rotated by the kubelet, so it should be read from the file at login time rather than copied into a variable earlier in the script.
PowerShell
az login --federated-token "$(Get-Content $env:AZURE_FEDERATED_TOKEN_FILE)" `
--service-principal -u $env:AZURE_CLIENT_ID `
-t $env:AZURE_TENANT_ID;
Bash or Shell Script
az login --federated-token "$(cat $AZURE_FEDERATED_TOKEN_FILE)" \
--service-principal -u $AZURE_CLIENT_ID \
-t $AZURE_TENANT_ID
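The two login commands above assume the four variables are present and the token file is populated. The following POSIX shell helpers are an added example (not part of the original post and not Azure CLI or Microsoft code) that perform a fail-fast preflight before calling az login: every expected variable must be set, the projected token file must be readable and non-empty, and its contents must have the three-segment shape of a JWT. The helpers only assemble the same az login command shown in the post; the token value is never echoed, and validation of the token itself is left to Microsoft Entra ID when az login presents it. The function names (wi_check_env, wi_check_token_file, wi_login_cmd, wi_login) are my own.

```shell
#!/bin/sh
# Added example: preflight checks around `az login --federated-token` for a
# pod that uses Azure Workload Identity. Function names are hypothetical.

# Verify the four variables the workload identity webhook injects.
# Lists any that are missing on stderr and returns 1; returns 0 when all are set.
wi_check_env() {
  missing=""
  for v in AZURE_CLIENT_ID AZURE_TENANT_ID AZURE_FEDERATED_TOKEN_FILE AZURE_AUTHORITY_HOST; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || missing="$missing $v"
  done
  if [ -n "$missing" ]; then
    echo "missing workload identity environment:$missing" >&2
    return 1
  fi
  return 0
}

# Verify the projected token file: readable, non-empty, and shaped like a JWT
# (exactly three dot-separated segments). The token is not decoded or logged.
wi_check_token_file() {
  f="$1"
  [ -r "$f" ] || { echo "token file not readable: $f" >&2; return 1; }
  [ -s "$f" ] || { echo "token file is empty: $f" >&2; return 1; }
  tok=$(tr -d '\n' < "$f")
  case "$tok" in
    *.*.*.*) echo "token file has too many segments to be a JWT" >&2; return 1 ;;
    *.*.*) ;;
    *) echo "token file does not look like a JWT" >&2; return 1 ;;
  esac
  return 0
}

# Print the az login command from the post, with the token read by a command
# substitution at execution time so the token text never appears in this output.
wi_login_cmd() {
  printf 'az login --federated-token "$(cat %s)" --service-principal -u %s -t %s' \
    "$AZURE_FEDERATED_TOKEN_FILE" "$AZURE_CLIENT_ID" "$AZURE_TENANT_ID"
}

# Run the preflight and, only if it passes, execute the login.
wi_login() {
  wi_check_env || return 1
  wi_check_token_file "$AZURE_FEDERATED_TOKEN_FILE" || return 1
  eval "$(wi_login_cmd)"
}
```

Source the file in the container entrypoint and call wi_login before any other az command; a missing variable or an empty token file then produces a one-line reason on stderr instead of an authentication error from the CLI. The constructed values in the test below (placeholder GUIDs and a dummy three-segment token) stand in for what AKS actually projects.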