azure-docs
Ambiguous documentation for AKS workload identity and Key Vault access.
The example of working with workload identity to access a key vault assumes it uses policy-based authorization instead of RBAC. It does not clarify whether RBAC is compatible with workload identity or provide instructions on how to use it in such a scenario.
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 773aa5fa-a931-f6f1-f339-6367cef12209
- Version Independent ID: 48c7d57f-55a0-5894-5379-ef7d6ed1e24d
- Content: Deploy and configure an Azure Kubernetes Service (AKS) cluster with workload identity - Azure Kubernetes Service
- Content Source: articles/aks/workload-identity-deploy-cluster.md
- Service: azure-kubernetes-service
- GitHub Login: @MGoedtel
- Microsoft Alias: magoedte
@fabio-s-franco Thanks for your feedback! We will investigate and update as appropriate.
@fabio-s-franco Thank you for bringing this to our attention. I've delegated this to content author @MGoedtel, who will review it and offer their insightful opinions.
Hi @fabio-s-franco - I'll create a work item for us to address this gap in our documentation. As far as I know and understand, RBAC is compatible with a workload identity since it's an object that exists in Entra ID.
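Concretely, using Azure RBAC with a workload identity means assigning a Key Vault data-plane role to the user-assigned managed identity that the Kubernetes service account federates to, on a vault deployed with `enableRbacAuthorization` set. The Bicep below is an added example, not from the docs article or this thread; the vault and identity names, the service account name/namespace and the `aksOidcIssuer` parameter are assumptions you supply.

```bicep
// Added example (not from the article or the thread). Assumed inputs: the vault and
// identity names, the AKS OIDC issuer URL and the Kubernetes service account to federate.
param location string = resourceGroup().location
param kvName string
param identityName string
param aksOidcIssuer string // az aks show -g <rg> -n <cluster> --query oidcIssuerProfile.issuerUrl -o tsv
param saNamespace string = 'default'
param saName string = 'workload-identity-sa'

// The identity the pod's service account exchanges its projected token for.
resource uami 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = {
  name: identityName
  location: location
}

// Trust the cluster's OIDC issuer for exactly one service account subject.
resource fic 'Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials@2023-01-31' = {
  parent: uami
  name: 'aks-federated'
  properties: {
    issuer: aksOidcIssuer
    subject: 'system:serviceaccount:${saNamespace}:${saName}'
    audiences: ['api://AzureADTokenExchange']
  }
}

// RBAC authorization model: access policies are ignored, data-plane access comes only from role assignments.
resource kv 'Microsoft.KeyVault/vaults@2023-07-01' = {
  name: kvName
  location: location
  properties: {
    tenantId: subscription().tenantId
    sku: { family: 'A', name: 'standard' }
    enableRbacAuthorization: true
  }
}

// Built-in "Key Vault Secrets User": read secret contents only, nothing on keys, certificates or vault settings.
var keyVaultSecretsUser = subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')

resource secretsReader 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(kv.id, uami.id, keyVaultSecretsUser)
  scope: kv
  properties: {
    roleDefinitionId: keyVaultSecretsUser
    principalId: uami.properties.principalId
    principalType: 'ServicePrincipal' // avoids failures from directory replication lag on a freshly created identity
  }
}
```

The service account still needs the `azure.workload.identity/client-id` annotation with this identity's client ID and the pod the `azure.workload.identity/use: "true"` label; a request from an identity with no matching role assignment fails with 403, which is how you confirm the vault is enforcing RBAC rather than access policies.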
Thanks @MGoedtel and @ManoharLakkoju-MSFT, I can confirm that it is compatible.
I was having trouble authenticating with it via the CLI, discussed here: https://github.com/Azure/azure-cli/issues/24756#issuecomment-1994004297. My impression was that the CLI would automatically use the federated credentials, and I was not sure whether the problem was due to an incompatibility between RBAC and workload identity.
Hi @fabio-s-franco - I saw that and I've created that work item so we plan to update the Workload Identity content to include how to do this with Azure RBAC, and I've also engaged the AKS Security PMs for visibility and their engagement. #please-close