How to use Managed Identity to fetch credentials on AKS environment? - node.js

I have a node (nestjs) application deployed in AKS; the clusters were created using the kubenet network. The node application needs to access the SQL DB. We have configured managed identities, so it'll be a user-assigned managed identity.
To create the connection I'm using a token-based approach, where I get the credentials using the https://www.npmjs.com/package/@azure/identity package (using DefaultAzureCredential locally and ManagedIdentityCredential on the server), and with those credentials I get the token, which is then used to create the DB connection. Locally it worked fine, using DefaultAzureCredential and the az CLI with a user logged in.
But on AKS it throws an error saying no managed identity was found (when ManagedIdentityCredential is used). Why is that? Please help me get to a solution; it has become a huge blocker.

Have you checked if the AAD identity is created?
kubectl get azureidentity -n $POD_IDENTITY_NAMESPACE
kubectl get azureidentitybinding -n $POD_IDENTITY_NAMESPACE
If not, add it on the cluster. There should be pods in a namespace which control the traffic flow to Microsoft AAD, the Node Managed Identity (NMI); kubectl describe node reveals the pods on the node which intercept the calls.
Check out the docs

Related

Steps to connect using service principal to Azure PostgreSQL single server

How to connect securely from an AKS cluster to Azure PostgreSQL Single Server using a Service Principal, as Managed Identity is not supported.
From my point of view you have 2 options (maybe more, but let's focus on those 2):
Use Azure AD Workload Identity together with a federated identity credential linked to your Service Principal. Basically you configure trust between your AKS (OIDC issuer), the Kubernetes Service Account for your Pod and the Azure Service Principal to access resources with an Azure AD token. Here you have to adapt the code running inside your container to leverage the workload identity with the issued Azure AD access token.
Use the Azure Key Vault Provider for Secrets Store CSI Driver. You will configure the Kubelet Identity of your AKS to read the secrets from the Key Vault and mount the Service Principal Client ID & Client Secret (saved as Key Vault secrets) during Pod startup as a volume into your pod. Here you have to adapt the code running inside your container to read the information (Client ID & Secret) from the filesystem inside the pod. P.S.: You can also use Workload Identity, a System-assigned identity or a Service Principal instead of the managed identity to access the Key Vault.

Github action Azure login token is expired

I'm using the azure/login GitHub action in my workflow to log in to Azure, then set some secrets and deploy to an Azure Kubernetes cluster. Suddenly the GitHub action is failing with the error "token is expired".
The last thing I did before this error started showing up (not sure if this is related at all) was to execute the command az vmss identity assign -g on the VMSS of the cluster to assign a userAssignedIdentity.
I tried recreating the federated credential for the enterprise app connecting the GitHub actions/workflows to our AAD, but nothing changed. I even tried using client secret authentication, but that gave the same error as well.
Something was seriously messed up with the cluster. I had to delete it and recreate it, recreate the managed identity, grant it access to the cluster and create a federated credential to allow GitHub to deploy through it to the cluster.

Cannot login to Azure with system assigned managed identity ID

I am writing a script that logs in to Azure, but I don't want to use my password explicitly. Therefore I switched on a system-assigned managed identity:
And now in a shell script I do this:
az login --identity --username xxx
'xxx' is the Object (principal) ID on the screenshot.
When I execute the command, I get this (replaced the IP and ID with 'xxx'):
Failed to connect to MSI. Please make sure MSI is configured correctly and check the network connection.
Error detail: HTTPConnectionPool(host='XXX.XXX.XXX.XXX', port=XX): Max retries exceeded with url: /metadata/identity/oauth2/token?resource=https%3A%2F%2Fmanagement.core.windows.net%2F&api-version=2018-02-01&client_id=xxx (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x04B7DB08>:
Failed to establish a new connection: [WinError 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond'))
EDIT: it is fine, when I run this command in Cloud-Shell on Azure portal.
Why can't I login? Am I missing something?
A system-assigned managed identity cannot be used to log in. It is explicitly tied to the service you created it for, and is not meant for re-use.
System-assigned. Some Azure services allow you to enable a managed identity directly on a service instance. When you enable a system-assigned managed identity, an identity is created in Azure AD. The identity is tied to the lifecycle of that service instance. When the resource is deleted, Azure automatically deletes the identity for you. By design, only that Azure resource can use this identity to request tokens from Azure AD.
The most important part of that quote is the last sentence:
By design, only that Azure resource can use this identity to request tokens from Azure AD.
More information: What are managed identities for Azure resources?.
Also:
Can’t be shared.
It can only be associated with a single Azure resource.
EDIT:
Based on your question and the comment below you might be looking for a Service Principal. A managed identity, either system assigned or user assigned, is for use with an Azure resource.
Managed identities provide an identity for applications to use when connecting to resources that support Azure AD authentication.
An Azure service principal is an identity created for use with applications, hosted services, and automated tools to access Azure resources.
For more information on Service principals, see Create an Azure service principal with the Azure CLI.

Managed Identity fails when running WebApp from Azure VM

I have created an asp.net API that accesses Key Vault to get secrets.
When I run locally on my laptop, I use Managed Identity to access Key Vault with a dedicated Service Principal (with AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID set in my system environment variables).
This is working just fine.
Now I have created a VM in Azure to be used as a developer machine. All the tools are installed and configured like they are on my laptop.
But when I run the web API I get a 403 telling me the object ID #### does not have Get/List access to Key Vault.
I've checked and the object ID matches the one of the VM. Indeed the VM does not have this access to Key Vault; however, I'd expect the Web API to run with the configured AZURE_CLIENT_ID in my environment variables.
Am I missing something?
Ensure get/list operations are selected/enabled in the access policy created for your managed identity/service principal:

Azure Kubernetes Service- Get kubeconfig for non-admin AD app identity

As per my understanding, Azure Kubernetes Service (AKS) allows getting credentials for admin and user identities. Can the user identity be an AD app or a managed identity?
I'm writing .Net code. Can you provide a sample where we get the user credentials from the AKS cluster by using AD app credentials, assuming I have already done AD integration with my AKS cluster and have already assigned the appropriate role binding for my AD app?
The security section here - https://learn.microsoft.com/en-us/rest/api/aks/managedclusters/getaccessprofile - needs implicit flow. How does implicit flow work for AD app credentials?
You can use the Implicit grant flow to get an access token.
You'll need the Azure Kubernetes Service Cluster User built-in role to access an Azure AD-enabled cluster.
Get the user credentials to access the cluster:
az aks get-credentials --resource-group myResourceGroup --name MyManagedCluster
Or use the List Cluster User Credentials API:
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ContainerService/managedClusters/{resourceName}/listClusterUserCredential?api-version=2020-04-01
because the Get Access Profile API will be deprecated in the future.