I have an existing Azure Kubernetes Cluster and I'm having a look at Azure Container Apps to see if it could be a good move for me.
With AKS, I'm heavily using Managed Identity for management tasks and also using pod-identity to allow applications to connect to other azure resources without storing credentials.
I tried to find some related documentation for Azure Conter Apps but didn't find anything ? Is it something that is not documented, not supported at the moment ?
Since Container Apps went GA, it is now available: Managed identities in Azure Container Apps.
both system-assigned and user-assigned are available.
Related
Stuff in Azure are secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDK's. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece maybe.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.
I have an Asp.Net Core application that is configured to connect to Azure KeyVault using Visual Studio 2019 Connected Services:
https://learn.microsoft.com/en-us/azure/key-vault/general/vs-key-vault-add-connected-service
I containerized the application with Docker and deployed it into Kubernetes as a Pod.
The KeyVault connection is not working, probably because of the Managed Identity not set-up.
I tried:
Added the Kubernetes agent Managed Identity to the KeyVault Acccess policies like I would do with App Services or Container Services, but does not allow the connection.
Followed the docs here: https://learn.microsoft.com/en-us/azure/key-vault/general/key-vault-integrate-kubernetes
I wonder if the "Azure Key Vault provider for the Secrets Store CSI driver on Kubernetes" is the right way to use KeyVault from a pod, or if there is a simpler solution like a direct connection.
The solution, for whoever is in my situation, is to use AAD-Pod Identity
There is no need to attach a CSI Driver unless you need the Secrets in the Kubernetes configuration, want total control on custom configurations, or have the cluster outside Azure.
For Asp.Net Core applications deployed to AKS, the easiest way is to use Managed Identities, and to provide that to your Kubernetes Cluster you need AAD-Pod identity.
There is not a documentation page yet, but following the Get Started instructions on GitHub is enough to get it going.
I managed to get a secret from the Azure key vault in my pod, using Managed Identity. Just add the .identityProfile.kubeletidentity.clientId of the AKS cluster as a Key Vault policy to read the secrets. You must set this policy through the Azure Portal, because the "az keyvault set-policy" expects the --object-id to be a principalId i guess...
I am trying to use a managed identity from Azure in a non-Azure VM to access my Azure resources. Is this possible?
You can use managed identities with App Service too
In the below link you can see all azure resources supported managed identities.
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/services-support-managed-identities
I know with Azure Kubernetes service we can use managed identities to access azure resources like keyvaults. But i'm trying to learn if same procedure can be applied to a kubernetes cluster which is hosted on azure. My aim is to have kubernetes cluster in azure with 2 worker and 2 controller nodes but pods residing on those nodes should access azure keyvault with managed identity method similar to AKS. Is there anyway we can do it without coding in application?
I understand the scope of this question is big but it is really helpful if somebody provide any high level steps ?
thanks,
Santosh
That's totally possible. AAD Pod identities rely on AAD (Azure Active Directory) and its permissions.
At the end AKS will have an infrastructure behind the scenes. So if you plan to not use AKS but install a cluster by yourself, for example with AKS engine, you can use AAD Pod Identities / Managed Instances.
All you need is that those machines reside in "Azure" and rely on what is called Azure Instance Metadata Service (IMDS). Even you can enroll new machine instances coming outside from Azure with the project ARC. Anyway I cannot talk about it with Managed instances since I have not used it, anyway it should follow a similar pattern.
Here you have a good article that explains AAD Pod identities:
https://itnext.io/the-right-way-of-accessing-azure-services-from-inside-your-azure-kubernetes-cluster-14a335767680
I want to configure an ILB for my Azure Cloud Service, similar to discussed in this article https://azure.microsoft.com/en-us/documentation/articles/load-balancer-internal-getstarted/
- but using the .Net SDK instead of powershell. (Also I have some conceptual confusion about the article/powershell maybe people will be able to explain. For VM scenario you have to explicitly create the ILB, but it seems like for cloud service you do not - is it already created, or automatically created? Why are New-AzureVM commandlets being used in a cloud service context?)
Documentation has been updated
https://azure.microsoft.com/en-us/documentation/articles/load-balancer-get-started-ilb-classic-cloud/
Or are you looking for a C# sample?
You should probably not be using cloud services. These are being deprecated. Just use v2 - Azure Resource Manager (portal.azure.com) and create a load balancer instead of a cloud service. Regardless, in v1 (Azure Service Management), when you create a VM, you automatically get a cloud service if you don't have one already - which is why new-azurevm is being used in cloud service context.