Azure / azure-libraries-for-net

Azure libraries for .Net
MIT License

Using Managed Identity in container workloads #960

Open tomkerkhove opened 4 years ago

tomkerkhove commented 4 years ago

Query/Question: We are looking to add support for Managed Identity (MI), previously known as Managed Service Identity (MSI), to our application which is running in a Linux container.

As it will be hosted on Kubernetes, we'll use AAD Pod Identity.

However, it's not clear how we should approach this with the current version of the library.

FromMSI requires us to pass MSIResourceType via MSILoginInformation but it only allows us to specify App Service & Virtual Machines, same for FromSystemAssignedManagedServiceIdentity & FromUserAssigedManagedServiceIdentity.

Is there a way to implement this or is it not supported yet?

Why is this not a Bug or a feature Request? I'm merely looking into how to approach Managed Identity authentication.

yaohaizh commented 4 years ago

@tomkerkhove, thanks for reporting this issue. Currently, the fluent .NET SDK doesn't support the feature yet. And https://docs.microsoft.com/en-us/azure/aks/use-managed-identity is still in preview status.

tomkerkhove commented 4 years ago

Thanks for responding.

Is there any ETA to support this or are you waiting for AKS to make it GA?

Please note that AAD Pod Identity is a different feature that brings MI to a pod-level.

nickzhums commented 4 years ago

@tomkerkhove We will need to check with AKS and see what their plan is. Meanwhile, if this is blocking you, consider using the other tools in the documentation :)

tomkerkhove commented 4 years ago

I presume you are referring to https://github.com/Azure/azure-libraries-for-net/blob/master/AUTH.md#using-azurecredentials then?

Thanks for checking!

nickzhums commented 4 years ago

@tomkerkhove yes, also if it's convenient for you to use Azure CLI, the managed identities for AKS can be accessed via Azure CLI commands (https://docs.microsoft.com/en-us/azure/aks/use-managed-identity) as previously mentioned

chrisfraschetti commented 3 years ago

Any updates on this issue? It's a bit of a mess needing to mix and match both system-assigned identities and a service principal simply because the client library is behind.

tomkerkhove commented 3 years ago

Bump, any update on this?

ChenTanyi commented 3 years ago

@tomkerkhove Just want to clarify with you what you want is:

  1. Create AKS with an MSI Identity assigned.
  2. Use the MSI Identity inside AKS to connect with other services like ACR.
  3. Use the MSI Identity inside an AKS pod to manage Azure resources.

If it is 1, I think maybe you can use an ARM Template to reach the same effect.

```csharp
using System.IO;
using Microsoft.Azure.Management.ResourceManager.Fluent.Core;
using Microsoft.Azure.Management.ResourceManager.Fluent.Models;

// 'azure' is an authenticated IAzure client, see AUTH.md.
var region = Region.USEast;
var rg = "randomGroup";
var dnsPrefix = "randomDns123456";

// Create the user-assigned identity that the AKS cluster will use.
var identity = azure.Identities.Define("randomIdentity")
    .WithRegion(region)
    .WithNewResourceGroup(rg)
    .Create();

// Deploy the ARM template that creates the cluster with that identity.
// The escaped braces produce: {"identityId": {"value": "..."}, "dnsPrefix": {"value": "..."}}
// Note: Complete mode deletes resources in the group that are not in the template.
azure.Deployments.Define("lkjslkjd")
    .WithExistingResourceGroup(rg)
    .WithTemplate(File.ReadAllText("azuredeploy.txt"))
    .WithParameters($"{{\"identityId\": {{\"value\": \"{identity.Id}\"}}, \"dnsPrefix\": {{\"value\": \"{dnsPrefix}\"}}}}")
    .WithMode(DeploymentMode.Complete)
    .Create();
```

The azuredeploy.txt is attached, which would contain identity parts like: (image)

If it is 2 or 3, is there any other tool you have used to reach the same effect? If so, could you provide me those steps about it?

ChenTanyi commented 3 years ago

@tomkerkhove After my testing, since AKS uses VMSS as the backend, the auth type could be Virtual Machines. I've created a sample with both Java and .NET. You can see or try it. It would create an AKS cluster with a User Assigned Managed Identity and run a pod to do authentication with the identity. https://github.com/tanyi-test/azure-k8s-pod-with-identity

Because the API will be in the new version of the SDK, you could build the SDK on your own or just wait for our new SDK release (maybe 1.37.0).

Hopefully it could help you. Thanks.

tomkerkhove commented 3 years ago

I'm mainly looking for scenario 2) to connect to Azure APIs by using MSI & AAD Pod Identity.

I've used this with Service Bus and other SDKs but am looking to use it for querying Azure Monitor & Azure Resource Graph for http://promitor.io/.

> @tomkerkhove After my testing, since AKS uses VMSS as the backend, the auth type could be Virtual Machines. I've created a sample with both Java and .NET. You can see or try it. It would create an AKS cluster with a User Assigned Managed Identity and run a pod to do authentication with the identity. tanyi-test/azure-k8s-pod-with-identity

So if I use this today with Virtual Machines it could work?

> Because the API will be in the new version of the SDK, you could build the SDK on your own or just wait for our new SDK release (maybe 1.37.0).

Can you elaborate on what SDK you mean here, because there are a few? The Fluent API or the new one?

ChenTanyi commented 3 years ago

@tomkerkhove If you are looking for [2], that means you have already set up [1]. (But from what you said, I think you may want [3]? They are almost similar.)

Then, it doesn't depend on any new SDK; you could use the current SDK to do authentication. Just look at the document: https://docs.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity, or my sample for you already has AKS identity.

> So if I use this today with Virtual Machines it could work?

Yes, it works as long as your agent pool is VMSS. (I didn't check with others.) And I think trying it yourself is quicker than asking here.

> Can you elaborate on what SDK you mean here, because there are a few? The Fluent API or the new one?

You can see the above PR; it will update the Fluent SDK, but you need to use the raw API rather than the Fluent Interface for [1]. (All updates are for [1]; you may not need them.)
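The pod-side login that ChenTanyi's answer describes, as an added example that is neither the issue's nor the SDK's own code: the Fluent SDK authenticates with the `VirtualMachine` MSI resource type from inside an AAD Pod Identity pod, because the NMI component intercepts the pod's IMDS token requests. It assumes the user-assigned identity's client ID is injected through a constructed environment variable named `AZURE_IDENTITY_CLIENT_ID` and that the identity already holds an RBAC role on the subscription.

```csharp
using System;
using Microsoft.Azure.Management.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent;
using Microsoft.Azure.Management.ResourceManager.Fluent.Authentication;

public static class PodIdentityAuth
{
    // Builds an authenticated Fluent client from the identity bound to this pod.
    public static IAzure Login()
    {
        // AAD Pod Identity's NMI intercepts calls to the IMDS endpoint (169.254.169.254),
        // so the "Virtual Machines" MSI flow works even though the caller is a pod.
        var msi = new MSILoginInformation(MSIResourceType.VirtualMachine);

        // Constructed env var (assumption): pins the user-assigned identity to request.
        // NMI only issues a token if an AzureIdentityBinding matches this pod's label,
        // so a wrong or unbound client ID fails here rather than silently using another identity.
        var clientId = Environment.GetEnvironmentVariable("AZURE_IDENTITY_CLIENT_ID");
        if (!string.IsNullOrEmpty(clientId))
        {
            msi.UserAssignedIdentityClientId = clientId;
        }
        // With a system-assigned identity, leave UserAssignedIdentityClientId unset.

        var credentials = new AzureCredentialsFactory()
            .FromMSI(msi, AzureEnvironment.AzureGlobalCloud);

        return Azure.Configure()
            .Authenticate(credentials)
            .WithDefaultSubscription();
    }

    public static void Main()
    {
        var azure = Login();

        // Smoke test: list the resource groups the identity can read. An empty list or an
        // authorization error points at a missing RBAC assignment, not at the token flow.
        foreach (var rg in azure.ResourceGroups.List())
        {
            Console.WriteLine($"{rg.Name} ({rg.RegionName})");
        }
    }
}
```

Keep the identity's role assignment scoped to the resources the pod actually reads (for example Reader on a single resource group); the pod binding limits which identity a pod can obtain, not what that identity may do.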