Azure / kubelogin

A Kubernetes credential (exec) plugin implementing azure authentication
https://azure.github.io/kubelogin/
MIT License

Private App registration #471

Closed arodindev closed 3 months ago

arodindev commented 3 months ago

We want to authenticate to an Amazon EKS cluster using Azure Entra ID. For that we have created an Azure app that issues an ID token containing the Entra ID groups information of the user. For getting started we used this guide https://aws.amazon.com/blogs/containers/using-azure-active-directory-to-authenticate-to-amazon-eks/

This works fine when the "Allow public client flow" is enabled. However, due to internal security regulations we are forced to set the app to private. There is a community version of kubelogin that allows providing a --oidc-client-secret flag. Do we have something similar with the Azure kubelogin, and can someone guide me on how to set this up?

Thanks!

weinong commented 3 months ago

I think https://azure.github.io/kubelogin/topics/k8s-oidc-aad.html should work for you

arodindev commented 3 months ago

This config indeed worked for me

kubectl config set-credentials "azure-user" \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubelogin \
  --exec-arg=get-token \
  --exec-arg=--environment \
  --exec-arg=AzurePublicCloud \
  --exec-arg=--server-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--client-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--tenant-id \
  --exec-arg=$AAD_TENANT_ID \
  --exec-arg=--login \
  --exec-arg=interactive

thank you @weinong
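Everything passed via --exec-arg ends up in the kubeconfig file in clear text, so it is worth checking what a user entry actually contains before sharing a kubeconfig. The Python below is an added example, not code from the kubelogin project or from this thread: it builds the user entry that the kubectl command above produces and audits an entry for missing ids, unexpanded shell variables (a quoted $AAD_CLIENT_ID that never got expanded) and any flag whose name looks like credential material. The GUIDs and the "secret/password" flag-name heuristic are assumptions.

```python
"""Build and audit a kubeconfig 'user' entry for the kubelogin exec plugin (added example)."""

REQUIRED_FLAGS = ("server-id", "client-id", "tenant-id")
SECRET_MARKERS = ("secret", "password")  # heuristic: flag names that carry credentials


def kubelogin_exec_user(name, server_id, client_id, tenant_id,
                        login="interactive", environment="AzurePublicCloud"):
    """Return the kubeconfig user entry equivalent to the kubectl set-credentials command."""
    args = ["get-token", "--environment", environment, "--server-id", server_id,
            "--client-id", client_id, "--tenant-id", tenant_id, "--login", login]
    return {"name": name, "user": {"exec": {
        "apiVersion": "client.authentication.k8s.io/v1beta1",
        "command": "kubelogin", "args": args}}}


def parse_exec_args(args):
    """Split exec args into (subcommand, {flag: value}); accepts '--k v' and '--k=v'."""
    subcommand = args[0] if args and not args[0].startswith("--") else None
    flags, i = {}, 1 if subcommand else 0
    while i < len(args):
        key, sep, val = args[i][2:].partition("=")
        if sep:                                   # --key=value
            flags[key], i = val, i + 1
        elif i + 1 < len(args) and not args[i + 1].startswith("--"):
            flags[key], i = args[i + 1], i + 2    # --key value
        else:
            flags[key], i = "true", i + 1         # bare boolean flag
    return subcommand, flags


def audit_exec_user(entry):
    """Return a list of findings for one kubeconfig user entry; [] means it looks sane."""
    exec_cfg = entry.get("user", {}).get("exec")
    if not exec_cfg:
        return ["no exec plugin configured"]
    findings = []
    if exec_cfg.get("command") != "kubelogin":
        findings.append(f"unexpected exec command {exec_cfg.get('command')!r}")
    subcommand, flags = parse_exec_args(exec_cfg.get("args", []))
    if subcommand != "get-token":
        findings.append(f"unexpected subcommand {subcommand!r}")
    for key in REQUIRED_FLAGS:
        if not flags.get(key):                    # empty string or missing
            findings.append(f"missing --{key}")
    for key, val in flags.items():
        if any(marker in key.lower() for marker in SECRET_MARKERS):
            findings.append(f"credential material in kubeconfig via --{key}")
        if val.startswith("$"):
            findings.append(f"--{key} holds unexpanded shell variable {val}")
    return findings
```

Run audit_exec_user over every entry under users: in a kubeconfig loaded with a YAML parser; an empty list for the entry built by kubelogin_exec_user is the expected result.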