rdvansloten / cert-manager-key-vault-sync

Kubernetes app that syncs cert-manager Secrets to Azure Key Vault.
MIT License

Question about MANAGED IDENTITY CLIENT ID #6

Open mauriciocirelli opened 3 days ago

mauriciocirelli commented 3 days ago

Hi!

When we use a federated Service Account with the permissions to access the Key Vault, why do we need to set the managed_identity_client_id?

credential = DefaultAzureCredential(managed_identity_client_id=managed_identity_client_id, exclude_interactive_browser_credential=False, additionally_allowed_tenants="*")

When AKS runs the pod with a federated service account associated to it, it automatically uses Pod Workload Identity.

I think that

credential = DefaultAzureCredential(exclude_interactive_browser_credential=False, additionally_allowed_tenants="*")

Should be enough. Or am I missing something?

rdvansloten commented 3 days ago

You could be right, I inherited this over from my time developing for Azure Functions, where this is required. It might default to WorkloadIdentity as suggested here: https://learn.microsoft.com/en-us/dotnet/api/azure.identity.workloadidentitycredential?view=azure-dotnet

Although this is only an issue if you're deconstructing the Helm chart, for out-of-the-box usage this shouldn't affect anything, since it takes the Managed Identity from the values.yaml file, where it needs to be for Workload Identity to work at all.

I will do some testing this week without forcing the identity.

mauriciocirelli commented 3 days ago

Hi,

since it takes the Managed Identity from the values.yaml file, where it needs to be for Workload Identity to work at all.

I think this is the point. When assigning a federated service account to a pod, you should not set the Managed Identity env vars in your YAML, as they are already set by the AKS Azure AD Workload Identity webhook.

See this for reference.

Please, let me know if you can confirm this in your tests.

Thank you for your time and effort on this.
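As an added illustration of the point under discussion (example code written for this thread, not part of the cert-manager-key-vault-sync project): a small in-pod check that reports whether the AKS Azure AD Workload Identity webhook has injected the environment the credential relies on (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE), inspects the projected token's audience and expiry, and flags an explicitly passed managed_identity_client_id as either redundant (same value as the injected one) or contradictory (different value). The function names, the sample environment and the sample token are constructed for the example; the expected audience `api://AzureADTokenExchange` and the default token path are the values Workload Identity uses.

```python
import base64
import json
import os
import time
from typing import Optional

# Environment variables the AKS Azure AD Workload Identity webhook injects into a pod
# whose service account carries the azure.workload.identity/use label; azure-identity's
# WorkloadIdentityCredential (used by DefaultAzureCredential) reads these.
WORKLOAD_IDENTITY_VARS = ("AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE")
# Audience Entra ID expects on the projected service account token.
EXPECTED_AUDIENCE = "api://AzureADTokenExchange"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: this is local inspection;
    Entra ID validates the token against the cluster's OIDC issuer, not this code."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def inspect_workload_identity(env: dict, token: Optional[str],
                              explicit_client_id: Optional[str] = None,
                              now: Optional[float] = None) -> dict:
    """Hypothetical check: does the pod have what WorkloadIdentityCredential needs, and is an
    explicit managed_identity_client_id redundant or in conflict with the injected one?"""
    now = time.time() if now is None else now
    missing = [v for v in WORKLOAD_IDENTITY_VARS if not env.get(v)]
    result = {"injected": not missing, "missing": missing, "problems": [], "client_id_advice": None}
    if missing:
        result["problems"].append("webhook did not inject workload identity env vars; check the "
                                  "azure.workload.identity/use label on the pod or service account")
        return result

    if token is None:
        result["problems"].append(f"token file {env['AZURE_FEDERATED_TOKEN_FILE']} is unreadable")
    else:
        try:
            claims = decode_jwt_claims(token)
        except ValueError as exc:
            result["problems"].append(f"federated token is malformed: {exc}")
        else:
            aud = claims.get("aud")
            auds = aud if isinstance(aud, list) else [aud]
            if EXPECTED_AUDIENCE not in auds:
                result["problems"].append(f"token audience {auds} is not {EXPECTED_AUDIENCE}")
            if claims.get("exp", 0) <= now:
                result["problems"].append("federated token is expired (kubelet should rotate it)")
            # iss/sub must match the federated credential configured on the managed identity
            result["issuer"] = claims.get("iss")
            result["subject"] = claims.get("sub")

    injected_id = env["AZURE_CLIENT_ID"]
    if explicit_client_id is None:
        result["client_id_advice"] = f"none needed: AZURE_CLIENT_ID={injected_id} is already injected"
    elif explicit_client_id == injected_id:
        result["client_id_advice"] = "explicit managed_identity_client_id duplicates AZURE_CLIENT_ID; it can be dropped"
    else:
        result["problems"].append(f"managed_identity_client_id {explicit_client_id} differs from injected "
                                  f"AZURE_CLIENT_ID {injected_id}; the credential may pick an identity the "
                                  "federated token was never issued for")
    return result


def inspect_from_process_env(explicit_client_id: Optional[str] = None) -> dict:
    """Convenience wrapper for running inside the pod: reads the real env and token file."""
    env = dict(os.environ)
    token = None
    path = env.get("AZURE_FEDERATED_TOKEN_FILE")
    if path and os.path.exists(path):
        with open(path, encoding="utf-8") as fh:
            token = fh.read()
    return inspect_workload_identity(env, token, explicit_client_id)


# ---- Constructed sample input (not a real token, identity or tenant) ----
def _make_sample_token(claims: dict) -> str:
    header = base64.urlsafe_b64encode(json.dumps({"alg": "RS256"}).encode()).rstrip(b"=").decode()
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{header}.{body}.signature-omitted"


SAMPLE_ENV = {
    "AZURE_CLIENT_ID": "00000000-0000-0000-0000-000000000001",
    "AZURE_TENANT_ID": "00000000-0000-0000-0000-0000000000aa",
    "AZURE_FEDERATED_TOKEN_FILE": "/var/run/secrets/azure/tokens/azure-identity-token",
}
SAMPLE_TOKEN = _make_sample_token({
    "iss": "https://oidc.example.invalid/cluster",
    "sub": "system:serviceaccount:example-ns:example-sa",
    "aud": EXPECTED_AUDIENCE,
    "exp": 2_000_000_000,
})

if __name__ == "__main__":
    print(json.dumps(inspect_workload_identity(SAMPLE_ENV, SAMPLE_TOKEN, now=1_700_000_000), indent=2))
```

Running `inspect_from_process_env("<client id from values.yaml>")` inside the pod shows whether the Helm value and the webhook-injected AZURE_CLIENT_ID agree; a mismatch is the case worth catching, since the token projected by the kubelet is only exchangeable for the identity whose federated credential matches the token's issuer and subject.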