
@jeromebaude
Last active November 10, 2025 15:36
This gist guides you on how to use AKS Workload Identity to access Azure Key Vault

AKS Workload Identity for my pods to access Azure Key Vault

At the cluster level (tasks managed by the AKS SRE team):

Enable OIDC and Workload Identity on AKS

az aks update --resource-group <RESOURCE_GROUP> --name <CLUSTER_NAME> --enable-oidc-issuer --enable-workload-identity

export AKS_OIDC_ISSUER="$(az aks show --name <CLUSTER_NAME> --resource-group <RESOURCE_GROUP> --query oidcIssuerProfile.issuerUrl --output tsv)"
echo $AKS_OIDC_ISSUER

Create an Azure user-assigned managed identity

az identity create -g <RESOURCE_GROUP> -n <USER_ASSIGNED_IDENTITY_NAME>

Federate Managed Identity with the Kubernetes Service Account

az identity federated-credential create \
  --name <FEDERATED_CREDENTIAL_NAME> \
  --identity-name <USER_ASSIGNED_IDENTITY_NAME> \
  --resource-group <RESOURCE_GROUP> \
  --issuer "$AKS_OIDC_ISSUER" \
  --subject system:serviceaccount:<YOUR_NAMESPACE>:workload-identity-sa \
  --audiences "api://AzureADTokenExchange"

Deploy Azure Key Vault

az keyvault create --name "<KEYVAULT_NAME>" --resource-group "<RESOURCE_GROUP>" --location "EastUS"

Grant the account that will create the secret access to the Key Vault (e.g. the Key Vault Administrator role)

Create my Azure Key Vault secret

az keyvault secret set --vault-name "<KEYVAULT_NAME>" --name "SampleSecret" --value "MyS3cr3tValue!"

Assign Key Vault Permissions to the Azure User Managed Identity

az role assignment create \
  --role "Key Vault Secrets User" \
  --assignee <managed-identity-ObjectId-or-clientId> \
  --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group>/providers/Microsoft.KeyVault/vaults/<key-vault-name>

At the Workload level (tasks managed by Application teams)

Create a service account and annotate it with the managed identity’s client ID

apiVersion: v1
kind: ServiceAccount
metadata:
  name: workload-identity-sa
  namespace: <YOUR_NAMESPACE>
  annotations:
    azure.workload.identity/client-id: "<MANAGED_IDENTITY_CLIENT_ID>"

Deploy a Pod using the Service Account and the Azure Key Vault Secret

apiVersion: v1
kind: Pod
metadata:
  name: sample-workload-identity-key-vault
  namespace: <YOUR_NAMESPACE>
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: workload-identity-sa
  containers:
    - name: oidc
      image: ghcr.io/azure/azure-workload-identity/msal-go
      env:
        - name: KEYVAULT_URL
          value: "https://<KEYVAULT_NAME>.vault.azure.net/"
        - name: SECRET_NAME
          value: "<YOUR_SECRET_NAME>"

(Optional) Use the Secrets Store CSI Driver to mount secrets

Verify the Pod Can Access the Secret

kubectl describe pod sample-workload-identity-key-vault | grep "SECRET_NAME:"
kubectl logs sample-workload-identity-key-vault

You may also want to check the env variables

kubectl exec -it <POD_NAME> -- sh
env | grep AZURE
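The variables that grep shows (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_AUTHORITY_HOST, AZURE_FEDERATED_TOKEN_FILE) are what the pod's MSAL client uses to exchange the projected service-account token for an Entra ID token. The following is an added offline check, not part of this gist: it decodes the projected token (without verifying its signature) and compares its iss/sub/aud claims with the values given to `az identity federated-credential create`, which is where most "workload identity doesn't work" problems sit, and shows the exact token-exchange request body. The sample token and issuer URL are constructed placeholders.

```python
import base64
import json

EXPECTED_AUDIENCE = "api://AzureADTokenExchange"
KEY_VAULT_SCOPE = "https://vault.azure.net/.default"
ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature (inspection
    only; Entra ID verifies it against the cluster's OIDC issuer on exchange)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(padded))

def check_federation(claims: dict, issuer: str, namespace: str, sa_name: str) -> list:
    """Compare the projected token's iss/sub/aud with the values given to
    `az identity federated-credential create`. Empty list = they line up."""
    problems = []
    subject = f"system:serviceaccount:{namespace}:{sa_name}"
    if claims.get("iss") != issuer:
        problems.append(f"iss {claims.get('iss')!r} != --issuer {issuer!r}")
    if claims.get("sub") != subject:
        problems.append(f"sub {claims.get('sub')!r} != --subject {subject!r}")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append(f"aud {aud!r} lacks --audiences {EXPECTED_AUDIENCE!r}")
    return problems

def token_exchange_request(client_id: str, tenant_id: str, authority_host: str, assertion: str):
    """Build the client-credentials request the pod's MSAL client sends to swap
    the projected token for an Entra ID access token scoped to Key Vault."""
    url = f"{authority_host.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    return url, {"grant_type": "client_credentials", "client_id": client_id,
                 "scope": KEY_VAULT_SCOPE, "client_assertion_type": ASSERTION_TYPE,
                 "client_assertion": assertion}

# Constructed, unsigned sample token for an offline demo; in a pod the real one
# is mounted at $AZURE_FEDERATED_TOKEN_FILE and signed by the cluster.
SAMPLE_ISSUER = "https://<region>.oic.prod-aks.azure.com/<tenant-id>/<cluster-id>/"
SAMPLE_TOKEN = ".".join([
    _b64url(b'{"alg":"RS256","kid":"constructed"}'),
    _b64url(json.dumps({"iss": SAMPLE_ISSUER, "aud": [EXPECTED_AUDIENCE],
                        "sub": "system:serviceaccount:demo:workload-identity-sa"}).encode()),
    "signature-placeholder"])
```

Inside a pod, feed `open(os.environ["AZURE_FEDERATED_TOKEN_FILE"]).read()` to `decode_jwt_claims` and pass `$AKS_OIDC_ISSUER` plus the namespace and service account name to `check_federation`; any non-empty result means the federated credential's --issuer, --subject or --audiences does not match what the cluster is issuing.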