Workload Identity federation support for managed identity #325
Comments
Any idea when and how this lands in this product? Even if this would be only for Azure for now. We are working on tight integration with AKS workload identity, and our current stack works with pod-identity, but we would like to move to the new concept; however, usage of service principal accounts is not an option for us.
@mjudeikis Thanks for reaching out! We're currently working with the AAD team to support workload identity federation for managed identity. At this time we don't have a concrete timeframe but we're hopeful it'll be available in the coming months. cc @udayxhegde
Just want to give some traction on this issue, this would be a game changer to manage access to Managed Identities securely! ❤️
Hello, as we Enter Copper and planning for the next semester is due, is there a roadmap ETA on supporting managed identities?
@aramase any updates on this one?
We're currently doing a private preview on AKS. @udayxhegde @karavar Are there any public preview timelines that we can share on the issue here?
As we're in private preview, the timelines are dependent on the feedback we get during private preview. But we're hoping we'd get it out in the second half of the calendar year.
@karavar I'm looking to add support for self-managed k8s clusters in CAPZ (kubernetes-sigs/cluster-api-provider-azure#2205), not for AKS usage. So I think this would require at least public preview for us to integrate it. Please keep us posted when you have a better idea of the public preview timeline.
Just to echo what @CecileRobertMichon said, a public preview would be very helpful. We also wish to use managed identities, but not with AKS clusters. Most of our clusters will be hosted outside of Azure (AWS currently, likely AWS+GCP in the future). Will managed identity support only work on clusters using Azure-hosted VMs? As managed identities are currently implemented, it seems like that will be the case.
From my understanding that should work just the same, so long as your MI in Azure is set up with a federated claim. The service account in k8s (wherever it's hosted) would do a token/credential exchange using that token, thus authenticating as the MI with respect to Azure resources, no matter where the request is actually originating. NB: I'm in private preview and it was presented as a way to integrate not only AKS but on-prem/other cloud solutions with Azure identities. One example was GitHub Actions being able to auth as an MI.
@pinkfloydx33 - thanks for the response! This part was news to me.
I thought that it was only possible to have federation like that with application identities, not user-assigned managed identities. If that's the case, this will be very useful.
User-assigned identities are what is currently in private preview. There is a link to sign up for the preview a few comments up in this thread. That's how I got in. They are looking for "unusual" test cases... I can't speak for them, but if I had to guess I'm sure they'd love to try out scenarios such as yours before going to public preview. Note: I may be wrong on your specific case, so please don't take my words as gospel.
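As an added example (not code from the azure-workload-identity project or from anyone in this thread), the Python below shows what the exchange @pinkfloydx33 describes looks like from the pod's side, and why, as later noted in the thread for kind clusters, the managed identity never has to be attached to the compute resource: trust rests on the federated credential's issuer/subject/audience triple matching the projected service account token. Assumptions: the sample token, its issuer URL and the namespace/service-account names are constructed for illustration; the `system:serviceaccount:<ns>:<sa>` subject format, the `api://AzureADTokenExchange` audience, the `AZURE_CLIENT_ID`/`AZURE_TENANT_ID`/`AZURE_AUTHORITY_HOST`/`AZURE_FEDERATED_TOKEN_FILE` variables and the `client_assertion` form of the client-credentials grant are as documented for Azure Workload Identity and Azure AD, but the helper names here are my own.

```python
"""Inspect a projected service account token and build the Azure AD token
exchange request that Azure Workload Identity performs with it (added example)."""
import base64
import json
from urllib.parse import urlencode

# Audience Azure AD expects on a token presented to a federated credential.
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
DEFAULT_AUTHORITY_HOST = "https://login.microsoftonline.com"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def make_sample_token(claims: dict) -> str:
    """Build a CONSTRUCTED JWT for illustration only. The signature segment is a
    placeholder; a real projected token is signed by the cluster's service
    account key and Azure AD verifies it against the issuer's JWKS."""
    header = {"alg": "RS256", "kid": "constructed-kid"}
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(claims).encode()),
        _b64url_encode(b"placeholder-signature"),
    ])


def peek_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT signature verification. Use only to see
    what a pod is about to present; Azure AD, not the workload, is the
    verifier in this flow, so never make trust decisions on this output."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def expected_subject(namespace: str, service_account: str) -> str:
    """Subject Azure AD compares against the federated credential's 'subject'."""
    return f"system:serviceaccount:{namespace}:{service_account}"


def federated_credential_mismatches(token: str, issuer: str,
                                    namespace: str, service_account: str) -> list:
    """Compare the projected token's iss/sub/aud with the federated credential
    configured on the managed identity. Empty list: the exchange can succeed.
    Each entry names a claim that will make Azure AD reject the assertion."""
    claims = peek_claims(token)
    problems = []
    if claims.get("iss") != issuer:
        problems.append(f"iss: token has {claims.get('iss')!r}, credential expects {issuer!r}")
    want_sub = expected_subject(namespace, service_account)
    if claims.get("sub") != want_sub:
        problems.append(f"sub: token has {claims.get('sub')!r}, credential expects {want_sub!r}")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # 'aud' may be a string or a list
    if TOKEN_EXCHANGE_AUDIENCE not in aud:
        problems.append(f"aud: token has {aud!r}, credential expects {TOKEN_EXCHANGE_AUDIENCE!r}")
    return problems


def build_token_request(client_id: str, tenant_id: str, assertion: str, scope: str,
                        authority_host: str = DEFAULT_AUTHORITY_HOST):
    """URL and form body for the client_credentials grant that swaps the
    projected token (as client_assertion, RFC 7523) for an access token."""
    url = f"{authority_host.rstrip('/')}/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "scope": scope,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    })
    return url, body


def request_from_pod_env(env: dict, scope: str):
    """Assemble the request from the variables the Azure Workload Identity
    webhook injects into the pod ('env' is a mapping so it can be os.environ)."""
    with open(env["AZURE_FEDERATED_TOKEN_FILE"]) as fh:
        assertion = fh.read().strip()
    return build_token_request(env["AZURE_CLIENT_ID"], env["AZURE_TENANT_ID"], assertion,
                               scope, env.get("AZURE_AUTHORITY_HOST", DEFAULT_AUTHORITY_HOST))


if __name__ == "__main__":
    # Constructed sample: issuer URL and names are placeholders, not real values.
    sample = make_sample_token({"iss": "https://oidc.example.invalid/cluster-1",
                                "sub": expected_subject("demo", "workload-sa"),
                                "aud": [TOKEN_EXCHANGE_AUDIENCE]})
    print(federated_credential_mismatches(sample, "https://oidc.example.invalid/cluster-1",
                                          "demo", "workload-sa"))  # [] when the triple matches
    print(build_token_request("<client-id-placeholder>", "<tenant-id-placeholder>",
                              sample, "https://management.azure.com/.default")[0])
```

The mismatch check is the part worth keeping around when a pod gets `AADSTS` errors on exchange: a wrong namespace or service account name, an issuer URL that differs from the one registered on the federated credential, or a token projected with the wrong audience are all visible in the unsigned claims before any request leaves the cluster.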
@aramase is there an update on support for managed identities? Any timelines?
@cbrooksmsft Any public preview timelines that you can share with the folks on this issue? cc @miwithro
We have a dependency on workload identity to support managed identity for the add-on scaling feature in AKS. May I know when this will be available?
9/30
Is that what was required? https://learn.microsoft.com/en-us/azure/active-directory/develop/workload-identity-federation
Yeah, managed identity is now supported with workload identity. You should be able to use it with the current release too, as the SDK and webhook work the same way for Azure AD Apps (support for which has been available since last year) and managed identities. I'll keep this issue open until we finish updating our docs in this repo.
Just to make sure I understand: workload identity works with managed identities, even the one released on 8/31. It's just a documentation problem now?
Managed identity support for workload identity federation is now available. AKS docs for ref: https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview We have updated the docs in this repo to remove the limitation and update the quick start tutorial. Closing this issue now.
Documentation for migration from
Please let us know if you have any feedback as you try managed identities with workload identity.
@aramase is it currently possible to use managed identity federation with AAD pod identity, or does federation require migration to Azure Workload Identity? Specific scenario I'm asking about: kind cluster running AAD pod identity that only supports using a service principal currently.
@CecileRobertMichon federation will only work with Azure Workload Identity. In the case of AAD Pod Identity, the managed identity needs to be assigned to the underlying VM/VMSS; however, with workload identity, the managed identity doesn't need to be assigned to the compute resource. This means you can use managed identity/Azure AD Apps with the kind cluster along with Azure Workload Identity.
xref: https://azure.github.io/azure-workload-identity/docs/faq.html#why-is-managed-identity-not-supported-by-azure-workload-identity
This issue is to track the Azure AD workload identity federation support for managed identity