Authenticating the agent on Azure AKS
If your agent runs on an Azure AKS cluster, you can leverage the following method to assign an Azure AD identity to your env0 deployments.
Using workload identity
You can associate an IAM role with a Kubernetes Service Account (KSA). The KSA that will be used by env0 is the default
KSA under the env0-agent
namespace.
You'll need to follow the Azure guide - Deploy and configure workload identity on an Azure Kubernetes Service (AKS) cluster . The SERVICE_ACCOUNT_NAMESPACE
will be env0-agent
and the SERVICE_ACCOUNT_NAME
will be default
.
If you override these parameters in your installation, please make sure to use the correct values, i.e. pass the correct name of the service account to deploymentJobServiceAccountName
within the agent's helm values.
Now, in order for the pods to use the identity, they should be labeled with azure.workload.identity/use: "true"
. To achieve this, you need to add into the podAdditionalLabels
field of your agent's helm values those field and value.
e.g.
"podAdditionalLabels":
"azure.workload.identity/use": "\"true\""
Configuring Terraform Provider to use an AKS workload identity
Follow this official azurerm provider guide - terraform registry documentation .
Configuring Azure Backend to use an AKS workload identity
When configuring the Azure Backend, you need to make sure that the Client ID, Tenant ID, and OIDC are configured. You have to make sure to have the backend is configured as using OIDC, and with the OIDC token taken from the AZURE_FEDERATED_TOKEN_FILE
The are a couple of ways to do that:
- In the backend configuration itself, make sure to set the following values:
terraform {
backend "azurerm" {
resource_group_name = "StorageAccount-ResourceGroup" # Can be passed via `-backend-config=`"resource_group_name=<resource group name>"` in the `init` command.
storage_account_name = "abcd1234" # Can be passed via `-backend-config=`"storage_account_name=<storage account name>"` in the `init` command.
container_name = "tfstate" # Can be passed via `-backend-config=`"container_name=<container name>"` in the `init` command.
key = "prod.terraform.tfstate" # Can be passed via `-backend-config=`"key=<blob key name>"` in the `init` command.
use_oidc = true # Can also be set via `ARM_USE_OIDC` environment variable.
oidc_token_file_path = "/var/run/secrets/azure/tokens/azure-identity-token" # Should be set to the value of AZURE_FEDERATED_TOKEN_FILE, usually "/var/run/secrets/azure/tokens/azure-identity-token"
client_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_CLIENT_ID` environment variable.
subscription_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_SUBSCRIPTION_ID` environment variable.
tenant_id = "00000000-0000-0000-0000-000000000000" # Can also be set via `ARM_TENANT_ID` environment variable.
}
}
- Use environment variables to set
ARM_CLIENT_ID
to the client ID,ARM_TENANT_ID
to the tenant ID,ARM_USE_OIDC
to true, andARM_OIDC_TOKEN_FILE_PATH
to the value ofAZURE_FEDERATED_TOKEN_FILE
(usually "/var/run/secrets/azure/tokens/azure-identity-token")
Follow the official azure backend guide - azure backend documentation
You must set oidc_token_file_path
The official guide does not mention it, but if you do not provide the OIDC token explicitly, then the backend will ignore the
use_oidc
configuration. Unlike the azurerm Terraform Provider, which automatically picks up the token fromAZURE_FEDERATED_TOKEN_FILE
Access Key Vault secrets
If accessing sensitive values stored in Azure Key Vault is required during your deployments, you should also accomplish this optional step from the AKS guide - Grant permissions to access Azure Key Vault
Verifying the cluster is configured properly
Once the cluster is configured for using the workload identity, you can run this command from a pod on it to validate all the correct parameters are exported correctly: az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $(cat $AZURE_FEDERATED_TOKEN_FILE)
.
The pod will need the correct labels for the namespace, service account, and azure.workload.identity/use: "true"
.
If the command ran without error, you may also check the Key Vault access with the following command az keyvault secret list --vault-name <YOUR VALUT NAME>
Updated 2 months ago