If your agent runs on an Azure AKS cluster, you can leverage the following method to assign an Azure AD identity to your env0 deployments.
You can associate an IAM role with a Kubernetes Service Account (KSA). The KSA that will be used by env0 is the default KSA under the
You'll need to follow the Azure guide - Deploy and configure workload identity on an Azure Kubernetes Service (AKS) cluster. The SERVICE_ACCOUNT_NAMESPACE will be env0-agent and the SERVICE_ACCOUNT_NAME will be
If you override these parameters in your installation, make sure to use the correct values, i.e. pass the correct name of the service account to deploymentJobServiceAccountName within the agent's helm values.
Now, in order for the pods to use the identity, they must be labeled with azure.workload.identity/use: "true". To achieve this, add this label key and value to the podAdditionalLabels field of your agent's helm values.
Follow this official azurerm provider guide - terraform registry documentation.
If accessing sensitive values stored in Azure Key Vault is required during your deployments, you should also complete this optional step from the AKS guide - Grant permissions to access Azure Key Vault.
Once the cluster is configured to use the workload identity, you can run this command from a pod on it to validate that all the required parameters are exported correctly:
az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $(cat $AZURE_FEDERATED_TOKEN_FILE)
The pod will need the correct labels for the namespace, service account, and
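The same validation as a script, added here as an example and not env0's own code: it checks that the variables the AKS workload identity webhook injects (AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE) are present, decodes the projected token and confirms its subject is the service account you federated, and only then runs the az login from the docs. The subject format system:serviceaccount:<namespace>:<name> and the SERVICE_ACCOUNT_NAMESPACE / SERVICE_ACCOUNT_NAME variables are assumptions taken from the Azure guide's conventions.

```shell
#!/bin/sh
# Added diagnostic (not env0's code): verify the workload-identity environment
# inside the pod before attempting `az login`.

# Decode one base64url JWT segment: restore padding, swap the URL alphabet.
b64url_decode() {
  seg=$1
  pad=$(( (4 - ${#seg} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do seg="${seg}="; pad=$((pad - 1)); done
  printf '%s' "$seg" | tr '_-' '/+' | base64 -d 2>/dev/null
}

# Print the claims (second segment) of the JWT passed as $1.
jwt_payload() {
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

# Extract the "sub" claim from a JSON claims string on stdin.
jwt_sub() {
  sed -n 's/.*"sub"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Return 0 when the three injected variables are usable and the token subject is
# system:serviceaccount:<namespace>:<service account> (assumed format); otherwise
# print what is wrong and return 1.
check_workload_identity() {
  ns=$1; sa=$2; ok=0
  [ -n "$AZURE_CLIENT_ID" ] || { echo "AZURE_CLIENT_ID is not set"; ok=1; }
  [ -n "$AZURE_TENANT_ID" ] || { echo "AZURE_TENANT_ID is not set"; ok=1; }
  if [ ! -s "$AZURE_FEDERATED_TOKEN_FILE" ]; then
    echo 'AZURE_FEDERATED_TOKEN_FILE missing or empty: is the pod labelled azure.workload.identity/use="true"?'
    return 1
  fi
  expected="system:serviceaccount:${ns}:${sa}"
  sub=$(jwt_payload "$(cat "$AZURE_FEDERATED_TOKEN_FILE")" | jwt_sub)
  [ "$sub" = "$expected" ] || { echo "token subject is '$sub', expected '$expected'"; ok=1; }
  return $ok
}

# Run from a pod as `sh check.sh --login`; SERVICE_ACCOUNT_NAME must be set to
# the service account name you federated (assumed variable name).
if [ "${1:-}" = "--login" ]; then
  check_workload_identity "${SERVICE_ACCOUNT_NAMESPACE:-env0-agent}" "${SERVICE_ACCOUNT_NAME:?set SERVICE_ACCOUNT_NAME}" &&
    az login --service-principal -u "$AZURE_CLIENT_ID" -t "$AZURE_TENANT_ID" \
      --federated-token "$(cat "$AZURE_FEDERATED_TOKEN_FILE")"
fi
```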
If the command ran without error, you can also check Key Vault access with the following command:
az keyvault secret list --vault-name <YOUR VAULT NAME>