{"id":15696297,"url":"https://github.com/trstringer/kubernetes-aad-msi","last_synced_at":"2025-05-08T23:05:32.955Z","repository":{"id":53873373,"uuid":"252248432","full_name":"trstringer/kubernetes-aad-msi","owner":"trstringer","description":"Authenticate Kubernetes applications to cloud resources with Azure Active Directory","archived":false,"fork":false,"pushed_at":"2020-04-02T14:29:52.000Z","size":5,"stargazers_count":6,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-05-08T23:05:14.907Z","etag":null,"topics":["azure","azure-active-directory","kubernetes","security"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":null,"status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/trstringer.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":null,"code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2020-04-01T17:55:35.000Z","updated_at":"2023-08-24T07:29:52.000Z","dependencies_parsed_at":"2022-08-23T23:10:54.852Z","dependency_job_id":null,"html_url":"https://github.com/trstringer/kubernetes-aad-msi","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trstringer%2Fkubernetes-aad-msi","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trstringer%2Fkubernetes-aad-msi/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trstringer%2Fkubernetes-aad-msi/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/trstringer%2Fkubernetes-aad-msi/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/trstringer","download_url":"https://codeload.github.com/trstringer/kubernetes-aad-msi/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":253160775,"owners_count":21863628,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["azure","azure-active-directory","kubernetes","security"],"created_at":"2024-10-03T19:08:38.748Z","updated_at":"2025-05-08T23:05:32.917Z","avatar_url":"https://github.com/trstringer.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Kubernetes AAD MSI\n\nAuthenticate to resources secured by Azure Active Directory (AAD) using Managed Service Identities (MSI) directly from Kubernetes.\n\n## What problem does this solve?\n\nAuthentication is a difficult problem, and even in a cloud-first/cloud-native world it is still a tough problem to solve.\n\nA feature in Azure that makes this a much easier problem to approach is Managed Service Identities. This allows Azure resources to automatically have an identity that can be used to authenticate against resources secured with Azure Active Directory (databases, storage, etc.).\n\nInstead of passing around usernames and passwords or having to worry about baking in private keys to images, MSIs give us a very simple out-of-the-box experience that is secure and requires a lot less development effort.\n\nTraditionally MSIs have been largely implemented directly from Virtual Machines (IaaS). In the Kubernetes world, we have an extra layer on top of VMs. But the usage of MSIs is still possible through the [aad-pod-identity](https://github.com/Azure/aad-pod-identity) project. For more information on exactly how it works under the covers, see the source repo for documentation.\n\n## Example\n\nIn this repo I use the example of my application (living in a pod) that needs to access a resource in Azure. In my sample, I'm using an Azure SQL database.\n\n## Steps\n\n#### Create the AKS cluster\n\n```\n$ az group create -n resource_group -l eastus\n$ az aks create -n k8scluster -g resource_group --node-count 1\n$ az aks get-credentials -g resource_group -n k8scluster\n```\n\n#### Create and configure the Azure SQL server and database\n\n```\n$ az sql server create -g resource_group -n sql_server_name --admin-user admin_user --admin-password '\u003cpassword\u003e'\n$ az sql db create -n testdb --server sql_server_name -g resource_group\n```\n\nThen you will need to set the Active Directory admin to be able to enable this feature for AAD auth against SQL.\n\nYou will also possibly need to configure your firewall on the SQL server to allow your client connections.\n\n#### Create the aad-pod-identity resources\n\nThis is what does all of the handling for this in the Kubernetes cluster.\n\n```\n$ kubectl apply -f https://raw.githubusercontent.com/Azure/aad-pod-identity/master/deploy/infra/deployment-rbac.yaml\n```\n\n#### Create the managed identity that will be used for the pod(s)\n\n```\n$ az identity create -g $(az aks show -n k8scluster -g resource_group --query \"nodeResourceGroup\" -o tsv) -n k8scluster -o json\n```\n\nSave the output from this command, as we'll be needing the `clientId` and `id` data.\n\n\n#### Create the AzureIdentity and AzureIdentityBinding resources\n\n```\n$ cat \u003c\u003c EOF \u003e /tmp/aadidentity.yaml\napiVersion: \"aadpodidentity.k8s.io/v1\"\nkind: AzureIdentity\nmetadata:\n  name: sqlaad1\nspec:\n  type: 0\n  ResourceID: \u003cid_from_identity\u003e\n  ClientID: \u003cclient_id_from_identity\u003e\nEOF\n\n$ kubectl apply -f /tmp/aadidentity.yaml\n\n$ cat \u003c\u003c EOF \u003e /tmp/aadidentitybinding.yaml\napiVersion: \"aadpodidentity.k8s.io/v1\"\nkind: AzureIdentityBinding\nmetadata:\n  name: sqlaadbinding1\nspec:\n  AzureIdentity: sqlaad1\n  Selector: sqlaad\nEOF\n\n$ kubectl apply -f /tmp/aadidentitybinding.yaml\n```\n\n#### Create the SQL user\n\nNow in the Azure SQL database, create the user to link it up with this Azure AD identity.\n\n```sql\nCREATE USER [k8scluster] FROM EXTERNAL PROVIDER;\nEXEC sp_addrolemember 'db_owner', 'k8scluster';\n```\n\n*I added the user to `db_owner` for this demo, but for a more secure configuration you should give your users the least amount of privileges required.*\n\n#### Create the SQL table and some test data\n\n```sql\nCREATE TABLE messagelist\n(\n    id INT IDENTITY(1, 1),\n    message_text NVARCHAR(128) \n);\n\nINSERT INTO messagelist\nVALUES ('my message');\n\nINSERT INTO messagelist\nVALUES ('new message');\n```\n\n#### Building and deploying the application\n\nThe `build_and_deploy.sh` script automates this, but step-by-step we would now need to:\n\n1. Build the application (`go build`)\n1. Build the docker image (`docker build`)\n1. Create the Kubernetes pod (`kubectl apply`)\n\n#### Observations and explanations\n\nYou should see that the Kubernetes application living in the pod is able to successfully query the database using the Managed Service Identity.\n\n```\n$ kubectl logs aadtest1\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrstringer%2Fkubernetes-aad-msi","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftrstringer%2Fkubernetes-aad-msi","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftrstringer%2Fkubernetes-aad-msi/lists"}