Skip to content

Instantly share code, notes, and snippets.

Created November 30, 2019 09:26
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save cmendible/4dd5c48a45480d5a0db0d6ed68e4cd01 to your computer and use it in GitHub Desktop.
AKS: Setup Pod Identity Key Vault Integration
[Parameter(Mandatory = $true)]
[Parameter(Mandatory = $true)]
[Parameter(Mandatory = $true)]
[Parameter(Mandatory = $true)]
[Parameter(Mandatory = $true)]
# Get the current subscription
$subscriptionId = (az account show | ConvertFrom-Json).id
# Get aks so we can extract it's Service Princpal later
$aks = az aks show `
-g $resourceGroupName `
-n $aksName | ConvertFrom-Json
# Create Managed Identity
$identity = az identity create `
-g $resourceGroupName `
-n $identityName `
-o json | ConvertFrom-Json
# Assign the Reader role to the Managed Identity
az role assignment create `
--role "Reader" `
--assignee $identity.principalId `
--scope /subscriptions/$subscriptionId/resourcegroups/$resourceGroupName
# Assign the Managed Identity Operator role to the AKS Service Principal
az role assignment create `
--role "Managed Identity Operator" `
--assignee $aks.servicePrincipalProfile.clientId `
--scope $
# Add policy to the Key Vault so the Managed Identity can read secrets
az keyvault set-policy `
--name $keyVaultName `
--spn $identity.clientId `
--secret-permissions get list
# Enable AAD Pod Identity on AKS
kubectl apply -f
# Create the Azure Identity and AzureIdentityBinding yaml on the fly
$k8sAzureIdentityandBinding = @"
apiVersion: ""
kind: AzureIdentity
name: $($identityName)
type: 0
ResourceID: $($
ClientID: $($identity.clientId)
apiVersion: ""
kind: AzureIdentityBinding
name: $($identityName)-identity-binding
AzureIdentity: $($identityName)
Selector: $($identitySelector)
# Deploy the yamls
$k8sAzureIdentityandBinding | kubectl apply -f -
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment