Azure Arc Blog

Announcing Public Preview of Workload Identity Federation for Azure Arc enabled Kubernetes clusters

Poornima99 (Microsoft)
Nov 19, 2024

We are excited to announce the public preview of Workload Identity Federation for Azure Arc-enabled Kubernetes clusters. Workload identity support for Azure Arc-enabled Kubernetes clusters allows applications running in those clusters to securely access Azure resources such as Azure Key Vault and Azure Blob Storage without the hassle of managing secrets.

Workload Identity Support for Azure Arc enabled Kubernetes

In today's cloud-native world, managing application credentials securely and efficiently is crucial. For software workloads running outside of Azure, application credentials (such as secrets or certificates) are required to access Microsoft Entra-protected resources like Azure Key Vault, Azure Blob Storage, and Microsoft Graph. These credentials pose security risks, necessitating secure storage and regular rotation. Additionally, expired credentials can lead to service downtime. Workload Identity Support for Azure Arc-enabled Kubernetes mitigates this issue by using Microsoft's workload identity feature, Microsoft Entra Workload ID, based on OpenID Connect, which is generally available.

How Does It Work?

The workload identity feature integrates with Kubernetes' native capabilities to federate with external identity providers. Specifically, it uses Service Account Token Volume Projection to give application pods a Kubernetes identity in the form of a short-lived, audience-scoped service account token. A user-assigned managed identity can be configured to trust tokens issued by the Kubernetes cluster, which acts as the external identity provider. Once that trust relationship is established, the application exchanges the cluster-issued token for an access token from the Microsoft identity platform. The access token can then be used to reach the Azure resources to which the workload has been granted access.
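The exchange described above, written out as an added example (not code from the original post or from Microsoft): a pod reads its projected service account token, performs a few local sanity checks on the claims the exchange depends on (audience, subject, expiry), and builds the client_credentials request in which that token is the client assertion. The audience api://AzureADTokenExchange, the jwt-bearer assertion type and the login.microsoftonline.com token endpoint are the real values used by Microsoft Entra Workload ID; the sample token, tenant and client IDs, namespace and service account name are constructed placeholders, and the token's signature segment is a placeholder that nothing verifies here (Entra verifies the real signature against the cluster's OIDC issuer keys at exchange time).

```python
import base64
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode

# Audience the projected service-account token is minted for, and the
# assertion type used in the client_credentials exchange (Entra Workload ID values).
TOKEN_EXCHANGE_AUDIENCE = "api://AzureADTokenExchange"
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload of a compact JWT WITHOUT verifying its signature.

    Entra checks the signature against the cluster's OIDC issuer JWKS when the
    token is exchanged; this local decode is only for pre-flight checks and
    diagnostics inside the pod, never for authorisation decisions.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))


def check_projected_token(token: str, namespace: str, service_account: str,
                          now: Optional[float] = None) -> dict:
    """Reject a projected token before exchange if it cannot possibly work.

    Verifies it is bound to the token-exchange audience, was issued for the
    expected service account, and has not expired. Returns the claims.
    """
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if TOKEN_EXCHANGE_AUDIENCE not in aud:
        raise ValueError(f"audience {aud} is not {TOKEN_EXCHANGE_AUDIENCE}")
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    if claims.get("sub") != expected_sub:
        raise ValueError(f"subject {claims.get('sub')!r} != {expected_sub!r}")
    if claims.get("exp", 0) <= now:
        raise ValueError("projected token expired; kubelet rotates it, re-read the file")
    return claims


def build_token_request(tenant_id: str, client_id: str, projected_token: str,
                        scope: str) -> Tuple[str, str]:
    """Build (url, form body) for exchanging the cluster token at Entra.

    The projected token travels as a client assertion; no client secret or
    certificate is involved, which is the point of the federation.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": projected_token,
        "scope": scope,
    })
    return url, body


def make_sample_token(claims: dict) -> str:
    """CONSTRUCTED sample shaped like a projected SA token; signature is a placeholder."""
    def enc(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    header = enc(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = enc(json.dumps(claims).encode())
    return f"{header}.{payload}.{enc(b'placeholder-signature')}"


if __name__ == "__main__":
    # Constructed claims; a real token is read from the file the workload
    # identity webhook mounts and named by AZURE_FEDERATED_TOKEN_FILE.
    sample = make_sample_token({
        "iss": "https://example-cluster-issuer.invalid",  # placeholder issuer
        "sub": "system:serviceaccount:app-ns:app-sa",
        "aud": [TOKEN_EXCHANGE_AUDIENCE],
        "exp": 4102444800,  # 2100-01-01, keeps the sample valid
    })
    claims = check_projected_token(sample, "app-ns", "app-sa")
    url, body = build_token_request("00000000-0000-0000-0000-000000000000",  # placeholder tenant
                                    "11111111-1111-1111-1111-111111111111",  # placeholder client id
                                    sample, "https://vault.azure.net/.default")
    print(claims["sub"], "->", url)
    print(body[:72] + "...")
```

In a real pod the tenant and client IDs come from the AZURE_TENANT_ID and AZURE_CLIENT_ID environment variables injected by the workload identity webhook, and the Azure Identity SDKs' WorkloadIdentityCredential performs exactly this exchange for you; the hand-built request is shown so the trust boundary is visible: the only credential leaving the pod is a short-lived token that Entra accepts solely because the managed identity was configured to trust the cluster's issuer and this specific subject.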

Benefits of Workload Identity

  1. Enhanced Security: By eliminating the need to manage secrets, workload identity reduces the risk of credential leakage and simplifies secret management.
  2. Simplified Management: Applications can seamlessly access Azure resources without the overhead of managing and rotating secrets.
  3. Integration with Kubernetes: The feature leverages Kubernetes' native capabilities, making it easier to implement and manage.

Getting Started

To enable workload identity for your Kubernetes clusters, make sure your Azure CLI is updated to version 2.64 or higher and the az connectedk8s extension to version 1.10.0 or higher. Update your Azure CLI version before updating your az connectedk8s version. You can check your version by running az --version and upgrade it using az upgrade.

Follow our documentation for detailed steps to deploy workload identity on new or existing Azure Arc-enabled Kubernetes clusters. The same document lists the Kubernetes distributions supported during the preview.

As you try out the feature, please ask questions and share feedback or feature requests by filling in the feedback form.

Updated Nov 19, 2024
Version 2.0