How to use a managed identity with the azure sdk running in an aks cluster?

HerrDerb 20 Reputation points
2024-10-18T09:52:24.4833333+00:00

I would like to use a managed identity to query logs from Azure Log Analytics using the `com.azure.monitor.query.LogsQueryClient` from the com.azure:azure-monitor-query Java SDK library.
My application is running on a pod inside of an AKS cluster.
I tried to follow this documentation: https://learn.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity

I created a managed identity and created an AzureIdentity resource in my cluster for this identity.

I linked the pod with the label "aadpodidbinding" to the Azure identity.
In my application I configured my LogsQueryClient with a ManagedIdentityCredential:

```java
new ManagedIdentityCredentialBuilder().clientId(<<Client-id of the managed identity resource>>).build()
```

Running my application, it still fails to authenticate:

```
2024-10-18 09:46:46,255 WARN [com.mic.aad.msa.ManagedIdentityApplication] (Thread-23) [] [Correlation ID: 8bf1b0e5-8c50-4a16-b88c-d6bd6fab8bfb] Execution of class com.microsoft.aad.msal4j.AcquireTokenByManagedIdentitySupplier failed: [Managed Identity] Unexpected exception occurred when parsing the response, HttpStatusCode: 404, Error message: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'no': was expecting (JSON String, Number, Array, Object or token 'null', 'true' or 'false') at [Source: REDACTED (StreamReadFeature.INCLUDE_SOURCE_IN_LOCATION disabled); line: 1, column: 3]
2024-10-18 09:46:46,255 ERROR [com.azu.ide.ManagedIdentityCredential] (Thread-23) [] Azure Identity => ERROR in getToken() call for scopes [https://api.loganalytics.io/.default]: Managed Identity authentication is not available.
2024-10-18 09:46:46,256 ERROR [com.azu.cor.imp.AccessTokenCache] (executor-thread-64) [] {"az.sdk.message":"Failed to acquire a new access token.","exception":"Managed Identity authentication is not available."}
```

What are the individual steps needed for using a managed identity with a Java SDK client inside an AKS deployment?


Accepted answer
Nikhil Duserla 7,935 Reputation points Microsoft External Staff Moderator
2024-10-21T17:23:54.15+00:00

Hi @Marco Schaub, thank you for your patience.

The open-source Microsoft Entra pod-managed identity (preview) in Azure Kubernetes Service was deprecated on 10/24/2022, and the project was archived in Sept. 2023.

We recommend you review Microsoft Entra Workload ID. This authentication method replaces pod-managed identity (preview) and integrates with Kubernetes native capabilities to federate with any external identity provider on behalf of the application.

Microsoft Entra Workload ID uses Service Account Token Volume Projection (that is, a service account) to enable pods to use a Kubernetes identity. A Kubernetes token is issued, and OIDC federation enables Kubernetes applications to access Azure resources securely with Microsoft Entra ID, based on annotated service accounts. For more information, please go through this: https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview?tabs=dotnet

If you have any further queries, do let us know.
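As an added example that is not part of the original answer or of the Azure SDK samples, here is the client-side half of the Workload ID setup in Java: it swaps `ManagedIdentityCredentialBuilder` for azure-identity's `WorkloadIdentityCredentialBuilder` and first checks for the environment variables the Workload ID webhook injects, so a mislabelled pod fails with a readable message instead of the IMDS 404 from the question. It assumes the cluster has the OIDC issuer and workload identity features enabled, the pod's service account is annotated with the managed identity's client id and is the subject of a federated credential on that identity, the pod carries the `azure.workload.identity/use: "true"` label, and the identity has a reader role on the workspace; `LOG_ANALYTICS_WORKSPACE_ID` is a placeholder environment variable and the KQL query is constructed for illustration.

```java
import com.azure.core.credential.TokenCredential;
import com.azure.identity.WorkloadIdentityCredentialBuilder;
import com.azure.monitor.query.LogsQueryClient;
import com.azure.monitor.query.LogsQueryClientBuilder;
import com.azure.monitor.query.models.LogsTableRow;
import com.azure.monitor.query.models.QueryTimeInterval;
import java.nio.file.Files;
import java.nio.file.Path;

public class WorkloadIdentityLogsQuery {
    // Injected by the Workload ID mutating webhook when the pod has the label
    // azure.workload.identity/use: "true" and its service account is annotated
    // with azure.workload.identity/client-id: <client id of the managed identity>.
    private static final String[] REQUIRED_ENV = {
        "AZURE_CLIENT_ID", "AZURE_TENANT_ID", "AZURE_FEDERATED_TOKEN_FILE", "AZURE_AUTHORITY_HOST"
    };

    // Fail fast with a readable message instead of the opaque IMDS 404 from the question.
    static void assertWorkloadIdentityInjected() {
        for (String name : REQUIRED_ENV) {
            String value = System.getenv(name);
            if (value == null || value.isEmpty()) {
                throw new IllegalStateException("Missing " + name + ": pod is not set up for Workload ID");
            }
        }
        Path tokenFile = Path.of(System.getenv("AZURE_FEDERATED_TOKEN_FILE"));
        if (!Files.isReadable(tokenFile)) {
            throw new IllegalStateException("Projected service account token not readable: " + tokenFile);
        }
    }

    static TokenCredential workloadIdentityCredential() {
        // The builder reads these from the environment by default; passing them keeps the dependency visible.
        return new WorkloadIdentityCredentialBuilder()
            .clientId(System.getenv("AZURE_CLIENT_ID"))
            .tenantId(System.getenv("AZURE_TENANT_ID"))
            .tokenFilePath(System.getenv("AZURE_FEDERATED_TOKEN_FILE"))
            .build();
    }

    public static void main(String[] args) {
        assertWorkloadIdentityInjected();
        LogsQueryClient client = new LogsQueryClientBuilder()
            .credential(workloadIdentityCredential()).buildClient();
        // LOG_ANALYTICS_WORKSPACE_ID is an assumed placeholder for the workspace GUID (not a client id).
        for (LogsTableRow row : client.queryWorkspace(System.getenv("LOG_ANALYTICS_WORKSPACE_ID"),
                "AzureActivity | summarize count() by OperationNameValue | top 5 by count_",
                QueryTimeInterval.LAST_DAY).getTable().getRows()) {
            System.out.println(row.getRow());
        }
    }
}
```

Requires the com.azure:azure-identity dependency alongside azure-monitor-query; the AzureIdentity resource and aadpodidbinding label from the question are not used by this path.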

