What is the cause of the following error - "getting assigned identities for pod <namespace>/<pod_name> in CREATED state failed after 20 attempts, retry duration [5]s" , while connecting to IMDS endpoint from a pod in AKS.

Mahalingam Vignesh 20 Reputation points
2024-07-08T17:50:19.59+00:00

I am trying to connect to Azure Key vault via user assigned managed identity from a pod of AKS.
I have provided the necessary RBAC role to the identity.
I have created Azure Identity and Azure Identity Binding.
I have updated my deployment with the selector from Azure Identity Binding in spec.template.metadata.labels.aadpodidentitybinding.
Below is the IMDS endpoint I am trying to reach - http://169.254.169.254/metadata/identity/oauth2/token?api-version=2021-01-01&resource=https://vault.azure.net
I am new to Azure cloud and its resources. Kindly help me with this query.


Accepted answer
  1. hossein jalilian 5,480 Reputation points
    2024-07-08T19:22:20.41+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Here's a guide to help you troubleshoot and ensure everything is set up correctly:

    • Ensure that the user-assigned managed identity has the correct RBAC role assigned to access the Key Vault.
    • Confirm that the Azure Identity and Azure Identity Binding resources are correctly created and associated with your AKS cluster and the specific pod.
    • Verify that the deployment's pod template includes the correct label to match the Azure Identity Binding selector.
    • The IMDS endpoint you're using (http://169.254.169.254/metadata/identity/oauth2/token) is correct. However, ensure you're including the necessary header in your request: Metadata: true.
    • Make sure your AKS cluster has the Azure AD Pod Identity add-on enabled.
    • Ensure there are no network policies or firewalls blocking access to the IMDS endpoint or Azure Key Vault.

    Please don't forget to close the thread here by upvoting and accepting it as an answer if it is helpful.
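The token request this checklist describes (IMDS URL, the mandatory Metadata: true header, and retries on the transient statuses behind "failed after N attempts"), written out as an added example that is not part of the answer or of any Microsoft library. The api-version 2018-02-01 and the client_id query parameter are the ones documented for the IMDS identity endpoint; scripted_imds and its responses are a constructed offline stand-in for the real endpoint.

```python
import io
import json
import time
import urllib.error
import urllib.parse
import urllib.request

IMDS_TOKEN_URL = "http://169.254.169.254/metadata/identity/oauth2/token"
API_VERSION = "2018-02-01"                  # version documented for the identity endpoint
RETRYABLE = {404, 429, 500, 502, 503, 504}  # 404: identity not assigned yet, 429: throttled


def build_request(resource, client_id=None):
    """Build the IMDS token request. 'Metadata: true' is mandatory (IMDS rejects
    requests without it); client_id selects one of several user-assigned identities."""
    params = {"api-version": API_VERSION, "resource": resource}
    if client_id:
        params["client_id"] = client_id
    url = IMDS_TOKEN_URL + "?" + urllib.parse.urlencode(params)
    return urllib.request.Request(url, headers={"Metadata": "true"}, method="GET")


def fetch_token(resource, client_id=None, attempts=5, delay=0.5, opener=urllib.request.urlopen):
    """Request a token with exponential backoff; returns (access_token, expires_on)."""
    req = build_request(resource, client_id)
    last_error = None
    for attempt in range(attempts):
        try:
            with opener(req, timeout=5) as resp:
                body = json.loads(resp.read())
            return body["access_token"], int(body["expires_on"])
        except urllib.error.HTTPError as err:
            if err.code not in RETRYABLE:
                raise                       # e.g. 400: bad resource or unknown client_id
            last_error = err
        if attempt < attempts - 1:
            time.sleep(delay * 2 ** attempt)
    raise RuntimeError(f"IMDS token request failed after {attempts} attempts: {last_error}")


def scripted_imds(responses):
    """Constructed stand-in for urlopen so the flow runs offline: each call yields
    the next (status, json_body); non-200 statuses raise HTTPError like urlopen."""
    queue = list(responses)

    def opener(req, timeout=None):
        status, body = queue.pop(0)
        if status != 200:
            raise urllib.error.HTTPError(req.full_url, status, "scripted", {}, None)
        return io.BytesIO(json.dumps(body).encode())

    return opener
```

A 404 that never clears across all attempts is the client-side view of the NMI error in the question: the identity has not been assigned to the pod, or the request never reached IMDS/NMI.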


1 additional answer

  1. Mahalingam Vignesh 20 Reputation points
    2024-07-19T09:14:48.89+00:00

    Thanks for the answer.

    There was a network policy preventing the access.
