Share via

What is the cause of the following error - "getting assigned identities for pod <namespace>/<pod_name> in CREATED state failed after 20 attempts, retry duration [5]s" , while connecting to IMDS endpoint from a pod in AKS.

Mahalingam Vignesh 20 Reputation points
2024-07-08T17:50:19.59+00:00

I am trying to connect to Azure Key vault via user assigned managed identity from a pod of AKS.
I have provided the necessary RBAC role to the identity.
I have created Azure Identity and Azure Identity Binding.
I have updated my deployment with the selector from Azure Identity Binding in spec.template.metadata.labels.aadpodidentitybinding.
Below is the IMDS endpoint, I am trying to reach - http://169.254.169.254/metadata/identity/oauth2/token?api-version=2021-01-01&resource=https://vault.azure.net"
I am new to azure cloud and its resource. Kindly help me with this query.

Azure Key Vault
Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.
1,309 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
826 questions
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS)
An Azure service that provides serverless Kubernetes, an integrated continuous integration and continuous delivery experience, and enterprise-grade security and governance.
2,141 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,067 questions
0 comments
Accepted answer
  1. hossein jalilian 7,845 Reputation points
    2024-07-08T19:22:20.41+00:00

    Thanks for posting your question in the Microsoft Q&A forum.

    Here's a guide to help you troubleshoot and ensure everything is set up correctly:

    • Ensure that the user-assigned managed identity has the correct RBAC role assigned to access the Key Vault.
    • Confirm that the Azure Identity and Azure Identity Binding resources are correctly created and associated with your AKS cluster and the specific pod.
    • Verify that the deployment's pod template includes the correct label to match the Azure Identity Binding selector
    • The IMDS endpoint you're using (http://169.254.169.254/metadata/identity/oauth2/token) is correct. However, ensure you're including the necessary headers in your request, Metadata: true
    • Make sure your AKS cluster has the Azure AD Pod Identity add-on enabled
    • Ensure there are no network policies or firewalls blocking access to the IMDS endpoint or Azure Key Vault.

    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Mahalingam Vignesh 20 Reputation points
    2024-07-19T09:14:48.89+00:00

    Thanks for the answer.

    There was a network policy preventing the access.

    0 comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.