How to use Azure CLI docker image inside Kubernetes?

Question

How to use Azure CLI docker image inside Kubernetes?

ScottShorkey 16

I have a use case where I need to run Azure CLI inside Kubernetes to make changes to an Azure route table.

My workflow is to have a Kubernetes deployment that uses the Azure CLI image (https://hub.docker.com/_/microsoft-azure-cli). This deployment will then log in to Azure and make changes to Azure route tables.

I've already written a script that uses the Azure CLI to make the route table changes. I'm struggling to figure out how to integrate it into Kubernetes.

I figure I have to use Azure Workload Identity to create a service principal that has Contributor access to the route table, so I went ahead and made a service principal and federated it to my Kubernetes service account (all the tutorials made it easy) but I can't figure out how to actually get my Azure CLI pod to actually consume those credentials. How do I use that service account to make Azure CLI docker image log in to Azure?

shiva patpi 13,366 Reputation points Microsoft Employee Moderator

2022-12-17T02:57:56.17+00:00
Hello @ScottShorkey ,
I just wanted to share my alternate thoughts based upon by research and local implementations, let me know if that helps:

Step1:-
Created a ServicePrincipal with Contributor scope over the subscription by using below command:
az ad sp create-for-rbac -n spforcli --role Contributor --scopes /subscriptions/{$subid}

Step2:- Created a pod with below configuration ;
2.1 It is logging in using Service Principal
2.2 It is trying to start the AKS cluster

apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: azcli
name: azcli
spec:
containers:

image: mcr.microsoft.com/azure-cli
name: azcli
command: ["/bin/sh"]
args: ["-c","az login --service-principal -u <clientID> -p <password> --tenant <subtenantid>;az aks start -g aks -n aks;sleep 1000000000"]
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}

If you still want to continue with Service Account , kindly share out the steps which you followed so that I can do my research & help you out !

Regards,
Shiva.
ScottShorkey 16 Reputation points

2022-12-19T17:39:52.607+00:00

I created an azure application & service principal and set up a federated identity credential to link it to a service account in kubernetes, and gave that service principal permissions to my azure resources. The service account is already created in my AKS cluster.

I just need to figure out how to use that service account to log into azure cli.

I really don't want to have passwords be passed as parameters so I don't like that solution above. I know for pulling secrets from keyvaults, there is a way to use the federated identity credential to service account route for keyvaults, I need to know how to do that for az cli.

1 answer

Your answer

shiva patpi 13,366 Reputation points Microsoft Employee Moderator

2022-12-17T02:57:56.17+00:00

Hello @ScottShorkey ,
I just wanted to share my alternate thoughts based upon by research and local implementations, let me know if that helps:

Step1:-
Created a ServicePrincipal with Contributor scope over the subscription by using below command:
az ad sp create-for-rbac -n spforcli --role Contributor --scopes /subscriptions/{$subid}

Step2:- Created a pod with below configuration ;
2.1 It is logging in using Service Principal
2.2 It is trying to start the AKS cluster

apiVersion: v1
kind: Pod
metadata:
creationTimestamp: null
labels:
run: azcli
name: azcli
spec:
containers:

image: mcr.microsoft.com/azure-cli
name: azcli
command: ["/bin/sh"]
args: ["-c","az login --service-principal -u <clientID> -p <password> --tenant <subtenantid>;az aks start -g aks -n aks;sleep 1000000000"]
resources: {}
dnsPolicy: ClusterFirst
restartPolicy: Always
status: {}

If you still want to continue with Service Account , kindly share out the steps which you followed so that I can do my research & help you out !

Regards,
Shiva.
ScottShorkey 16 Reputation points

2022-12-19T17:39:52.607+00:00

I created an azure application & service principal and set up a federated identity credential to link it to a service account in kubernetes, and gave that service principal permissions to my azure resources. The service account is already created in my AKS cluster.

I just need to figure out how to use that service account to log into azure cli.

I really don't want to have passwords be passed as parameters so I don't like that solution above. I know for pulling secrets from keyvaults, there is a way to use the federated identity credential to service account route for keyvaults, I need to know how to do that for az cli.

Answer 1

Hi @ScottShorkey ,

I think you have all the steps done correctly, but I think you are just missing the login command.
Anyways, you have two ways to acheive what you are looking for:

1- If the cluster has workload identity enabled (it seems this is what you have):

Get the OIDC issuer: export AKS_OIDC_ISSUER="$(az aks show -n myAKSCluster -g myResourceGroup --query "oidcIssuerProfile.issuerUrl" -otsv)"
Create a managed identity: az identity create --name "az-cli-identity" --resource-group myResourceGroup
Either from the portal or using CLI, grant the needed permessions to the managed identity (to modify the route table)
Get the client ID of the new identity: export USER_ASSIGNED_CLIENT_ID="$(az identity show --name "az-cli-identity" --resource-group myResourceGroup --query 'clientId' -otsv)"
- In the cluster, create a service account linked to the above identity:

cat <<EOF | kubectl apply -f -

apiVersion: v1  
kind: ServiceAccount  
metadata:  
  annotations:  
    azure.workload.identity/client-id: ${USER_ASSIGNED_CLIENT_ID}  
  labels:  
    azure.workload.identity/use: "true"  
  name: az-cli-sa

EOF

Create a federated credential: az identity federated-credential create --name fic-az-cli --identity-name az-cli-identity --resource-group myResourceGroup --issuer ${AKS_OIDC_ISSUER} --subject system:serviceaccount:default:az-cli-sa
Create the pod (note that I used the sleep command, you can use your own login command then pass your script)

cat <<EOF | kubectl apply -f -

apiVersion: v1  
kind: Pod  
metadata:  
  name: az-cli  
spec:  
  serviceAccountName: az-cli-sa  
  containers:  
    - image: mcr.microsoft.com/azure-cli  
      name: oidc  
      command:  
      - sleep  
      - "6000"

EOF

Exce inside the new pod using: kubectl exec -it az-cli -- bash
To login run (all the environment variables are exposed in the pod automatically): az login --service-principal -u $AZURE_CLIENT_ID -t $AZURE_TENANT_ID --federated-token $(cat $AZURE_FEDERATED_TOKEN_FILE)

2- if the cluster has managed identity, you can use the user assigned identity that gets created automatically for the cluster's VMs:

Deploy the pod (no service account references):

cat <<EOF | kubectl apply -f -

apiVersion: v1  
kind: Pod  
metadata:  
  name: az-cli  
spec:  
  containers:  
    - image: mcr.microsoft.com/azure-cli  
      name: oidc  
      command:  
      - sleep  
      - "6000"

EOF

Get the managed identity resource ID: az aks show -g resourceGroup -n clusterName --query "identityProfile.kubeletidentity.resourceId" -o tsv
Either from the portal or using CLI, grant the needed permessions to the managed identity (to modify the route table)
Execute inside the pod and run: az login --identity -u /subscriptions/subID/resourceGroups/MC_two_2_westeurope/providers/Microsoft.ManagedIdentity/userAssignedIdentities/2-agentpool

References:

I hope you find this helpful. Please accept the answer if you do, or reply back to me and I can assist further.

Thank you !

Share via

How to use Azure CLI docker image inside Kubernetes?

1 answer

Your answer