Authenticate Azure MySQL via AKS pod without password

yd7474 60 Reputation points
2023-02-06T16:01:06.0566667+00:00

Hello,

I am searching for a solution to connect from an Azure AKS pod to a MySQL database without the need for a password or any manual token request. Ideally, the token should be retained automatically.

Will Workload Identity be able to resolve my issue and allow me to connect to the MySQL database without a password? If not, is there any alternative solution available?

Thank you for your assistance!


Accepted answer
  1. Abdul Sajid Mohammed 470 Reputation points Microsoft Employee
    2023-02-06T21:32:24.9766667+00:00

    Hello Yd7474,

    Assuming you are referring to a Managed MySQL and if it supports Service Principal, then you should be able to use the Kubelet user-assigned managed identity of the cluster, such as the aks-clustername-agentpool identity. And if you want to use a separate managed identity for each pod (not the 'shared' node identity) they'll need to use something like "aad-pod-identity" or the newer workload identity.

    To connect from an Azure AKS pod to a MySQL database without the need for a password or any manual token request, you can use Azure AD Managed Identity (preview) to authenticate the pod to the database. This method uses the pod's identity to automatically request an Azure AD token, which can then be used to access the database. The token is retained automatically, so there is no need for manual token requests. Azure AD Managed Identity is available in two types: system-assigned and user-assigned. System-assigned managed identities have their lifecycle tied to the resource that created them, while user-assigned managed identities can be used on multiple resources.

    If you are considering implementing Azure AD pod-managed identity on your AKS cluster, we recommend you first review the workload identity overview article to understand our recommendations and options to set up your cluster to use an Azure AD workload identity (preview). This authentication method replaces pod-managed identity (preview), which integrates with the Kubernetes native capabilities to federate with any external identity providers.

    Hope this helps. Please "Accept as Answer" and Upvote if it helped, so that it can help others in the community looking for help on similar topics. Thank you!

    Best Regards.

    1 person found this answer helpful.
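As an added illustration of the pattern the accepted answer describes (an Azure AD access token obtained through the pod's workload identity, used in place of a MySQL password and refreshed automatically), here is example code that is not part of the original question or answer and not Microsoft's own sample. It assumes: the Azure AD resource scope for Azure Database for MySQL is `https://ossrdbms-aad.database.windows.net/.default`; the MySQL user name is the Azure AD identity's name (a constructed placeholder below); the driver is mysql-connector-python, whose connection keyword arguments are shown, and which must send the token via the clear-text plugin over TLS; and the `azure-identity` package is available in the pod. The `constructed_fetcher` and `make_fake_jwt` helpers mint unsigned tokens purely so the refresh logic can be exercised offline.

```python
"""
Password-less MySQL credentials for an AKS pod using Azure AD workload identity.

The workload identity webhook injects AZURE_CLIENT_ID, AZURE_TENANT_ID and
AZURE_FEDERATED_TOKEN_FILE into the pod; azure-identity exchanges that
federated token for an Azure AD access token, and the access token is what
goes into the MySQL "password" field. TokenPasswordProvider keeps the token
and renews it before expiry, so application code never requests one by hand.
"""
import base64
import json
import time
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# Assumed scope for Azure Database for MySQL Azure AD authentication.
MYSQL_SCOPE = "https://ossrdbms-aad.database.windows.net/.default"
# Renew the token when less than this much lifetime remains.
REFRESH_MARGIN_SECONDS = 5 * 60

# A fetcher maps a scope to (access_token, expires_on as a Unix timestamp).
TokenFetcher = Callable[[str], Tuple[str, int]]


def jwt_expiry(token: str) -> int:
    """Read the 'exp' claim of a JWT without verifying it. The value is only
    used to schedule refresh; signature validation is the server's job."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)  # restore stripped padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return int(payload["exp"])


@dataclass
class TokenPasswordProvider:
    """Caches one access token and refreshes it shortly before it expires."""
    fetch: TokenFetcher
    scope: str = MYSQL_SCOPE
    fetch_count: int = 0          # how many times a token was requested
    _token: str = ""
    _expires_on: int = 0

    def password(self, now: Optional[float] = None) -> str:
        """Return a valid access token; 'now' is injectable for testing."""
        now = time.time() if now is None else now
        if not self._token or self._expires_on - now < REFRESH_MARGIN_SECONDS:
            self._token, self._expires_on = self.fetch(self.scope)
            self.fetch_count += 1
        return self._token

    def connect_kwargs(self, host: str, user: str, database: str,
                       now: Optional[float] = None) -> dict:
        """Keyword arguments for mysql.connector.connect(**kwargs)."""
        return {
            "host": host,
            "user": user,                 # the Azure AD identity's MySQL user name
            "password": self.password(now),
            "database": database,
            "auth_plugin": "mysql_clear_password",  # token is sent in clear text...
            "ssl_disabled": False,                  # ...so TLS must stay on
        }


def azure_workload_identity_fetcher() -> TokenFetcher:
    """Production fetcher backed by azure-identity (imported lazily so the
    rest of this module runs without the package installed)."""
    from azure.identity import WorkloadIdentityCredential  # pip install azure-identity
    credential = WorkloadIdentityCredential()

    def fetch(scope: str) -> Tuple[str, int]:
        result = credential.get_token(scope)
        return result.token, result.expires_on
    return fetch


def make_fake_jwt(exp: int) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def b64(obj) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64({'aud': MYSQL_SCOPE, 'exp': exp})}.sig"


def constructed_fetcher(clock: Callable[[], float]) -> TokenFetcher:
    """Offline stand-in for the Azure fetcher: mints a token valid for one
    hour from the supplied clock. Constructed for this example."""
    def fetch(scope: str) -> Tuple[str, int]:
        token = make_fake_jwt(int(clock()) + 3600)
        return token, jwt_expiry(token)
    return fetch


if __name__ == "__main__":
    # In the pod: provider = TokenPasswordProvider(azure_workload_identity_fetcher())
    provider = TokenPasswordProvider(constructed_fetcher(time.time))
    kwargs = provider.connect_kwargs("example.mysql.database.azure.com",
                                     "my-managed-identity", "appdb")
    print("would connect with user", kwargs["user"], "and a", len(kwargs["password"]),
          "character token as password")
```

In the pod, `TokenPasswordProvider(azure_workload_identity_fetcher())` is built once and `connect_kwargs(...)` is called whenever a new connection (or pool connection) is opened, so a long-running service keeps working across token expiry without any manual token handling. The `fetch_count` counter exists so the refresh behaviour can be observed: repeated calls inside the token's lifetime reuse the cached token, and a call within the refresh margin triggers exactly one new fetch.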
