This article outlines the steps necessary for migrating the Yelb application from AWS EKS to AKS. Please note that the Yelb application is self-contained and doesn't rely on external services, so it can be migrated from AWS to Azure without code changes.
Migrating from AWS IAM to Azure RBAC
If the web application on AWS uses an AWS Identity and Access Management (IAM) role for accessing managed services, you need to assign the role to the EKS pods to grant access to AWS resources. In Azure, you can assign a role to users, groups, service principals, or managed identities at a specific scope: management group, subscription, resource group, or resource. This allows you to grant specific permissions to the workload identity on a Microsoft Entra protected resource.
You can configure Azure RBAC using the following steps:
- Create a user-assigned managed identity and Kubernetes service account for the workload.
- Assign the necessary roles to the managed identity to let the AKS-hosted workload access the required Microsoft Entra protected resources.
- Enable the OpenID Connect (OIDC) issuer and Microsoft Entra Workload ID on your AKS cluster. For detailed instructions, see Deploy and configure workload identity on an Azure Kubernetes Service (AKS) cluster.
- Create a token federation for the managed identity with the Kubernetes service account used by the workload on AKS.
Microsoft Entra Workload ID uses Service Account Token Volume Projection to give pods a Kubernetes identity: the kubelet issues a short-lived service account token into the pod, and OIDC federation lets Microsoft Entra ID accept that token for an annotated service account, so the application can securely access Azure resources with Microsoft Entra ID.
Microsoft Entra Workload ID works well with the Azure Identity client libraries or the Microsoft Authentication Library, along with application registration. These libraries enable your workload to authenticate seamlessly and access Azure cloud resources. For more information, see Use Microsoft Entra Workload ID with Azure Kubernetes Service (AKS).
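The four configuration steps above, carried through as one script. This is an added example and not code from the article or from the Yelb project; the resource group, cluster, identity, namespace, service account name and the `TARGET_RESOURCE_ID` scope are placeholders you would replace. The Azure-side commands (`az aks update`, `az identity`, `az role assignment`, `az identity federated-credential`) are real Azure CLI commands; the two render functions are pure and can be checked without an Azure subscription.

```shell
#!/usr/bin/env bash
# Added example: wire a user-assigned managed identity to a Kubernetes
# service account with Microsoft Entra Workload ID. All names below are
# assumed placeholders, not values from the article.
set -euo pipefail

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-yelb}"            # assumed
CLUSTER_NAME="${CLUSTER_NAME:-aks-yelb}"               # assumed
IDENTITY_NAME="${IDENTITY_NAME:-id-yelb-appserver}"    # assumed
NAMESPACE="${NAMESPACE:-yelb}"                         # assumed
SERVICE_ACCOUNT="${SERVICE_ACCOUNT:-yelb-appserver}"   # assumed
# Resource ID of the single Entra-protected resource the workload needs
# (placeholder; narrow the scope to that resource, not the subscription).
TARGET_RESOURCE_ID="${TARGET_RESOURCE_ID:-/subscriptions/PLACEHOLDER/resourceGroups/rg-yelb/providers/Microsoft.KeyVault/vaults/kv-yelb}"

# The federated credential's subject must equal the "sub" claim of the
# projected service account token: system:serviceaccount:<namespace>:<name>.
federated_subject() {
  printf 'system:serviceaccount:%s:%s' "$NAMESPACE" "$SERVICE_ACCOUNT"
}

# ServiceAccount manifest; the client-id annotation is what Workload ID
# uses to decide which managed identity the pod's token is exchanged for.
render_service_account() {
  local client_id="$1"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${SERVICE_ACCOUNT}
  namespace: ${NAMESPACE}
  annotations:
    azure.workload.identity/client-id: ${client_id}
EOF
}

# Pods only get the projected token and AZURE_* env vars when the pod
# template carries this label and references the service account.
render_pod_patch() {
  printf '{"spec":{"template":{"metadata":{"labels":{"azure.workload.identity/use":"true"}},"spec":{"serviceAccountName":"%s"}}}}' \
    "$SERVICE_ACCOUNT"
}

configure_workload_identity() {
  # Step 3: OIDC issuer + Workload ID on the cluster.
  az aks update --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
    --enable-oidc-issuer --enable-workload-identity
  local issuer
  issuer=$(az aks show --resource-group "$RESOURCE_GROUP" --name "$CLUSTER_NAME" \
    --query oidcIssuerProfile.issuerUrl -o tsv)

  # Step 1: user-assigned managed identity.
  az identity create --resource-group "$RESOURCE_GROUP" --name "$IDENTITY_NAME"
  local client_id principal_id
  client_id=$(az identity show --resource-group "$RESOURCE_GROUP" --name "$IDENTITY_NAME" \
    --query clientId -o tsv)
  principal_id=$(az identity show --resource-group "$RESOURCE_GROUP" --name "$IDENTITY_NAME" \
    --query principalId -o tsv)

  # Step 2: role assignment at the narrowest scope that works (role name assumed).
  az role assignment create --assignee-object-id "$principal_id" \
    --assignee-principal-type ServicePrincipal \
    --role "Key Vault Secrets User" --scope "$TARGET_RESOURCE_ID"

  # Step 4: federate the identity with the Kubernetes service account.
  az identity federated-credential create --name "fc-${SERVICE_ACCOUNT}" \
    --identity-name "$IDENTITY_NAME" --resource-group "$RESOURCE_GROUP" \
    --issuer "$issuer" --subject "$(federated_subject)" \
    --audiences api://AzureADTokenExchange

  # Step 1 (Kubernetes side): service account, then label the workload.
  kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -
  render_service_account "$client_id" | kubectl apply -f -
  kubectl -n "$NAMESPACE" patch deployment yelb-appserver --type merge -p "$(render_pod_patch)"
}

# Only talk to Azure when explicitly asked; otherwise just define the functions.
if [ "${1:-}" = "apply" ]; then
  configure_workload_identity
fi
```

Run it as `./workload-identity.sh apply` after `az login` and `az aks get-credentials`. The subject string and the `azure.workload.identity/use` label are the two details most often wrong in practice: a namespace or service account name mismatch makes the token exchange fail with an audience/subject error rather than a clear misconfiguration message, so compare `federated_subject` against the `sub` claim of the projected token if the pod cannot obtain an Azure token.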
Contributors
Microsoft maintains this article. The following contributors originally wrote it:
Principal author:
- Paolo Salvatori | Principal Customer Engineer
Other contributors:
- Ken Kilty | Principal TPM
- Russell de Pina | Principal TPM
- Erin Schaffer | Content Developer 2