This repository was archived by the owner on Oct 12, 2023. It is now read-only.

Security concerns of using managed identity using AAD Pod Identities #1019

Answered by chewong
psibi asked this question in Q&A

> I can assign only a single user-managed identity to the AKS cluster.

Yes, that's correct. If you have `--enable-managed-identity` enabled when you create an AKS cluster, it will create one for you. That user-assigned identity is for cluster-wide operations.

> I have to do the relevant role assignments to the identity for getting access.

In your use-case, you can create two new user-assigned identities (grant the first one access to keyvault and the second one to Azure DNS) and use aad-pod-identity to assign those identities to your pods. NMI will perform validations to make sure only the correct pod can access the correct identity.
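The two-identity setup described in the answer above, as an added example (not code from the aad-pod-identity project or from anyone in this thread): it creates two user-assigned identities, grants each exactly one role on one scope, renders the AzureIdentity and AzureIdentityBinding objects, and renders a pod that opts in to one identity through the `aadpodidbinding` label. The resource group, cluster, vault, zone, identity and pod names, the container image and the role choices are assumptions; the Key Vault is assumed to use the Azure RBAC permission model (an access-policy vault would need `az keyvault set-policy` instead). The one-time prerequisite of giving the kubelet identity Virtual Machine Contributor on the node resource group is not repeated here.

```shell
#!/bin/sh
# Added example for the discussion above; not code from the aad-pod-identity project.
# Two user-assigned identities, each with one role on one scope, bound to separate
# pod selectors so NMI issues each pod a token only for its own identity.
# All names below are placeholders (assumptions), overridable via the environment.
set -eu

RG="${RG:-my-rg}"
CLUSTER="${CLUSTER:-my-aks}"
KV_NAME="${KV_NAME:-my-keyvault}"      # assumed to use the Azure RBAC permission model
DNS_ZONE="${DNS_ZONE:-example.com}"
NAMESPACE="${NAMESPACE:-default}"
IMAGE="${IMAGE:-mcr.microsoft.com/azure-cli}"

# AzureIdentity for a user-assigned identity (spec.type 0 in the aad-pod-identity CRD).
render_azure_identity() {
  name=$1; resource_id=$2; client_id=$3
  cat <<EOF
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: ${name}
  namespace: ${NAMESPACE}
spec:
  type: 0
  resourceID: ${resource_id}
  clientID: ${client_id}
EOF
}

# Binding: only pods labelled aadpodidbinding=<selector> may obtain tokens for
# <name>. NMI checks the requesting pod's label before handing out a token.
render_azure_identity_binding() {
  name=$1; selector=$2
  cat <<EOF
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentityBinding
metadata:
  name: ${name}-binding
  namespace: ${NAMESPACE}
spec:
  azureIdentity: ${name}
  selector: ${selector}
EOF
}

# Pod that opts in to one identity via the label. A pod with no label, or a
# different selector, cannot get a token for this identity from NMI.
render_pod() {
  name=$1; selector=$2; image=$3
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: ${name}
  namespace: ${NAMESPACE}
  labels:
    aadpodidbinding: ${selector}
spec:
  containers:
  - name: main
    image: ${image}
EOF
}

# Create one identity with exactly one role on one scope; print "resourceId clientId".
create_scoped_identity() {
  name=$1; role=$2; scope=$3
  az identity create -g "$RG" -n "$name" -o none
  rid=$(az identity show -g "$RG" -n "$name" --query id -o tsv)
  cid=$(az identity show -g "$RG" -n "$name" --query clientId -o tsv)
  pid=$(az identity show -g "$RG" -n "$name" --query principalId -o tsv)
  az role assignment create --assignee-object-id "$pid" --assignee-principal-type ServicePrincipal \
    --role "$role" --scope "$scope" -o none
  # MIC assigns the identity to the node VMs/VMSS, so the cluster's kubelet
  # identity needs Managed Identity Operator on this identity.
  kubelet_id=$(az aks show -g "$RG" -n "$CLUSTER" --query identityProfile.kubeletidentity.clientId -o tsv)
  az role assignment create --assignee "$kubelet_id" --role "Managed Identity Operator" --scope "$rid" -o none
  echo "$rid $cid"
}

main() {
  kv_scope=$(az keyvault show -n "$KV_NAME" --query id -o tsv)
  dns_scope=$(az network dns zone show -g "$RG" -n "$DNS_ZONE" --query id -o tsv)
  kv=$(create_scoped_identity kv-reader "Key Vault Secrets User" "$kv_scope")
  dns=$(create_scoped_identity dns-updater "DNS Zone Contributor" "$dns_scope")
  {
    render_azure_identity kv-reader "${kv% *}" "${kv#* }"; echo ---
    render_azure_identity_binding kv-reader kv-reader; echo ---
    render_azure_identity dns-updater "${dns% *}" "${dns#* }"; echo ---
    render_azure_identity_binding dns-updater dns-updater; echo ---
    render_pod secrets-consumer kv-reader "$IMAGE"; echo ---
    render_pod zone-updater dns-updater "$IMAGE"
  } | kubectl apply -f -
}

# Only talk to Azure and Kubernetes when explicitly asked; otherwise just define the functions.
if [ "${APPLY:-0}" = 1 ]; then main; fi
```

Run with `APPLY=1` (and the real names in the environment) against a cluster that already has aad-pod-identity installed. The separation that matters for the original question is that each identity carries one role on one scope and each binding has its own selector, so a pod labelled `kv-reader` cannot obtain a token usable against the DNS zone even though both identities are assigned to the same nodes. Note that, as the archive banner above says, this project is read-only; Azure AD Workload Identity is its successor and uses a different binding mechanism.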

Replies: 1 comment, 5 replies (from @psibi, @tgwallenborg and chewong, Collaborator; Sep 24 and Sep 27, 2021)
Answer selected by psibi
Category
Q&A
3 participants