Enhanced Storage services to use pod identities
To get access to Azure resources (Key Vault, Blob Storage, Service Bus, ...) we use the DefaultAzureCredential class, which tries to create a valid credential in the following order:
- EnvironmentCredential;
- ManagedIdentityCredential;
- SharedTokenCacheCredential.
In deployment.yaml we bind the Azure identity to the pod, which makes it possible to reach an Azure service without putting any credentials in the code:
  template:
    metadata:
      labels:
        app: {{ .Chart.Name }}
        aadpodidbinding: osdu-identity
but at the same time the same deployment still injects the service principal credentials into the container environment:
  - name: AZURE_CLIENT_ID
    valueFrom:
      secretKeyRef:
        name: active-directory
        key: principal-clientid
  - name: AZURE_CLIENT_SECRET
    valueFrom:
      secretKeyRef:
        name: active-directory
        key: principal-clientpassword
  - name: AZURE_TENANT_ID
    valueFrom:
      secretKeyRef:
        name: active-directory
        key: tenantid
Because EnvironmentCredential comes first in the chain and these variables are always present, DefaultAzureCredential always resolves to EnvironmentCredential and the pod identity is never used. We would like to use pod managed identities in the cluster and EnvironmentCredential only for local runs.
In our understanding, in order to make a successful switch to pod managed identities for Azure Resource access, it is enough to delete AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID from deployment.yaml.
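As an added example (not code from this issue or from the OSDU charts), a small pre-deploy gate that catches exactly this misconfiguration on a rendered manifest: it assumes the chart has been rendered to a file with `helm template` and fails when the pod carries the aadpodidbinding label but still injects the AZURE_* service principal variables, since in that case DefaultAzureCredential picks EnvironmentCredential before ManagedIdentityCredential. The two manifests at the bottom are constructed samples of the deployment before and after the change.

```shell
# Added example, not code from the original issue or the OSDU charts: a pre-deploy
# gate over a rendered chart (assumed: `helm template ... > rendered.yaml`). It fails
# when the pod template is labelled for aad-pod-identity but still injects the AZURE_*
# secret variables, because DefaultAzureCredential tries EnvironmentCredential before
# ManagedIdentityCredential, so the bound pod identity would never be used.
check_pod_identity_manifest() {
  manifest="$1"
  if ! grep -Eq '^[[:space:]]*aadpodidbinding:[[:space:]]*osdu-identity' "$manifest"; then
    echo "FAIL: $manifest has no aadpodidbinding label, pod identity is not bound" >&2
    return 1
  fi
  found=$(grep -Eo 'AZURE_(CLIENT_ID|CLIENT_SECRET|TENANT_ID)' "$manifest" | sort -u | tr '\n' ' ')
  if [ -n "$found" ]; then
    echo "FAIL: $manifest still injects ${found}so EnvironmentCredential wins over the pod identity" >&2
    return 1
  fi
  echo "OK: $manifest relies on the pod identity only"
}

# Constructed sample manifests (not real rendered charts): before and after the change.
WORK=$(mktemp -d)
cat > "$WORK/before.yaml" <<'EOF'
metadata:
  labels:
    aadpodidbinding: osdu-identity
spec:
  containers:
    - name: storage
      env:
        - name: AZURE_CLIENT_SECRET
          valueFrom:
            secretKeyRef:
              name: active-directory
              key: principal-clientpassword
EOF
cat > "$WORK/after.yaml" <<'EOF'
metadata:
  labels:
    aadpodidbinding: osdu-identity
spec:
  containers:
    - name: storage
      env:
        - name: LOG_LEVEL
          value: info
EOF
check_pod_identity_manifest "$WORK/before.yaml" || true   # expected: FAIL
check_pod_identity_manifest "$WORK/after.yaml"             # expected: OK
```

Running it in CI against the rendered storage chart turns the fix described in this issue into a check that cannot silently regress.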
Edited by Aliaksei Darafeyeu