More touchups
amitlicht committed Mar 10, 2024
1 parent 5249586 commit ebf6619
Showing 2 changed files with 35 additions and 24 deletions.
57 changes: 34 additions & 23 deletions docs/features/azure-iam/tutorials/azure-iam-aks.mdx
Expand Up @@ -141,17 +141,13 @@ kubectl apply -n otterize-tutorial-azure-iam -f ${ABSOLUTE_URL}/code-examples/az


### View logs for the client - access denied
The client logs will show that it fails to log in using the federated identity credentials and access the Azure Blob Storage container.
This is because we haven't yet applied any `ClientIntents` to this pod, so no role assignments have been created for it:
The client logs will show that the Azure client ID environment variable is not set.
This is because no Azure workload identity has been created for the client pod yet.

```text
Client - The time is: Sun Mar 10 18:27:31 UTC 2024
Client - The time is: Sun Mar 10 18:40:37 UTC 2024
Logging in using federated identity credentials
ERROR: No subscriptions found for <AZURE_CLIENT_ID>
Listing storage blob container otterizeazureiamtutorialcontainer in storage account otterizeazureiamtutorial
ERROR: Please run 'az login' to setup account.
Azure client ID not set
```

### Label the client pod to create an Azure workload identity
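Review bot: the rewritten explanation at the top of this hunk drops the point the old text made, that no `ClientIntents` have been applied yet, so readers now learn only why the client ID variable is missing and not that role assignments are still absent as well; consider keeping one sentence along the lines of "no Azure workload identity has been created for the client pod yet, and no `ClientIntents` have been applied, so no role assignments exist", so that both of the later steps (label the pod, then apply intents) are motivated here. The new sample output (`Azure client ID not set`) matches the branch implied by the `client.yaml` change in this commit, which is good; naming the variable in the prose (the workload identity webhook injects it as `AZURE_CLIENT_ID`) would let readers confirm it themselves with `kubectl exec ... env`.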
Expand All @@ -176,26 +172,24 @@ az identity list --query "[?starts_with(name,'ottr-uai-')]" --output table

In the output, you should see that a managed identity was created for the client workload, with the name starting with `ottr-uai-otterize-tutorial-azure-iam-client-...`:
```bash
Name Location TenantId PrincipalId ClientId ResourceGroup
--------------------------------------------------------------- ---------- ------------------------------------ ------------------------------------ ------------------------------------ ---------------
ottr-uai-otterize-tutorial-azure-iam-client-myAKSCluster-7d747a eastus f8b92b88-e477-41ad-a5af-079de8dc8210 1aa514ff-01cd-4856-8c76-e4d671aab79e d82c9ea7-9178-4e4a-bffa-23488c589d5e myResourceGroup
Name Location TenantId PrincipalId ClientId ResourceGroup
------------------------------------------------------------------------------------ ---------- ------------------------------------ ------------------------------------ ------------------------------------ ---------------------------------
ottr-uai-otterize-tutorial-azure-iam-client-otterizeAzureIAMTutorialAKSCluster-XXXXX eastus 00000000-0000-0000-0000-000000000000 00000000-0000-0000-0000-000000000000 00000000-0000-0000-0000-000000000000 otterizeAzureIAMTutorialResourceGroup
````
You could also inspect the federated identity credential created for the client workload:
```bash
export WORKLOAD_IDENTITY_NAME=$(az identity list --query "[?starts_with(name,'ottr-uai-otterize-tutorial-azure-iam-client-myAKSCluster')].name" -o tsv )
az identity federated-credential list --identity-name $WORKLOAD_IDENTITY_NAME --resource-group $RESOURCE_GROUP --output table
export WORKLOAD_IDENTITY_NAME=$(az identity list --query "[?starts_with(name,'ottr-uai-otterize-tutorial-azure-iam-client-$AKS_CLUSTER_NAME')].name" -o tsv )
az identity federated-credential list --identity-name $WORKLOAD_IDENTITY_NAME --resource-group $RESOURCE_GROUP --output table --query "[].{name:name, subject:subject}"
```

In the output, you should see that a federated identity credential was created for the client workload:
```bash
Issuer Name ResourceGroup Subject
---------------------------------------------------------------------------------------------------------------- --------------------------------------------------------------- --------------- --------------------------------------------------------
https://eastus.oic.prod-aks.azure.com/f8b92b88-e477-41ad-a5af-079de8dc8210/bd429a59-100e-4ed8-88d4-29643c922e05/ ottr-fic-otterize-tutorial-azure-iam-client-myAKSCluster-e54654 myResourceGroup system:serviceaccount:otterize-tutorial-azure-iam:client
Name Subject
------------------------------------------------------------------------------------ --------------------------------------------------------
ottr-fic-otterize-tutorial-azure-iam-client-otterizeAzureIAMTutorialAKSCluster-XXXXX system:serviceaccount:otterize-tutorial-azure-iam:client
```

[//]: # (TODO: rename to the IDs generated in the tutorial )
#### The Kubernetes ServiceAccount was annotated with the workload identity ID
The credentials operator automatically annotated the Kubernetes ServiceAccount for the client pod with the newly created workload identity

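Review bot: the closing fence after the `az identity list` sample output is four backticks while the opening fence is three, which MDX may render as a stray backtick or an unterminated block; change it to three while this block is being edited. Replacing the real tenant, principal and client IDs with `00000000-...` placeholders and deriving the identity name from `$AKS_CLUSTER_NAME` is the right call, but `export WORKLOAD_IDENTITY_NAME=$(... -o tsv)` will silently capture several names if more than one identity matches the prefix (for example a stale identity left over from an earlier run of the tutorial), and the following `az identity federated-credential list` then fails cryptically; adding `| head -n 1` or telling the reader to check that exactly one name comes back would avoid that. Dropping the `Issuer` column from the federated-credential table also loses the one value that ties the credential to this cluster's OIDC issuer; consider keeping it in the `--query` projection (`issuer:issuer`) and saying it should equal the cluster's `oidcIssuerProfile.issuerUrl` from `az aks show`.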
Expand All @@ -204,9 +198,15 @@ Let's look at the service account:
kubectl get serviceaccount -n otterize-tutorial-azure-iam client -o yaml
```

[//]: # (TODO: update me)
```yaml
TODO
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
# highlight-next-line
azure.workload.identity/client-id: 6fda2902-d98c-40f6-800d-29d5856e359a
name: client
namespace: otterize-tutorial-azure-iam
```
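Review bot: the `azure.workload.identity/client-id` annotation value in the new ServiceAccount sample is a real-looking GUID, while the previous hunk in this same commit replaced every tenant, principal and client ID with `00000000-0000-0000-0000-000000000000`; use the same placeholder here for consistency and so the docs do not publish an identifier from a real tenant. It would also help to state that this value should equal the `ClientId` column of the `az identity list` output shown earlier, since that equality is what the reader is meant to verify at this step.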
Expand All @@ -232,9 +232,20 @@ Let's look at the client logs again to see that no more errors are being reporte
kubectl logs -f -n otterize-tutorial-azure-iam deploy/client
```

[//]: # (# TODO: output)
```json
TODO
```text
Client - The time is: Sun Mar 10 18:53:24 UTC 2024
Logging in using federated identity credentials
CloudName HomeTenantId IsDefault Name State TenantId
----------- ------------------------------------ ----------- -------------------- ------- ------------------------------------
AzureCloud 00000000-0000-0000-0000-000000000000 True Azure subscription 1 Enabled 00000000-0000-0000-0000-000000000000
Listing storage blob container otterizeazureiamtutorialcontainer in storage account otterizeazureiamtutorial
Name Blob Type Blob Tier Length Content Type Last Modified Snapshot
------------ ----------- ----------- -------- -------------- ------------------------- ----------
testfile.txt BlockBlob Hot 25 text/plain 2024-03-10T18:07:21+00:00
```

### What's next?
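Review bot: the new sample output lists `testfile.txt` in the container, so either the tutorial's setup steps (not part of this diff) upload that blob, or the "no more errors" text should say that an empty listing is also a success; otherwise a reader who sees no rows will assume access is still denied. Changing the fence from `json` to `text` is correct, since the `az login` and `az storage blob list` table output is not JSON. One nit: the all-zero `HomeTenantId`/`TenantId` placeholders are consistent with the earlier hunk, but `Azure subscription 1` is just a default subscription name and will differ for most readers; a short "your subscription name will differ" note avoids confusion.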
2 changes: 1 addition & 1 deletion static/code-examples/azure-iam-aks/client.yaml
Expand Up @@ -48,6 +48,6 @@ spec:
echo 'Listing storage blob container' $AZURE_STORAGE_CONTAINER 'in storage account' $AZURE_STORAGE_ACCOUNT;
az storage blob list --container $AZURE_STORAGE_CONTAINER --account-name $AZURE_STORAGE_ACCOUNT --auth-mode login -o table;
echo;
sleep 5;
fi;
sleep 5;
done
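Review bot: moving `sleep 5;` from inside the `if` body to after `fi;` is the right fix, because the loop now pauses on every iteration, including the branch where the client ID is unset (the `Azure client ID not set` case the tutorial documents), which previously would have spun with no delay and flooded the pod logs. Since `az storage blob list` runs with `--auth-mode login`, a one-line comment in the manifest that this relies on an Azure RBAC data-plane role on the storage account rather than the account key would make it clear why the role assignments created from `ClientIntents` are what turns the error into a successful listing.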

0 comments on commit ebf6619