Concepts

Flow Diagram

Service Account

“A service account provides an identity for processes that run in a Pod.” - source

Azure AD Workload Identity supports the following mappings:

  • one-to-one (a service account referencing a single AAD object).
  • many-to-one (multiple service accounts referencing the same AAD object).
  • one-to-many (a service account referencing multiple AAD objects, one at a time, by changing the client ID annotation; the annotation holds a single client ID).

Note: if the service account annotations are updated, you need to restart the pod for the changes to take effect. The mutating webhook reads the annotations only when the pod is created, which is when it injects the environment variables and the projected service account token volume.

Users coming from aad-pod-identity can think of a service account as the equivalent of an AzureIdentity, except that a service account is part of the core Kubernetes API rather than a CRD. This doc lists the available labels and annotations and describes how to configure them.

Workload Identity Federation

Using workload identity federation allows you to access Azure Active Directory (Azure AD) protected resources without needing to manage secrets: Azure AD trusts the cluster's OIDC issuer and exchanges a projected service account token for an Azure AD token, so no client secret or certificate is ever stored in the cluster. This doc describes in detail how workload identity federation works and the steps to create, delete, get or update federated identity credentials.
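The following is an added example, not code from the azure-workload-identity project or its docs. It ties the two sections above together: it renders the ServiceAccount manifests for a many-to-one mapping (two service accounts sharing one client ID), the pod label that opts a workload into the webhook, and the `az identity federated-credential create` command that binds each service account's token subject to the managed identity. The resource group, identity name, issuer URL, client/tenant IDs and namespace are placeholders; the cluster's real issuer URL comes from `az aks show --query "oidcIssuerProfile.issuerUrl"` on AKS. The point it makes that the prose does not: a federated identity credential matches the token's `sub` claim exactly, so every service account that shares the client ID still needs its own federated credential.

```shell
#!/usr/bin/env bash
# Added example (not from the azure-workload-identity project): render the
# Kubernetes objects and az CLI commands for a many-to-one mapping.
# All names and IDs below are placeholders.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-workload-identity}"
IDENTITY_NAME="${IDENTITY_NAME:-mi-shared-app}"
# Placeholder issuer; on AKS read the real one with:
#   az aks show -n CLUSTER -g RG --query "oidcIssuerProfile.issuerUrl" -o tsv
OIDC_ISSUER="${OIDC_ISSUER:-https://oidc.example.invalid/cluster-id/}"
CLIENT_ID="${CLIENT_ID:-11111111-1111-1111-1111-111111111111}"
TENANT_ID="${TENANT_ID:-22222222-2222-2222-2222-222222222222}"

# Subject claim of a Kubernetes service account token. Azure AD compares the
# federated credential's subject against this exact string, so two service
# accounts that share a client ID still need two federated credentials.
wi_subject() {
  printf 'system:serviceaccount:%s:%s\n' "$1" "$2"
}

# ServiceAccount with the workload identity annotations (args: ns name client tenant).
render_service_account() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    azure.workload.identity/client-id: "$3"
    azure.workload.identity/tenant-id: "$4"
EOF
}

# Pod that uses the service account. The `azure.workload.identity/use` label
# (on the pod since v1.0; on the service account in earlier releases) is what
# makes the mutating webhook inject the token volume and AZURE_* env vars.
render_pod() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $2
  namespace: $1
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: $2
  containers:
    - name: app
      image: registry.example.invalid/app:latest
EOF
}

# az CLI command that creates the federated identity credential for one
# service account (args: ns name). Audience is the default token exchange audience.
render_federated_credential_cmd() {
  printf 'az identity federated-credential create --name %s-%s --identity-name %s --resource-group %s --issuer "%s" --subject "%s" --audiences api://AzureADTokenExchange\n' \
    "$1" "$2" "$IDENTITY_NAME" "$RESOURCE_GROUP" "$OIDC_ISSUER" "$(wi_subject "$1" "$2")"
}

# Demo: two service accounts in one namespace referencing the same identity.
for sa in api worker; do
  render_service_account prod "$sa" "$CLIENT_ID" "$TENANT_ID"
  echo "---"
  render_pod prod "$sa"
  echo "---"
  render_federated_credential_cmd prod "$sa"
  echo
done
```

Pipe the manifests to `kubectl apply -f -` and run the printed `az` commands after creating the managed identity; if one of the federated credentials is omitted, that service account's token exchange fails with an AADSTS error even though its annotations are identical to the working one.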