Managed Clusters

For managed clusters, the service account signing keys will be set up and managed by the cloud provider.

Before deploying Azure AD Workload Identity, you will need to enable any OIDC-specific feature flags and obtain the OIDC issuer URL when setting up the federated identity credentials.

Azure Kubernetes Service (AKS)

To create a new AKS cluster with OIDC Issuer URL enabled or update an existing cluster, follow the instructions in the Azure Kubernetes Service (AKS) documentation.

To get your cluster’s OIDC issuer URL run:

# Output the OIDC issuer URL
az aks show --resource-group <resource_group> --name <cluster_name> --query "oidcIssuerProfile.issuerUrl" -otsv

Amazon Elastic Kubernetes Service (EKS)

EKS cluster has an OIDC issuer URL associated with it by default. To get your cluster’s OIDC issuer URL run:

# Output the OIDC issuer URL
aws eks describe-cluster --name <cluster_name> --query "cluster.identity.oidc.issuer" --output text

Refer to the Amazon EKS documentation for more information on the OIDC issuer URL for the EKS cluster.

Google Kubernetes Engine (GKE)

GKE cluster has an OIDC issuer URL associated with it by default. Follow the steps to get the OIDC issuer URL.

Steps to get the OIDC issuer URL from a generic managed cluster

In this section, we will cover how to get the OIDC issuer URL from a generic managed cluster using a jump pod.

1. Create a service account for the jump pod

Run the following commands to set up a service account for the jump pod:

export NAMESPACE="default"
export SERVICE_ACCOUNT_NAME="jump-pod-sa"

kubectl create serviceaccount ${SERVICE_ACCOUNT_NAME} -n ${NAMESPACE}
Output
serviceaccount/jump-pod-sa created

2. Deploy a jump pod referencing the service account

Deploy a jump pod with projected service account token to your cluster. The jump pod uses the step-cli docker image that is used for inspecting the service account token to retrieve the OIDC issuer URL.

cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: Pod
metadata:
  name: jump
  namespace: ${NAMESPACE}
spec:
  containers:
  - image: smallstep/step-cli
    name: step-cli
    command:
    - /bin/sh
    - -c
    - cat /var/run/secrets/tokens/test-token | step crypto jwt inspect --insecure
    volumeMounts:
    - mountPath: /var/run/secrets/tokens
      name: test-token
  serviceAccountName: ${SERVICE_ACCOUNT_NAME}
  volumes:
  - name: test-token
    projected:
      sources:
      - serviceAccountToken:
          path: test-token
          expirationSeconds: 3600
          audience: test
EOF
Output
pod/jump created

3. Get the OIDC issuer URL from the jump pod

The jump pod logs will contain the decoded JWT. Run the following command to get the logs and extract the OIDC issuer URL:

kubectl logs jump -n ${NAMESPACE}
Output
{
  "header": {
    "alg": "RS256",
    "kid": "[REDACTED]"
  },
  "payload": {
    "aud": [
      "test"
    ],
    "exp": 1634671190,
    "iat": 1634667590,
    "iss": "https://container.googleapis.com/v1/projects/[REDACTED]/locations/us-central1-c/clusters/[REDACTED]",
    "kubernetes.io": {
      "namespace": "default",
      "pod": {
        "name": "jump",
        "uid": "c4e09c90-3007-4255-ab74-f5f97d944db2"
      },
      "serviceaccount": {
        "name": "jump-pod-sa",
        "uid": "6af8dfb1-8a28-48f8-a7fe-e2abd99cd35e"
      }
    },
    "nbf": 1634667590,
    "sub": "system:serviceaccount:default:jump-pod-sa"
  },
  "signature": "[REDACTED]"
}

The OIDC issuer URL is the value of the iss claim in the JWT.

To just get the issuer from the JWT, run the following command:

kubectl logs jump -n ${NAMESPACE} | jq -r '.payload.iss'
Output
https://container.googleapis.com/v1/projects/[REDACTED]/locations/us-central1-c/clusters/[REDACTED]

4. Cleanup

kubectl delete pod jump -n ${NAMESPACE}
kubectl delete serviceaccount ${SERVICE_ACCOUNT_NAME} -n ${NAMESPACE}