azwi serviceaccount create
Create a workload identity.
Synopsis
The “create” command executes the following phases in order:
aad-application Create Azure Active Directory (AAD) application and its underlying service principal
service-account Create Kubernetes service account in the current KUBECONFIG context and add azure-workload-identity labels and annotations to it
federated-identity Create federated identity credential between the AAD application and the Kubernetes service account
role-assignment Create role assignment between the AAD application and the Azure cloud resource
azwi serviceaccount create [flags]
Options
--aad-application-client-id string Client ID of the AAD application. If not specified, it will be fetched using the AAD application name
--aad-application-name string Name of the AAD application, If not specified, the namespace, the name of the service account and the hash of the issuer URL will be used
--aad-application-object-id string Object ID of the AAD application. If not specified, it will be fetched using the AAD application name
--auth-method string auth method to use. Supported values: cli, client_secret, client_certificate (default "cli")
--azure-env string the target Azure cloud (default "AzurePublicCloud")
--azure-role string Role of the AAD application (see all available roles at https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles)
--azure-scope string Scope at which the role assignment or definition applies to
--certificate-path string path to client certificate (used with --auth-method=client_certificate)
--client-id string client id (used with --auth-method=[client_secret|client_certificate])
--client-secret string client secret (used with --auth-method=client_secret)
-h, --help help for create
--private-key-path string path to private key (used with --auth-method=client_certificate)
--service-account-issuer-url string URL of the issuer
--service-account-name string Name of the service account
--service-account-namespace string Namespace of the service account (default "default")
--service-account-token-expiration duration Expiration time of the service account token. Must be between 1 hour and 24 hours (default 1h0m0s)
--service-principal-name string Name of the service principal that backs the AAD application. If this is not specified, the name of the AAD application will be used
--service-principal-object-id string Object ID of the service principal that backs the AAD application. If not specified, it will be fetched using the service principal name
--skip-phases strings List of phases to skip
-s, --subscription-id string azure subscription id (required)
Example
az login && az account set -s <SubscriptionID>
azwi serviceaccount create \
--service-account-name azwi-sa \
--service-account-issuer-url https://azwi.blob.core.windows.net/oidc-test/ \
--skip-phases role-assignment
Output
INFO[0000] No subscription provided, using selected subscription from Azure CLI: <SubscriptionID>
INFO[0003] skipping phase phase=role-assignment
INFO[0003] [aad-application] created an AAD application clientID=936ed007-52c2-4785-8c09-04eeca2e5970 name="default-azwi-sa-1g7d7NgSw9Q2EsSeafgx8uQKqR4q6zTrsPjDdrvN79Y=" objectID=19888f97-e0d3-4f61-8eb9-b87bf161e27d
INFO[0003] [aad-application] created service principal clientID=936ed007-52c2-4785-8c09-04eeca2e5970 name="default-azwi-sa-1g7d7NgSw9Q2EsSeafgx8uQKqR4q6zTrsPjDdrvN79Y=" objectID=4e3c51e5-ec74-40e2-8e28-2606803a048e
INFO[0003] [service-account] created Kubernetes service account name=azwi-sa namespace=default
INFO[0004] [federated-identity] added federated credential objectID=19888f97-e0d3-4f61-8eb9-b87bf161e27d subject="system:serviceaccount:default:azwi-sa"
Invoke a single phase of the create workflow
To invoke a single phase of the create workflow:
azwi sa create phase <phase name>