Azure IAM
Otterize can create just-in-time Azure IAM workload identities & role assignments for your workloads running on AKS Kubernetes clusters, greatly simplifying the lifecycle of managing Azure IAM identities and roles.
Tutorials
To learn how to use the Intents Operator and Credentials Operator to manage just-in-time Azure IAM access, check out the tutorial.
How does Otterize work with Azure IAM?
- First, the AKS cluster must have Otterize installed, as well as the Otterize Azure integration configured.
- To have a workload identity created for a pod, label the pod with
credentials-operator.otterize.com/create-azure-workload-identity: "true"
- The credentials operator will create an Azure workload identity and federated identity credential bound to the pod's ServiceAccount. The ServiceAccount will be annotated automatically.
- At this point, the pod is able to assume the identity, but it does not have the permissions to perform any actions. We will need to create a ClientIntents YAML for the access the service requires and apply it to our cluster. Below is an example of a ClientIntents file for accessing an Azure Storage Blobs bucket. View the reference to learn more about the Azure IAM ClientIntents syntax.
- Once the intent is applied, the intents operator will create a new role assignment, which will be attached to the workload identity with the appropriate access.
- Done!
apiVersion: k8s.otterize.com/v1alpha3
kind: ClientIntents
metadata:
name: client
namespace: otterize-tutorial-azure-iam
spec:
service:
name: client
calls:
- name: "/providers/Microsoft.Storage/storageAccounts/otterizetutorialazureiam/blobServices/default/containers/test"
type: azure
azureRoles:
- "Storage Blob Data Contributor"
- name: "/providers/Microsoft.KeyVault/vaults/otterizetutorialazureiamkeyvault"
type: azure
# Optional - Grant Azure Key Vault data plane access by using Key Vault access policy
azureKeyVaultPolicy:
certificatePermissions:
- "all"
keyPermissions:
- "all"
secretPermissions:
- "all"
storagePermissions:
- "get"
- "list"
Automatically generating ClientIntents for Azure IAM
Figuring out which access you need for Azure can be a painful, trial and error process, and something you must do if you're tightening production access.
Otterize is getting ready to release support for using existing traffic to generate least-privilege Azure IAM policies. Keen to try this out as part of early access? Sign up to the Early Access Beta Program and we'll be in touch!