How to connect securely from an AKS cluster to Azure PostgreSQL Single Server using a Service Principal, as Managed Identity is not supported?

1 Answer

From my point of view you have 2 options (maybe more, but let's focus on those 2):

  1. Use Azure AD Workload Identity together with a federated identity credential linked to your Service Principal. Basically you configure trust between your AKS (OIDC issuer), the Kubernetes Service Account for your Pod and the Azure Service Principal to access resources with an Azure AD token. Here you have to adapt the code running inside your container to leverage the workload identity with the issued Azure AD access token.

  2. Use the Azure Key Vault Provider for Secrets Store CSI Driver. You will configure the Kubelet Identity of your AKS to read the secrets from the Key Vault and mount the Service Principal Client ID & Client Secret (saved as Key Vault secrets) during Pod startup as a volume into your pod. Here you have to adapt the code running inside your container to read the information (Client ID & Secret) from the filesystem inside the pod. P.S.: You can also use Workload Identity, a System Assigned Identity or a Service Principal instead of the managed identity to access the Key Vault.

Philip Welz
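The second option above, written out as an added example (not part of the answer): a SecretProviderClass that lets the Secrets Store CSI Driver fetch the Service Principal's Client ID and Client Secret from Key Vault using the AKS kubelet identity, and a Pod that mounts them read-only. The Key Vault name, tenant ID, kubelet identity client ID, secret names, image and namespace are placeholders you replace with your own; the application then reads the two files under `/mnt/sp/`.

```yaml
# Added example, not from the original answer. Placeholder values are in <...>.
# SecretProviderClass: which Key Vault secrets to pull and which identity to use.
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: pg-sp-credentials
  namespace: <app-namespace>
spec:
  provider: azure
  parameters:
    usePodIdentity: "false"
    useVMManagedIdentity: "true"                 # authenticate to Key Vault with the kubelet identity
    userAssignedIdentityID: "<kubelet-identity-client-id>"
    keyvaultName: "<keyvault-name>"
    tenantId: "<tenant-id>"
    objects: |
      array:
        - |
          objectName: pg-sp-client-id            # Key Vault secret holding the SP client ID
          objectType: secret
        - |
          objectName: pg-sp-client-secret        # Key Vault secret holding the SP client secret
          objectType: secret
---
# Pod: the driver writes each object to /mnt/sp/<objectName> at startup.
# Nothing is copied into a Kubernetes Secret; the files live only in the pod's volume.
apiVersion: v1
kind: Pod
metadata:
  name: pg-client
  namespace: <app-namespace>
spec:
  containers:
    - name: app
      image: <your-app-image>
      volumeMounts:
        - name: sp-creds
          mountPath: /mnt/sp
          readOnly: true
  volumes:
    - name: sp-creds
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: pg-sp-credentials
```

The kubelet identity needs permission to read secrets in that Key Vault (an access policy with `get` on secrets, or the equivalent Key Vault RBAC role) before the pod will start; a missing grant shows up as a volume mount failure in the pod events rather than inside the application.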