Skip to main content
Version: 3.1

Deploy Portworx using Azure managed identity on new AKS cluster

Perform the following steps to enable Azure managed identity on new AKS cluster:

  1. Log in to Azure and set the subscription:

    az login
    az account set –subscription <Your-Azure-Subscription-UUID>

  2. Check locations to create AKS cluster:

    az account list-locations

  3. Create an Azure Resource Group:

    az group create –name <resource-group-name> –location <location>

  4. Create an AKS cluster with managed identities:

    az aks create -g <resource-group-name> -n <cluster-name> --enable-managed-identity

  5. Identify object and client IDs:

    az aks show -g <resource-group-name> -n <cluster-name> --query identityProfile

    For example:

    az aks show -g cass-rg -n msi-test --query identityProfile
    {
      "kubeletidentity": {
        "clientId": "68XXXXXX-f3a5-459d-9b57-XXXXXXXXXX70",
        "objectId": "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35",
        "resourceId": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.ManagedIdentity/userAssignedIdentities/msi-test-agentpool"
      }
    }

  6. Assign contributor role to managed identity:

    az role assignment create --assignee <objectId> --role "Contributor" --scope <resourceId>
    note

    The objectId is from the step #5, as well as the resourceId, though string needs to be cut after resource groups name /subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus, right before the providers

    For example:

    az role assignment create --assignee "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35" --role "Contributor" --scope "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourcegroups/MC_cass-rg_msi-test_eastus"
    {
      "canDelegate": null,
      "condition": null,
      "conditionVersion": null,
      "description": null,
      "id": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourceGroups/MC_cass-rg_msi-test_eastus/providers/Microsoft.Authorization/roleAssignments/d0XXXXXX-4e9f-452c-8e43-1a661eXXXXXX",
      "name": "d0XXXXXX-4e9f-452c-8e43-1a661eXXXXXX",
      "principalId": "c0XXXXXX-ba91-4c13-9456-XXXXXXXXXX35",
      "principalType": "ServicePrincipal",
      "resourceGroup": "MC_cass-rg_msi-test_eastus",
      "roleDefinitionId": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/providers/Microsoft.Authorization/roleDefinitions/b2XXXXXX-6180-42a0-ab88-20f738XXXXXX",
      "scope": "/subscriptions/72XXXXXX-a431-4b8e-80ef-685510XXXXXX/resourceGroups/MC_cass-rg_msi-test_eastus",
      "type": "Microsoft.Authorization/roleAssignments"
    }

  7. Create a Kubernetes secret based on clientId that you retrieved in step 5:

    kubectl create secret generic -n <px-namespace> px-azure --from-literal=AZURE_CLIENT_ID="<clientId>

    For example:

    kubectl create secret generic -n portworx px-azure --from-literal=AZURE_CLIENT_ID="68XXXXXX-f3a5-459d-9b57-XXXXXXXXXX70”

  8. Follow the steps to generate the Operator and StorageCluster spec in Install Portworx on AKS using the Operator. Save the spec for the next step.

  9. Modify the StorageCluster spec that is automatically generated. In the env section, remove the AZURE_CLIENT_SECRET and AZURE_TENANT_ID sections or selecting Managed Identity option in the wizard. The finished section should match the following:

    env:
    name: AZURE_CLIENT_ID
      valueFrom:
        secretKeyRef:
          name: px-azure
          key: AZURE_CLIENT_ID