Using a user-managed identity for AKS clusters

When you are creating a Cloudera environment, you can specify a user-managed identity to be used for management of Azure resources.

You have the following options for using a user-managed identity:
  • Configure encryption on the environment and specify a managed identity
  • Configure a specific user-managed identity for AKS clusters

Encryption Managed Identity

It is possible to configure a managed identity when setting up the encryption for the Cloudera environment. This managed identity is primarily used for the encryption of the Azure Database for PostgreSQL Flexible Server, but can also serve as the AKS managed identity.

For more information about the Azure Database for PostgreSQL Flexible Server, see the Encrypting VM disks with customer managed keys documentation.

If a managed identity for encryption is enabled, that managed identity is also used for AKS unless you provide a separate user-managed identity for AKS. The managed identity needs to have the following permissions in addition to what is required for the PostgreSQL Flexible Server:
  • Contributor on the resource group the AKS cluster is being created in
  • Contributor on the resource group containing the network to be used
  • Managed Identity Operator on the resource group containing additional managed identities (logger identity and so on)
You can use the identity create command in Azure CLI to create the managed identity and the role assignment create command to assign roles as shown in the following example:
$ az identity create -n aks-identity-example -g test-resource-group -l westus2
{
  "clientId": "25104331-3cdc-4a5e-9e8b-8afc066c9beb",
  "id": "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourcegroups/test-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-identity-example",
  "location": "westus2",
  "name": "test-aks-identity-example",
  "principalId": "25104331-3cdc-4a5e-9e8b-8afc066c9beb",
  "resourceGroup": "<resource-group-name>",
  "systemData": null,
  "tags": {},
  "tenantId": "49d9544f-09a2-4360-bfa7-7e08ad057157",
  "type": "Microsoft.ManagedIdentity/userAssignedIdentities"
}
$ az role assignment create --assignee 25104331-3cdc-4a5e-9e8b-8afc066c9beb --role "Contributor" --scope "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourceGroups/aks-resource-group"
{
  "condition": null,
  "conditionVersion": null,
  "createdBy": null,
  "createdOn": "2023-11-27T14:00:50.679610+00:00",
  "delegatedManagedIdentityResourceId": null,
  "description": null,
  "id": "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourceGroups/test-resource-group/providers/Microsoft.Authorization/roleAssignments/aaa3bec0-bf57-4e09-8b85-8b1652f3647a",
  "name": "aaa3bec0-bf57-4e09-8b85-8b1652f3647a",
  "principalId": "25104331-3cdc-4a5e-9e8b-8afc066c9beb",
  "principalType": "ServicePrincipal",
  "resourceGroup": "test-resource-group",
  "roleDefinitionId": "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/providers/Microsoft.Authorization/roleDefinitions/098c7804-2b99-49bd-9dbd-eb188e4213c6",
  "scope": "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourceGroups/aks-resource-group",
  "type": "Microsoft.Authorization/roleAssignments",
  "updatedBy": "bea2645f-78eb-4cc6-a269-f6108a74d48d",
  "updatedOn": "2023-11-27T14:00:51.037481+00:00"
}
$ az role assignment create --assignee 25104331-3cdc-4a5e-9e8b-8afc066c9beb --role "Contributor" --scope "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourceGroups/network-resource-group"
{
  ...
}
$ az role assignment create --assignee 25104331-3cdc-4a5e-9e8b-8afc066c9beb --role "Managed Identity Operator" --scope "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourceGroups/managed-identity-resource-group"
{
  ...
}
$ az role assignment create --assignee 25104331-3cdc-4a5e-9e8b-8afc066c9beb --role "Key Vault Crypto Officer" --scope "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourceGroups/managed-identity-resource-group/providers/Microsoft.KeyVault/vaults/key-vault"
{
  ...
}

AKS Specific Managed Identity

You can provide a specific managed identity that is only used for the AKS clusters.

The managed identity needs to have the following permissions:
  • Contributor on the resource group the AKS cluster is being created in
  • Contributor on the resource group containing the network to be used
  • Managed Identity Operator on the resource group containing additional managed identities (logger identity and so on)
You can use the identity create command in Azure CLI to create the managed identity and the role assignment create command to assign roles, exactly as shown in the example in the Encryption Managed Identity section above.
If you have the managed identity for encryption enabled and a separate managed identity for AKS configured, the AKS managed identity must have the following permissions in addition to the ones already configured:
  • If Key Vault is set up with RBAC permissions:
    • Key Vault Crypto Officer on the Key Vault containing the CMK
  • If Key Vault is set up with access policies:
    • Key Management Operations - ALL
    • Cryptographic Operations - ALL
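The role lists above (for both the encryption identity and the AKS-specific identity) can be checked against what the identity actually holds before the environment is created. The following audit is an added example, not part of Cloudera's documentation or tooling: it reads the JSON that `az role assignment list --assignee <principalId> --all -o json` produces, reports required (role, scope) pairs that are not satisfied, and flags assignments broader than the page asks for. The subscription id, resource-group names and vault name are the hypothetical ones from the CLI example on this page.

```python
import json

# Required (role, scope) pairs for the AKS identity; the subscription id and
# resource-group names are the hypothetical ones used in this page's CLI example.
SUB = "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55"
RG = f"{SUB}/resourceGroups"
REQUIRED = [
    ("Contributor", f"{RG}/aks-resource-group"),
    ("Contributor", f"{RG}/network-resource-group"),
    ("Managed Identity Operator", f"{RG}/managed-identity-resource-group"),
]
# Only when encryption also uses a managed identity and the Key Vault is in
# RBAC mode; access-policy mode is not visible as a role assignment.
REQUIRED_WITH_CMK = [
    ("Key Vault Crypto Officer",
     f"{RG}/managed-identity-resource-group/providers/Microsoft.KeyVault/vaults/key-vault"),
]

def _norm(scope):
    # Azure resource IDs are case-insensitive; the page's own output mixes
    # 'resourcegroups' and 'resourceGroups', so compare lower-cased.
    return scope.lower().rstrip("/")

def covers(assigned_scope, wanted_scope):
    """True if a role granted at assigned_scope is inherited by wanted_scope."""
    a, w = _norm(assigned_scope), _norm(wanted_scope)
    return w == a or w.startswith(a + "/")

def audit(assignments, cmk_enabled=False):
    """Return required pairs that are not satisfied and assignments that are
    not an exact required pair (e.g. Contributor at subscription scope, which
    satisfies the check by inheritance but is broader than the page asks for)."""
    required = REQUIRED + (REQUIRED_WITH_CMK if cmk_enabled else [])
    missing = [(r, s) for r, s in required
               if not any(a["roleDefinitionName"] == r and covers(a["scope"], s)
                          for a in assignments)]
    extra = [(a["roleDefinitionName"], a["scope"]) for a in assignments
             if not any(a["roleDefinitionName"] == r and _norm(a["scope"]) == _norm(s)
                        for r, s in required)]
    return {"missing": missing, "extra": extra}

# Constructed sample in the shape of `az role assignment list -o json` output
# (only the two fields the audit reads are included).
SAMPLE = json.loads("""[
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourcegroups/aks-resource-group"},
  {"roleDefinitionName": "Contributor",
   "scope": "/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55"}
]""")
```

Calling `audit(SAMPLE, cmk_enabled=True)` on the sample reports Managed Identity Operator and Key Vault Crypto Officer as missing and the subscription-wide Contributor as extra; the lower-cased `resourcegroups` in the first scope still matches.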
You can create an environment with a managed identity by using the following command:
$ cdp environments create-azure-environment --environment-name "cert-env-example" --credential-name "cert-example" --data-services "azure={sharedManagedIdentity=/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourcegroups/test-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-identity-example}"
You can also update an existing environment to add an AKS identity with the following command:
$ cdp environments update-data-service-resources --environment "cert-env-example" --data-services "azure={sharedManagedIdentity=/subscriptions/43ba24ce-df3c-4308-901d-a7006e345e55/resourcegroups/test-resource-group/providers/Microsoft.ManagedIdentity/userAssignedIdentities/aks-identity-example}"