This chapter covers Azure Kubernetes Service (AKS) Role-Based Access Control (RBAC) and Workload Identity, two critical mechanisms for securing access within AKS clusters and to Azure resources. For the AZ-104 exam, approximately 10-15% of questions in the Compute domain touch on AKS security, with RBAC and Workload Identity being key subtopics. You will learn how to implement Kubernetes RBAC using Azure AD integration, how to configure Workload Identity for pods to access Azure services securely, and how these technologies interact with Azure Policy and managed identities. Mastering these concepts is essential for answering scenario-based questions about least-privilege access and secure resource access in AKS.
Jump to a section
Imagine a large hotel with multiple floors, rooms, and restricted areas like the gym, pool, and executive lounge. The hotel has a master key system. The general manager (Azure AD) issues key cards to guests (pods) and staff (services). Each key card has a set of permissions encoded on it: which floors the guest can access, which rooms they can enter, and which amenities they can use. The key card itself is a token. When a guest wants to enter a room, they present their key card to the door reader. The reader checks the card's permissions against the door's access control list (ACL). If the card has the right permission (e.g., 'read' access to room 305), the door unlocks. This is Kubernetes RBAC: a user or service account (the key card) is bound to a role (the set of permissions) via a RoleBinding or ClusterRoleBinding (the act of encoding the card). Now, for the guest to access a restricted area like the executive lounge, they might need to prove they are a VIP. Instead of a separate key card, the hotel can use a biometric scan that links to their identity. This is like Workload Identity: a pod (guest) uses a federated identity token (biometric) to authenticate to Azure AD and obtain an access token for Azure resources (the lounge). The biometric system verifies the guest's identity via Azure AD, then issues a temporary token that the guest uses to enter. The key difference: the key card (RBAC) controls access within the hotel (cluster), while the biometric system (Workload Identity) controls access to external services (Azure resources). Both use a token-based system, but the authentication source differs: internal for RBAC, external for Workload Identity.
What is AKS RBAC and Why It Exists
AKS RBAC is the combination of Kubernetes RBAC and Azure AD integration to control access to the AKS cluster itself and the resources within it. Kubernetes RBAC is a built-in authorization mechanism that governs who can do what within the cluster (e.g., create pods, read secrets, delete deployments). Azure AD integration allows you to use Azure AD as the identity provider for authentication, meaning users and groups from your Azure AD tenant can authenticate to the cluster using their existing credentials. This eliminates the need for separate Kubernetes user accounts and enables centralized identity management.
The purpose of AKS RBAC is to enforce the principle of least privilege: each user, group, or service account should have only the permissions necessary to perform their job. Without RBAC, any authenticated user could potentially perform any action, leading to security risks. The AZ-104 exam expects you to understand how to configure RBAC for AKS clusters, including enabling Azure AD integration, creating role bindings, and using ClusterRoles and Roles.
How AKS RBAC Works Internally
Authentication and authorization in AKS with Azure AD integration involves a two-step process:
Authentication: The user authenticates to Azure AD using their credentials (e.g., via az aks get-credentials). Azure AD returns an OAuth 2.0 access token or an ID token. The user then uses this token to authenticate to the AKS cluster's API server. The API server validates the token with Azure AD. Once validated, the API server extracts the user's identity (username, group memberships) from the token claims.
Authorization: The API server then evaluates Kubernetes RBAC rules. It checks whether the authenticated user (or the groups they belong to) has a RoleBinding or ClusterRoleBinding that grants the requested action (e.g., create pods) on the requested resource (e.g., the 'default' namespace). If a matching binding exists, the action is allowed; otherwise, it is denied.
Key components: - Role: A namespaced resource that defines a set of permissions (e.g., get, list, watch, create, delete) on resources (e.g., pods, services, secrets). - ClusterRole: A cluster-scoped resource that defines permissions across all namespaces or on cluster-scoped resources (e.g., nodes, persistent volumes). - RoleBinding: Grants the permissions defined in a Role to a user, group, or service account within a specific namespace. - ClusterRoleBinding: Grants the permissions defined in a ClusterRole to a user, group, or service account across the entire cluster.
For Azure AD integration, you must enable the --enable-aad flag when creating the AKS cluster (or update an existing cluster). You also need to specify the --aad-admin-group-object-ids parameter to grant cluster admin permissions to specific Azure AD groups. Without this, no users have any permissions initially.
Workload Identity: What It Is and Why It Exists
Workload Identity is a feature that allows pods in AKS to authenticate to Azure AD and access Azure resources (e.g., Azure Storage, Azure SQL Database, Key Vault) without managing secrets. It is the recommended approach for pod identity in AKS, replacing the older AAD Pod Identity (now deprecated). Workload Identity uses Azure AD's federated identity credential feature: you create a user-assigned managed identity in Azure AD and configure a federated identity credential that trusts tokens issued by the cluster's OIDC issuer. Pods can then request an access token from Azure AD using their projected service account token (a Kubernetes-bound token).
This solves the problem of securely providing credentials to pods. Traditionally, you would store connection strings or keys in Kubernetes secrets, which are vulnerable to exposure. With Workload Identity, no secrets are stored; the pod uses its service account identity to obtain tokens dynamically.
How Workload Identity Works Internally
Setup: You create a user-assigned managed identity in Azure (or use an existing one). You configure a federated identity credential on that managed identity, specifying:
- The OIDC issuer URL of the AKS cluster (e.g., https://eastus.oic.prod-aks.azure.com/...)
- The subject identifier: a string that matches the Kubernetes service account's iss and sub claims. Typically, this is system:serviceaccount:<namespace>:<serviceaccount-name>.
- The audience: usually api://AzureADTokenExchange or a custom value.
Pod Deployment: You create a Kubernetes service account (e.g., my-sa) in the desired namespace. You annotate the service account with azure.workload.identity/client-id set to the client ID of the managed identity. You also set azure.workload.identity/use: "true" to indicate this service account is used for workload identity.
Token Projection: When a pod is created with this service account, the cluster's OIDC issuer issues a Kubernetes-bound token (a JWT) that is projected into the pod as a volume mount (at /var/run/secrets/azure/workload-identity/token). This token includes the service account's iss and sub claims.
Authentication: The pod's application code (or the Azure Identity SDK) uses this token to request an access token from Azure AD. It presents the projected token to Azure AD's token endpoint (https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token). Azure AD validates the token against the federated identity credential: it checks that the token's iss matches the OIDC issuer URL and the sub matches the subject. If valid, Azure AD returns an access token for the managed identity.
Resource Access: The pod uses the access token to call Azure Resource Manager or other Azure services (e.g., https://storage.azure.com). The access token is short-lived (typically 1 hour) and must be refreshed before expiry.
Key Values and Defaults
AKS OIDC issuer URL: can be retrieved via az aks show -n <cluster> -g <rg> --query oidcIssuerProfile.issuerUrl
Token expiry: Kubernetes-bound tokens have a default TTL of 1 hour, configurable via --service-account-token-expiration on the cluster.
Federated identity credential subject format: system:serviceaccount:<namespace>:<service-account-name>
Audience: api://AzureADTokenExchange is the default.
Managed identity client ID: found in Azure portal or via Azure CLI.
Configuration and Verification Commands
Enable Azure AD integration on an existing cluster:
az aks update -n <cluster> -g <rg> --enable-aad --aad-admin-group-object-ids <group-id>Create a Role and RoleBinding:
# role-pod-reader.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: default
name: pod-reader
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch"]kubectl apply -f role-pod-reader.yaml# rolebinding-pod-reader.yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: read-pods
namespace: default
subjects:
- kind: User
name: "user@contoso.com"
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: Role
name: pod-reader
apiGroup: rbac.authorization.k8s.iokubectl apply -f rolebinding-pod-reader.yamlEnable Workload Identity on a cluster:
az aks update -n <cluster> -g <rg> --enable-oidc-issuer --enable-workload-identityCreate a service account for Workload Identity:
# sa-workload.yaml
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
azure.workload.identity/client-id: "<managed-identity-client-id>"
azure.workload.identity/use: "true"
name: my-sa
namespace: defaultkubectl apply -f sa-workload.yamlVerify Workload Identity token projection:
kubectl exec -it <pod-name> -- cat /var/run/secrets/azure/workload-identity/tokenHow It Interacts with Related Technologies
Azure Policy: You can use Azure Policy to enforce RBAC configurations (e.g., ensure all namespaces have a RoleBinding for a specific group). Azure Policy for AKS uses Gatekeeper (OPA) to audit and enforce policies.
Managed Identities: Workload Identity uses user-assigned managed identities. System-assigned managed identities are not supported for Workload Identity because they are tied to the resource lifecycle and cannot be shared across pods.
Azure AD Conditional Access: If a user authenticates via Azure AD, Conditional Access policies (e.g., MFA requirements) apply before they can access the cluster. This adds an extra layer of security.
Kubernetes Service Accounts: Workload Identity requires a Kubernetes service account. The service account is annotated to link it to the Azure AD managed identity. The service account itself has no permissions within the cluster unless bound via RBAC.
Trap Patterns on the Exam
Confusing Role and ClusterRole: A Role is namespaced; a ClusterRole is cluster-wide. If you need to grant access to a resource that exists only in a specific namespace, use a Role. If you need to grant access to cluster-scoped resources (nodes, PVs) or to resources across all namespaces, use a ClusterRole.
Confusing RoleBinding and ClusterRoleBinding: A RoleBinding binds a Role to subjects within a specific namespace. A ClusterRoleBinding binds a ClusterRole to subjects cluster-wide. You can also use a RoleBinding to bind a ClusterRole to subjects within a namespace (this is common for reusing cluster-wide roles in a namespace).
Workload Identity vs. AAD Pod Identity: Workload Identity is the replacement for AAD Pod Identity. The exam may ask which is the recommended approach. Workload Identity is simpler and more secure because it does not require a mutating admission webhook or custom resource definitions (CRDs).
Service Account Permissions: A Kubernetes service account used for Workload Identity does not automatically have permissions to access Azure resources. You must grant the managed identity the necessary Azure RBAC roles (e.g., Contributor on a storage account). The service account only authenticates; authorization is done via Azure RBAC.
Federated Identity Credential Subject: The subject must exactly match the service account's iss and sub claims. If you change the namespace or service account name, you must update the federated credential. A common mistake is using the wrong subject format (e.g., forgetting the system:serviceaccount: prefix).
Enable Azure AD Integration on AKS
When you create or update an AKS cluster with Azure AD integration, the API server is configured to accept tokens from Azure AD. You specify one or more Azure AD groups as cluster admins via `--aad-admin-group-object-ids`. These groups get the `cluster-admin` ClusterRole in Kubernetes, granting full access. For non-admin users, you must create RoleBindings or ClusterRoleBindings. The Azure AD tenant used must be the same as the one associated with your Azure subscription. Authentication flow: user runs `az aks get-credentials` which obtains an Azure AD token and merges it into kubeconfig. The token is used for subsequent kubectl commands. The API server validates the token by calling Azure AD's token validation endpoint.
Create Custom Roles and Bindings for Users
Define a Role (namespaced) or ClusterRole (cluster-wide) with specific verbs and resources. For example, a Role that allows reading pods: `rules: - apiGroups: [""] resources: ["pods"] verbs: ["get", "list"]`. Then bind it to an Azure AD user or group via RoleBinding or ClusterRoleBinding. The subject's `name` field must be the user's Azure AD UPN (e.g., `user@contoso.com`) for users, or the group's object ID for groups. When a group is used, all members of that Azure AD group inherit the permissions. This is a common pattern: assign permissions to groups rather than individual users for easier management. The exam tests that you know how to specify the subject correctly: use `kind: User` for individual users, `kind: Group` for Azure AD groups.
Enable OIDC Issuer and Workload Identity on Cluster
Workload Identity requires the cluster to have an OIDC issuer URL. Run `az aks update --enable-oidc-issuer --enable-workload-identity`. This creates an OIDC issuer endpoint for the cluster and installs the workload identity mutating admission webhook. The webhook automatically adds the projected token volume and environment variables to pods that use a service account annotated with `azure.workload.identity/use: true`. The OIDC issuer URL is unique per cluster and is used by Azure AD to validate tokens. You can retrieve it with `az aks show -n <cluster> -g <rg> --query oidcIssuerProfile.issuerUrl`. This URL must be registered in the federated identity credential.
Create User-Assigned Managed Identity and Federated Credential
Create a user-assigned managed identity in Azure (e.g., `az identity create -n myid -g myrg`). Then configure a federated identity credential on that identity. Use Azure CLI: `az identity federated-credential create --name myfedcred --identity-name myid --resource-group myrg --issuer <oidc-issuer-url> --subject system:serviceaccount:default:my-sa --audiences api://AzureADTokenExchange`. The `--subject` must match the service account's namespace and name exactly. The `--audiences` must match what the pod will request (default is `api://AzureADTokenExchange`). This federated credential tells Azure AD that tokens from this cluster's OIDC issuer with this subject are valid for the managed identity.
Deploy Pod with Workload Identity Service Account
Create a Kubernetes service account with annotations: `azure.workload.identity/client-id: <managed-identity-client-id>` and `azure.workload.identity/use: "true"`. Then create a pod that uses this service account. The mutating webhook will inject the following into the pod: a volume mount at `/var/run/secrets/azure/workload-identity/token` containing the projected token, and environment variables `AZURE_CLIENT_ID`, `AZURE_TENANT_ID`, and `AZURE_FEDERATED_TOKEN_FILE`. The application can use the Azure Identity SDK (e.g., `DefaultAzureCredential`) to automatically use this token to obtain an access token from Azure AD. The projected token has a lifetime of 1 hour by default. The pod must refresh the token before expiry by re-authenticating. The SDK handles this automatically.
Grant Azure RBAC Permissions to Managed Identity
The managed identity must have permissions on the target Azure resource (e.g., storage account, Key Vault). Assign an Azure RBAC role to the managed identity using Azure CLI or portal. For example, to allow reading blobs: `az role assignment create --assignee <managed-identity-client-id> --role "Storage Blob Data Reader" --scope /subscriptions/.../resourceGroups/.../providers/Microsoft.Storage/storageAccounts/...`. Without this, the pod will authenticate successfully but be denied access to the resource. The exam may test that you understand the separation: Workload Identity handles authentication (proving who you are), while Azure RBAC handles authorization (what you can do).
Verify Access and Monitor Token Expiry
After deployment, test access by exec-ing into the pod and using the Azure CLI or SDK to call the target resource. For example, `kubectl exec -it <pod> -- az storage blob list --account-name <account> --container-name <container>`. If it fails, check: (1) the projected token exists and is valid, (2) the federated credential subject matches, (3) the managed identity has the correct RBAC role assignment. Monitor token expiry: the projected token expires after 1 hour. The Azure Identity SDK will automatically refresh it by obtaining a new token from Azure AD using the same federated credential. If the pod runs for longer than 1 hour, the refresh should happen seamlessly. However, if the pod is restarted, it gets a new token. Logs can be viewed via Azure Monitor or kubectl logs.
Enterprise Scenario 1: Microservices Accessing Azure SQL Database
A financial services company runs a microservices application on AKS. Each microservice needs to read/write to a specific Azure SQL database. Using Workload Identity, they create a user-assigned managed identity for each microservice (e.g., order-svc-id, payment-svc-id). Each managed identity is granted the necessary permissions on the corresponding SQL database (e.g., db_datareader, db_datawriter). The service account for each pod is annotated with the respective client ID. This setup ensures that if a pod is compromised, only the specific database it accesses is at risk. The company also uses Azure RBAC to restrict the managed identities from accessing other resources. In production, they have 50 microservices, each with its own identity. They automate the creation of federated credentials using Terraform. A common issue is that developers forget to update the federated credential subject when they rename a namespace, causing authentication failures. They use Azure Policy to enforce naming conventions and audit that each service account has the correct annotations.
Enterprise Scenario 2: CI/CD Pipeline Access to AKS
A DevOps team uses Azure DevOps to deploy to AKS. They need to grant the pipeline agent (running as a service principal) permissions to deploy pods to a specific namespace. They create an Azure AD group aks-deployers and add the service principal to it. They then create a RoleBinding in the target namespace that grants the group cluster-admin or a custom role with deploy permissions. The pipeline uses az aks get-credentials with the service principal to authenticate. This is more secure than using a static kubeconfig file. The team also uses Azure RBAC to restrict the service principal to only the AKS cluster (via Contributor role on the cluster). A common mistake is giving the service principal cluster-wide permissions when only a namespace is needed. The exam tests that you can configure Azure AD integration for non-admin users and assign least-privilege roles.
Scenario 3: Podcast Hosting Platform with Key Vault Integration
A media company stores secrets (e.g., API keys, certificates) in Azure Key Vault. Their AKS-hosted podcast processing application needs to access these secrets. They use Workload Identity with a user-assigned managed identity that has Key Vault Secrets User role on the vault. The pod's service account is annotated, and the application uses the Azure Identity SDK to fetch secrets at startup. They set up a federated identity credential for each environment (dev, test, prod) with different managed identities. In production, they have autoscaling pods that all share the same service account. This works because the federated credential subject is the same for all pods (same service account). However, if they need different permissions per pod, they must use separate service accounts. A pitfall is that the projected token is mounted as a file, and if the pod runs as non-root, the file permissions must allow reading. The mutating webhook sets the file to be readable by all users by default. They also set up alerts on Azure AD sign-in logs for failed token exchanges, which indicate misconfigured federated credentials.
The AZ-104 exam tests AKS RBAC and Workload Identity under objective 3.3 (Configure compute resources) and 3.4 (Monitor and troubleshoot). Specifically, you should expect questions on:
Enabling Azure AD integration for AKS (objective 3.3)
Creating Role and ClusterRole definitions (3.3)
Binding roles to Azure AD users/groups (3.3)
Configuring Workload Identity (3.3)
Differences between Kubernetes RBAC and Azure RBAC (3.3)
Troubleshooting access issues (3.4)
Common Wrong Answers and Why
"Use a ClusterRoleBinding for namespace-specific permissions." This is wrong because ClusterRoleBinding grants permissions cluster-wide. For namespace-specific permissions, use a RoleBinding that references a Role or a ClusterRole (but binding it to a namespace via RoleBinding restricts it to that namespace).
"Workload Identity requires a system-assigned managed identity." This is false. Workload Identity requires a user-assigned managed identity because the identity must be independent of the pod's lifecycle and shareable across pods. System-assigned identities are tied to a specific resource and cannot be used for federated credentials.
"After enabling Azure AD integration, all Azure AD users can access the cluster." This is incorrect. Only users who are explicitly bound to a Role via RoleBinding or ClusterRoleBinding have permissions. The --aad-admin-group-object-ids parameter grants admin access only to specified groups. Without bindings, users have no access.
"Workload Identity uses the pod's managed identity directly." The pod does not have a managed identity; it uses a service account token to obtain an access token for a user-assigned managed identity. The managed identity is separate from the pod.
Specific Numbers and Terms
The default token expiry for projected service account tokens is 1 hour.
The audience for federated identity credentials is api://AzureADTokenExchange.
The subject format is system:serviceaccount:<namespace>:<service-account-name>.
The OIDC issuer URL is obtained via az aks show --query oidcIssuerProfile.issuerUrl.
--aad-admin-group-object-ids accepts comma-separated Azure AD group object IDs.
Edge Cases and Exceptions
If you use --enable-aad on an existing cluster, you must also specify --aad-admin-group-object-ids to avoid locking yourself out. If you forget, you can still access the cluster via the Azure CLI with --admin flag (which uses certificate-based authentication).
Workload Identity does not support system-assigned managed identities. If you try to use one, the federated credential creation will fail.
The federated credential subject is case-sensitive. system:serviceaccount:default:my-sa is different from system:serviceaccount:Default:my-sa.
If a pod uses a service account without the annotation, the mutating webhook will not inject the token volume, and Workload Identity will not work.
How to Eliminate Wrong Answers
For RBAC questions, identify whether the permission is needed in a specific namespace or cluster-wide. If the question mentions "only in the development namespace," choose a RoleBinding, not a ClusterRoleBinding.
For Workload Identity questions, look for keywords like "federated identity credential," "user-assigned managed identity," and "OIDC issuer." If the answer mentions "AAD Pod Identity," it is outdated and likely wrong unless the question explicitly asks about it.
If a question asks how to grant a group of developers read-only access to pods in a namespace, the correct answer is to create a Role with get/list/watch permissions on pods and bind it to the Azure AD group via RoleBinding. A common distractor is to use a ClusterRoleBinding, which would grant access to all namespaces.
AKS RBAC with Azure AD requires explicit RoleBindings or ClusterRoleBindings to grant permissions to users/groups.
The `--aad-admin-group-object-ids` parameter grants cluster-admin permissions to specified Azure AD groups.
Workload Identity uses user-assigned managed identities and federated identity credentials; system-assigned identities are not supported.
The federated identity credential subject must exactly match `system:serviceaccount:<namespace>:<service-account-name>`.
The default audience for Workload Identity tokens is `api://AzureADTokenExchange`.
Workload Identity replaces the deprecated AAD Pod Identity; do not use AAD Pod Identity in new deployments.
To grant a pod access to an Azure resource, assign the managed identity an Azure RBAC role on that resource.
These come up on the exam all the time. Here's how to tell them apart.
Kubernetes RBAC (with Azure AD)
Controls access to Kubernetes resources (pods, services, deployments) within the cluster.
Uses Roles, ClusterRoles, RoleBindings, ClusterRoleBindings.
Subjects are Azure AD users, groups, or service accounts.
Managed via kubectl and YAML manifests.
Does not control access to Azure resources outside the cluster.
Azure RBAC for AKS
Controls access to Azure resources (e.g., AKS cluster itself, storage accounts).
Uses Azure role definitions and assignments at management plane level.
Subjects are Azure AD users, groups, or service principals.
Managed via Azure CLI, portal, or ARM templates.
Does not control access to Kubernetes resources inside the cluster.
Workload Identity
Uses federated identity credentials and OIDC issuer.
No mutating admission webhook or CRDs required.
Token is projected as a file into the pod.
Recommended by Microsoft for new deployments.
Works with any Azure Identity SDK (e.g., DefaultAzureCredential).
AAD Pod Identity (Deprecated)
Uses AzureIdentity and AzureIdentityBinding CRDs.
Requires a mutating admission webhook (MIC) and NMI daemon.
Token is obtained via a local host endpoint (169.254.169.254).
Deprecated and will not receive updates.
Older SDKs may require special configuration.
Mistake
Azure AD integration for AKS automatically grants all Azure AD users access to the cluster.
Correct
No, you must explicitly bind Azure AD users or groups to Kubernetes roles via RoleBindings or ClusterRoleBindings. Without bindings, users cannot perform any actions.
Mistake
Workload Identity and AAD Pod Identity are the same thing.
Correct
Workload Identity is the newer, recommended approach. AAD Pod Identity is deprecated. Workload Identity is simpler, does not require a mutating admission webhook or CRDs, and uses federated identity credentials.
Mistake
A Kubernetes service account used for Workload Identity automatically has permissions to access Azure resources.
Correct
The service account only authenticates to Azure AD. Authorization is done via Azure RBAC: you must assign the managed identity the necessary roles on the target resource.
Mistake
You can use a system-assigned managed identity with Workload Identity.
Correct
Workload Identity requires a user-assigned managed identity. System-assigned identities are tied to a specific Azure resource and cannot be used with federated identity credentials.
Mistake
To grant a user access to a specific namespace, you should use a ClusterRoleBinding with a Role that has namespace scope.
Correct
A ClusterRoleBinding grants permissions cluster-wide. To restrict to a namespace, use a RoleBinding that binds a Role (or a ClusterRole) to the user within that namespace.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Use the `az aks update` command with the `--enable-aad` flag and specify `--aad-admin-group-object-ids` to grant admin access to Azure AD groups. For example: `az aks update -n myCluster -g myRG --enable-aad --aad-admin-group-object-ids <group-id>`. This enables Azure AD authentication. Non-admin users must be bound via Kubernetes RBAC.
A Role is namespaced and grants permissions only within a specific namespace. A ClusterRole is cluster-scoped and can grant permissions across all namespaces or on cluster-scoped resources (e.g., nodes, persistent volumes). You can also bind a ClusterRole to a namespace using a RoleBinding, which restricts its permissions to that namespace.
In a VM, the managed identity is assigned to the VM itself, and the Azure Instance Metadata Service (IMDS) provides tokens. In AKS, pods are ephemeral and cannot have a managed identity directly assigned. Workload Identity uses a federated identity credential to allow a pod's service account token to be exchanged for a managed identity token. The pod does not have a managed identity; it borrows one.
Yes, you can use the same user-assigned managed identity for multiple pods by having them use the same service account (annotated with the same client ID). All pods will then share the same identity. If you need different permissions, create separate managed identities and service accounts.
The projected token has a default TTL of 1 hour. The Azure Identity SDK (e.g., DefaultAzureCredential) automatically refreshes the token by obtaining a new one from Azure AD using the same federated credential. The pod must be running to refresh; if the pod is restarted, it gets a new token. If the SDK does not refresh in time, the access token may expire, causing authentication failures.
Check that the pod has the projected token file at `/var/run/secrets/azure/workload-identity/token`. Verify the service account annotations: `azure.workload.identity/client-id` and `azure.workload.identity/use: "true"`. Ensure the federated identity credential subject matches the service account namespace and name. Check that the managed identity has the correct Azure RBAC role assignments. Use `kubectl logs` to see authentication errors.
The OIDC issuer URL is a unique endpoint for your AKS cluster that issues tokens for service accounts. It is required for configuring federated identity credentials. Retrieve it using: `az aks show -n <cluster> -g <rg> --query oidcIssuerProfile.issuerUrl`. The URL looks like `https://eastus.oic.prod-aks.azure.com/<guid>/`.
You've just covered AKS RBAC and Workload Identity — now see how well it sticks with free AZ-104 practice questions. Full explanations included, no account needed.
Done with this chapter?