
Pod Identity

Description

The most secure and easiest way to connect to any service in Azure is to use pod identities instead of service credentials. To connect to SQL Server, a new service/job needs to have a pod identity. This document describes how to create and configure pod identities.

Steps to add pod identity to a service

1) Make sure the flag "enablePodIdentity" in the release pipelines is turned on.

2) Deploy the new service/job. This will create an "AzureIdentityBinding" object.

3) Create the managed identity from the Azure portal/Terraform in the -bankIdentities-use2-rg resource group. The name of the Azure identity must match the identity name in the "AzureIdentityBinding" object.

4) Create the "AzureIdentity" object in the cluster. Just copy any existing AzureIdentity object and modify it.

5) Give the managed identity "Reader" access to the SQL server or any other resource the pod needs access to. Usually this means Reader access on "dev-bankShared-use2-rg".

6) Add the new managed identity to the "group" in the Azure portal. These group names in Azure match the database users in SQL Server. For example, the group for the kyc database is "minority-dev-sql-idologykyc".

7) Assign the AKS node pool (kubelet) identity the "Managed Identity Operator" role on the new identity. Use the command below (PowerShell):

# Cluster whose kubelet identity will assign the pod identity
$AKSRESOURCEGROUP = 'stage-bankAksV2-use2-rg'
$AKSNAME = 'stage-bankV2-use2-aks'

# Client ID of the kubelet (node pool) managed identity
$AKS_MSI = az aks show -g $AKSRESOURCEGROUP -n $AKSNAME --query identityProfile.kubeletidentity.clientId -otsv

# Scope the role to the new identity's resource ID only, not to the whole resource group
az role assignment create --role "Managed Identity Operator" --assignee $AKS_MSI --scope <new Managed Identity(pod identity) resourceId>
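As an added example (not the page's own script), the PowerShell below carries out steps 3 to 7 for one new identity end to end and then checks that the cluster objects line up. The identity name, namespace, group name and the elided resource-group prefix are placeholders, and it assumes the az CLI and kubectl are already logged in and the aad-pod-identity CRDs (aadpodidentity.k8s.io/v1) are installed.

```powershell
$ErrorActionPreference = 'Stop'

$IdentityName = 'dev-examplejob-identity'        # constructed; must equal the AzureIdentityBinding's spec.azureIdentity
$IdentityRG   = '<env>-bankIdentities-use2-rg'   # step 3 resource group (prefix as on the page)
$SharedRG     = 'dev-bankShared-use2-rg'         # step 5 scope
$SqlGroup     = 'minority-dev-sql-idologykyc'    # step 6 Azure AD group (page example)
$AksRG        = 'stage-bankAksV2-use2-rg'
$AksName      = 'stage-bankV2-use2-aks'
$Namespace    = 'default'                        # namespace the service/job is deployed to (assumed)

# Step 3: create the user-assigned managed identity and keep its ids.
$mi = az identity create -g $IdentityRG -n $IdentityName -o json | ConvertFrom-Json

# Step 5: least privilege: Reader only, scoped to the shared resource group, not the subscription.
# Using the object id avoids the directory lookup that can fail right after creation.
$sharedScope = az group show -n $SharedRG --query id -o tsv
az role assignment create --role 'Reader' --assignee-object-id $mi.principalId `
    --assignee-principal-type ServicePrincipal --scope $sharedScope

# Step 6: group membership maps the identity to the SQL database user.
az ad group member add --group $SqlGroup --member-id $mi.principalId

# Step 7: let the kubelet identity assign this identity to pods; scope is this one identity only.
$kubeletClientId = az aks show -g $AksRG -n $AksName --query identityProfile.kubeletidentity.clientId -o tsv
az role assignment create --role 'Managed Identity Operator' --assignee $kubeletClientId --scope $mi.id

# Step 4: the AzureIdentity object; type 0 = user-assigned managed identity.
@"
apiVersion: aadpodidentity.k8s.io/v1
kind: AzureIdentity
metadata:
  name: $IdentityName
  namespace: $Namespace
spec:
  type: 0
  resourceID: $($mi.id)
  clientID: $($mi.clientId)
"@ | kubectl apply -f -

# Check: the binding created by the deployment (step 2) must reference this identity name,
# and the pod must carry the matching aadpodidbinding label, otherwise no token is issued.
kubectl get azureidentitybinding -n $Namespace -o custom-columns='NAME:.metadata.name,IDENTITY:.spec.azureIdentity,SELECTOR:.spec.selector'
kubectl get azureidentity $IdentityName -n $Namespace
```

If the IDENTITY column of the binding does not show the name you created, the pod will still start but every token request will be denied, so fix the name mismatch before debugging the SQL login.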