AKS Pod Identity allows assigning a service principal or managed service identity to nodes and matching pods to an Azure identity. This provides credentials through the metadata service to access Vault through Azure authentication. However, Azure authentication in Vault only supports system-assigned identities, while AKS Pod Identity uses user-assigned identities, so pods cannot currently use Azure authentication to access Vault.

1. Vault with AKS
Pod Identity
Now only a little broken!

2. The Challenge
Static Identities are bad
Vault should be deployed on K8s
Azure resources should use MSIs

3. The Solution
AKS Pod Identity

4. What is AKS Pod Identity?
 Open source project from Microsoft
 Assigns a Service Principal or MSI to
Nodes
 Matches pods to an Azure Identity
 Provides credentials through the
Metadata Service

5. How are we going to use it?
Access Vault through
Azure Auth
Vault Configuration
for Azure Auth

6. AKS Pod Identity Components
MIC
NMI
Node
IMDSAKS SP
Az ID

7. Azure Identity Association
MIC
vault-msiAzure Identity CR
Azure Identity Binding CR
Pod labels

8. Pod Identity Assignment
MICVault
Node
AKS SPvault-msi
Pod label

9. Pod Token Acquisition
NMIVault
Node IMDS
vault-msi

10. A slight problem…
 Azure Auth only supports System Assigned MSIs
 Pod Identity uses User Assigned MSIs
 Can't use Azure Auth for the pods… yet

11. Thank You!
 Ned Bellavance
 @ned1313
 https://nedinthecloud.com
 https://github.com/ned1313/hashitalks-aks-pod-id
 http://bit.ly/getting-started-vault