I'm facing a challenge with my AKS clusters that have multiple managed identities created, possibly by Azure. I'm trying to determine how to specify which identity to use when injecting a Key Vault secret. I've tried different methods, including adding an annotation and setting an environment variable, but none have worked out so far. I'm currently working with a simplified test pod and it's stuck in the ContainerCreating state. I've run the Azure CLI command `az aks show` to retrieve the `Object ID` of the expected identity, yet I keep encountering an error about needing to specify the clientId or resourceId due to multiple user-assigned identities. Anyone have tips or solutions?
2 Answers
Make sure you're adding the client ID annotation to the service account rather than directly on the pod. That's crucial for workload identity to work properly. It looks like your configuration is mixing some other methods, so if you're aiming for workload identity, focus on that annotation.
Did you set up the federated credential for the service account in that namespace? You need to create a trust relationship for the user-assigned managed identity to properly access Azure resources. Check the documentation to ensure you've covered that step.
I've tried adding the annotation on all the service accounts in the namespace. The only one without the Client ID annotation is the default account in the default namespace. Could that be causing the issue?
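Putting the two answers together, here is an added example (not code from the original thread or from the AKS project) that pins one specific user-assigned managed identity to a pod through workload identity and then uses that same identity for the Key Vault mount. The resource group, cluster, identity, namespace, service account, vault, tenant ID and secret name are all placeholders I assumed; the pod name, image and mount path are arbitrary. It requires a cluster created or updated with `--enable-oidc-issuer --enable-workload-identity` and the Secrets Store CSI driver add-on.

```shell
#!/usr/bin/env bash
# Added example (not from the original thread): bind one user-assigned managed
# identity (UAMI) to a pod via AKS workload identity and use it to mount a
# Key Vault secret with the Secrets Store CSI driver. Every name below is an
# assumed placeholder; override via environment variables.
set -eu

RESOURCE_GROUP="${RESOURCE_GROUP:-my-rg}"
CLUSTER="${CLUSTER:-my-aks}"
IDENTITY="${IDENTITY:-kv-reader-identity}"   # the one UAMI the pod should use
NAMESPACE="${NAMESPACE:-app}"
SA_NAME="${SA_NAME:-kv-reader-sa}"
KEYVAULT="${KEYVAULT:-my-kv}"
TENANT_ID="${TENANT_ID:-00000000-0000-0000-0000-000000000000}"

# Federated credential subject: must match namespace and SA name exactly.
# A mismatch shows up as a failed token exchange, not as a clear error.
fed_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# The client-id annotation belongs on the ServiceAccount, not on the pod.
sa_manifest() {
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: $2
  namespace: $1
  annotations:
    azure.workload.identity/client-id: "$3"
EOF
}

# SecretProviderClass pinned to the same client ID, so the provider uses the
# pod's federated token instead of the node's (ambiguous) managed identities.
spc_manifest() {
  cat <<EOF
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-kv
  namespace: $1
spec:
  provider: azure
  parameters:
    clientID: "$2"
    keyvaultName: "$3"
    tenantId: "$4"
    objects: |
      array:
        - |
          objectName: db-password
          objectType: secret
EOF
}

# The pod opts in with the label and uses the annotated SA; the webhook then
# projects the SA token and injects AZURE_CLIENT_ID and friends.
pod_manifest() {
  cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: kv-test
  namespace: $1
  labels:
    azure.workload.identity/use: "true"
spec:
  serviceAccountName: $2
  containers:
    - name: app
      image: mcr.microsoft.com/azure-cli
      command: ["sleep", "3600"]
      volumeMounts:
        - name: secrets-store
          mountPath: /mnt/secrets
          readOnly: true
  volumes:
    - name: secrets-store
      csi:
        driver: secrets-store.csi.k8s.io
        readOnly: true
        volumeAttributes:
          secretProviderClass: azure-kv
EOF
}

# Live steps: look up the OIDC issuer and the UAMI client ID (not its object
# ID), create the trust relationship, then apply the three manifests.
apply_all() {
  oidc_issuer=$(az aks show -n "$CLUSTER" -g "$RESOURCE_GROUP" \
      --query oidcIssuerProfile.issuerUrl -o tsv)
  client_id=$(az identity show -n "$IDENTITY" -g "$RESOURCE_GROUP" \
      --query clientId -o tsv)
  az identity federated-credential create \
      --name "aks-${NAMESPACE}-${SA_NAME}" --identity-name "$IDENTITY" \
      --resource-group "$RESOURCE_GROUP" --issuer "$oidc_issuer" \
      --subject "$(fed_subject "$NAMESPACE" "$SA_NAME")" \
      --audiences api://AzureADTokenExchange
  sa_manifest "$NAMESPACE" "$SA_NAME" "$client_id" | kubectl apply -f -
  spc_manifest "$NAMESPACE" "$client_id" "$KEYVAULT" "$TENANT_ID" | kubectl apply -f -
  pod_manifest "$NAMESPACE" "$SA_NAME" | kubectl apply -f -
}

# Only talks to Azure when invoked as: ./wi-keyvault.sh apply
if [ "${1:-}" = "apply" ]; then apply_all; fi
```

Two checks worth doing before blaming the annotation: the identity still needs data-plane rights on the vault (for example the `Key Vault Secrets User` role, or an access policy if the vault is not RBAC-enabled), and while the pod sits in `ContainerCreating`, `kubectl describe pod kv-test -n app` shows the CSI mount event with the real failure reason, which is usually more specific than the identity error seen from the node.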