Error during POD deployment for configuring Workload identity

Sriramulu, Latha 0 Reputation points
2024-03-26T12:18:57.9+00:00

I followed this document: https://learn.microsoft.com/en-us/azure/aks/learn/tutorial-kubernetes-workload-identity#create-an-aks-cluster

And I am seeing this error when running the logs command for the pod:

```
kubectl logs pods/mypod
```

I am learning this topic and am not sure which role to assign for reading secrets from Key Vault, or what the difference is between a role assignment and a role binding.

I have assigned the Key Vault Reader role to the Managed Identity.

Should I do it for the service account? Please guide.

```
GET https://xxxxx/secrets/yyyy/
RESPONSE 403: 403 Forbidden
ERROR CODE: Forbidden
{
  "error": {
    "code": "Forbidden",
    "message": "Caller is not authorized to perform action on resource.\r\nIf role assignments, deny assignments or role definitions were changed recently, please observe propagation time.\r\nCaller: appid=foid=;iss=https://sts.windows.net/00000b/\r\nAction: 'Microsoft.KeyVault/vaults/secrets/getSecret/action'\r\nResource: 'scope path '\r\nAssignment: (not found)\r\nDenyAssignmentId: null\r\nDecisionReason: null \r\nVault: kv-web-dev;location=europe\r\n",
    "innererror": {
      "code": "ForbiddenByRbac"
    }
  }
}
```

3 answers
  1. Akshay-MSFT 16,031 Reputation points Microsoft Employee
    2024-03-29T16:35:41.1033333+00:00

    @Sriramulu, Latha

    Thank you for posting your query on Microsoft Q&A. From the above description I understand that you are getting the error "message": "Caller is not authorized to perform action on resource." while accessing Key Vault with a managed identity for AKS.

    Please do correct me if this is not the ask by responding in the comments section.

    • In order to achieve this you must ensure that you have Access policies enabled in Key Vault and not RBAC role:

    ```shell
    az keyvault set-policy --name "${KEYVAULT_NAME}" --secret-permissions get --spn "${USER_ASSIGNED_CLIENT_ID}"
    ```

    • Kindly assign the role "Key Vault Secret User" to the managed identity account.
    • Validate the "Networking > Firewall rules" and try testing the behavior with "Allow public access from all networks".

    Please "Accept the answer (Yes)" and "share your feedback". This will help us and others in the community as well.

    Thanks,

    Akshay Kaushik
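As an added example (not code from the question or from the answer above), a small Python triage helper that reads the 403 body the pod logged, tells the RBAC permission model (`innererror` code `ForbiddenByRbac`, as in the question) apart from the access-policy model, reports whether any role assignment was found at the scope, and names the least-privilege data-plane role for the denied action instead of a broad administrator role. The sample log is constructed to match the shape of the one in the question, and the role mapping is an assumption covering only the action seen on this page.

```python
import json
import re

# Constructed sample, shaped like the pod log in the question (ids elided as there).
SAMPLE_LOG = (
    'GET https://xxxxx/secrets/yyyy/\nRESPONSE 403: 403 Forbidden\nERROR CODE: Forbidden\n'
    '{"error":{"code":"Forbidden","message":"Caller is not authorized to perform action on '
    'resource.\\r\\nIf role assignments, deny assignments or role definitions were changed '
    'recently, please observe propagation time.\\r\\nCaller: appid=foid=;iss=https://sts.windows.net/00000b/'
    '\\r\\nAction: \'Microsoft.KeyVault/vaults/secrets/getSecret/action\'\\r\\nResource: \'scope path \''
    '\\r\\nAssignment: (not found)\\r\\nDenyAssignmentId: null\\r\\nDecisionReason: null \\r\\n'
    'Vault: kv-web-dev;location=europe\\r\\n","innererror":{"code":"ForbiddenByRbac"}}}'
)

# Smallest built-in data-plane role that grants the denied action. Assumption: only the
# action seen on this page is mapped; anything else yields None (look it up, do not guess).
LEAST_PRIVILEGE_ROLE = {
    "Microsoft.KeyVault/vaults/secrets/getSecret/action": "Key Vault Secrets User",
}


def parse_kv_403(log_text: str) -> dict:
    """Extract the authorization facts from a Key Vault 403 body found in pod logs."""
    body = json.loads(log_text[log_text.index("{"):])  # JSON starts at the first brace
    err = body["error"]
    fields = {}
    # The message is a CRLF-separated list of "Key: value" lines; keep the keyed ones.
    for line in err["message"].splitlines():
        m = re.match(r"^(\w+): (.*)$", line.strip())
        if m:
            fields[m.group(1)] = m.group(2).strip().strip("'")
    rbac = err.get("innererror", {}).get("code") == "ForbiddenByRbac"
    action = fields.get("Action", "")
    return {
        # RBAC mode means access policies are ignored; the fix is a role assignment.
        "permission_model": "rbac" if rbac else "access-policy",
        "action": action,
        "vault": fields.get("Vault", "").split(";")[0],
        # "(not found)" means no role assignment covers this principal at this scope.
        "assignment_found": fields.get("Assignment") not in (None, "(not found)"),
        "deny_assignment": fields.get("DenyAssignmentId") not in (None, "null"),
        "suggested_role": LEAST_PRIVILEGE_ROLE.get(action) if rbac else None,
    }


if __name__ == "__main__":
    for k, v in parse_kv_403(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

The suggested role is scoped to the vault and assigned to the managed identity's principal; the Kubernetes service account only needs the federated credential and the `azure.workload.identity/use` label, not its own Azure role.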

  2. Sriramulu, Latha 0 Reputation points
    2024-04-01T12:27:16.7166667+00:00

    Hi Akshay,

    Thank you for your inputs.

    I was able to resolve the issue by assigning the Key Vault admin role to the managed identity.

    For me, I have no control over the access policies, which are disabled. RBAC is enabled.


  3. Sriramulu, Latha 0 Reputation points
    2024-04-01T12:28:52.1066667+00:00

    I have another query: like the Key Vault in this example, now I am trying to access Azure Files share storage.

    Any reference documents for the same?

    I tried mounting the file share using a PV and PVC and the POD configuration below.

    I don't know if there are any other ways to achieve the same.

    I saw this discussion: https://github.com/Azure/AKS/issues/3432#issuecomment-1805051548

    ```yaml
    kind: Pod
    apiVersion: v1
    metadata:
      name: workload-identity-pod
      namespace: default
      labels:
        azure.workload.identity/use: "true"
    spec:
      serviceAccountName: workload-service-account
      containers:
        - name: oidc
          image: ghcr.io/azure/azure-workload-identity/msal-go
          env:
          - name: KEYVAULT_URL
            value: https://kvwebdev.vault.azure.net/
          - name: SECRET_NAME
            value: url
          volumeMounts:
          - mountPath: /mnt/wi
            name: azure-workload
            readOnly: false
      nodeSelector:
        kubernetes.io/os: linux
      volumes:
      - name: azure-workload
        persistentVolumeClaim:
          claimName: wi-pvc
    ```