Fix Azure AKS Pod Identity Errors
When working with Azure AKS, you may encounter a configuration error that prevents your deployment from working. This guide explains the most common mistake with pod identity and shows the exact fix.
A Common Mistake
Using service principal credentials in pods instead of Azure AD Pod Identity (or Workload Identity) to access Azure resources.
The incorrect command:
kubectl create secret generic azure-creds --from-literal=client-id=xxx --from-literal=client-secret=yyy
# Pod mounts secret to authenticate to Azure
Why this is a problem (nothing errors; the deployment works, which is exactly the issue):
The pod authenticates with static, long-lived credentials.
If the pod is compromised, the client secret can be read from the environment or mounted file and reused from anywhere.
Rotating the secret requires updating the Kubernetes Secret and restarting every pod that mounts it.
The credentials sit in etcd (encrypted at rest, but still readable by anyone who can read Secrets in that namespace).
The Correct Approach
The right way to configure pod identity in Azure AKS:
# Enable the OIDC issuer and Workload Identity on the cluster (the preview "pod-identity" add-on is deprecated and was never an enable-addons name)
az aks update --enable-oidc-issuer --enable-workload-identity --name my-aks --resource-group my-rg
az identity create --name my-identity --resource-group my-rg
# Issuer URL: az aks show --name my-aks --resource-group my-rg --query oidcIssuerProfile.issuerUrl -o tsv
az identity federated-credential create --name my-cred --identity-name my-identity --resource-group my-rg --issuer <oidc-issuer> --subject system:serviceaccount:default:my-sa --audiences api://AzureADTokenExchange
# Client ID: az identity show --name my-identity --resource-group my-rg --query clientId -o tsv ; pods using the SA also need the label azure.workload.identity/use: "true"
kubectl annotate sa my-sa azure.workload.identity/client-id=<identity-client-id>
Successful result:
Pod identity configured. Verify with:
kubectl describe pod my-app
Workload Identity (like its predecessor, Azure AD Pod Identity) binds a managed identity to the pod. The pod authenticates to Azure resources with a token issued for its service account instead of any stored credential, and all access is audited through Azure AD.
How to Prevent This
Use Pod Identity or Workload Identity for every pod that needs to reach Azure resources. Each assigns an Azure AD identity to individual pods, so you get no secrets in the cluster, permissions scoped to one identity, and audit logging of every access. Prefer Workload Identity: it is the newer and simpler mechanism. Both eliminate static credentials in pods.
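To catch the mistake above before it ships, a defender can audit running pods for static Azure credentials and confirm that pods expected to use Workload Identity are actually wired to an annotated service account. The following is an added example, not code from the original page or from Azure or AKS; it reads JSON in the shape of kubectl get pods -A -o json and kubectl get sa -A -o json, but the sample documents, the secret-name hints, and the function names are constructed for illustration.

```python
from __future__ import annotations
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`; not real cluster data.
SAMPLE_PODS_JSON = json.dumps({"items": [
    {"metadata": {"name": "legacy-app", "namespace": "default", "labels": {}},
     "spec": {"serviceAccountName": "default", "containers": [{"name": "app", "env": [
         {"name": "AZURE_CLIENT_ID", "valueFrom": {"secretKeyRef": {"name": "azure-creds", "key": "client-id"}}},
         {"name": "AZURE_CLIENT_SECRET", "valueFrom": {"secretKeyRef": {"name": "azure-creds", "key": "client-secret"}}}]}]}},
    {"metadata": {"name": "my-app", "namespace": "default", "labels": {"azure.workload.identity/use": "true"}},
     "spec": {"serviceAccountName": "my-sa", "containers": [{"name": "app"}]}},
    {"metadata": {"name": "half-done", "namespace": "default", "labels": {"azure.workload.identity/use": "true"}},
     "spec": {"serviceAccountName": "other-sa", "containers": [{"name": "app"}]}},
    {"metadata": {"name": "mounted-creds", "namespace": "payments", "labels": {}},
     "spec": {"serviceAccountName": "default",
              "volumes": [{"name": "creds", "secret": {"secretName": "azure-creds"}}],
              "containers": [{"name": "app", "volumeMounts": [{"name": "creds", "mountPath": "/etc/azure"}]}]}},
]})

# Constructed sample in the shape of `kubectl get sa -A -o json`.
SAMPLE_SAS_JSON = json.dumps({"items": [
    {"metadata": {"name": "my-sa", "namespace": "default",
                  "annotations": {"azure.workload.identity/client-id": "00000000-0000-0000-0000-000000000000"}}},
    {"metadata": {"name": "other-sa", "namespace": "default"}},
    {"metadata": {"name": "default", "namespace": "default"}},
]})

# Heuristics (assumptions, tune for your naming conventions): secret keys, secret names and
# env var names that usually carry a service-principal client secret.
SECRET_KEY_HINTS = ("client-secret", "client_secret", "clientsecret", "password")
SECRET_NAME_HINTS = ("cred", "client-secret", "service-principal", "azure-sp")
ENV_NAME_HINTS = ("AZURE_CLIENT_SECRET", "ARM_CLIENT_SECRET")
WI_LABEL = "azure.workload.identity/use"
WI_ANNOTATION = "azure.workload.identity/client-id"


def _matches(value: str, hints: tuple[str, ...]) -> bool:
    lowered = value.lower()
    return any(h in lowered for h in hints)


def static_credential_findings(pod: dict) -> list[str]:
    """Return human-readable reasons this pod appears to carry a static Azure credential."""
    findings: list[str] = []
    spec = pod.get("spec", {})
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    for c in containers:
        for env in c.get("env") or []:
            ref = (env.get("valueFrom") or {}).get("secretKeyRef")
            if not ref:
                continue
            if env["name"].upper() in ENV_NAME_HINTS or _matches(ref.get("key", ""), SECRET_KEY_HINTS):
                findings.append(f"container {c['name']}: env {env['name']} sourced from secret {ref['name']}/{ref.get('key')}")
    secret_volumes = {v["name"]: v["secret"]["secretName"] for v in spec.get("volumes", []) if "secret" in v}
    for c in containers:
        for mount in c.get("volumeMounts") or []:
            secret_name = secret_volumes.get(mount["name"])
            if secret_name and _matches(secret_name, SECRET_NAME_HINTS):
                findings.append(f"container {c['name']}: secret {secret_name} mounted at {mount['mountPath']}")
    return findings


def annotated_service_accounts(sas_json: str) -> set[tuple[str, str]]:
    """(namespace, name) pairs of service accounts that carry the Workload Identity client-id annotation."""
    out = set()
    for sa in json.loads(sas_json)["items"]:
        meta = sa["metadata"]
        if WI_ANNOTATION in (meta.get("annotations") or {}):
            out.add((meta.get("namespace", "default"), meta["name"]))
    return out


def audit_pods(pods_json: str, sas_json: str) -> dict[str, dict]:
    """Classify each pod: static-credentials, workload-identity, workload-identity-misconfigured, or no-azure-auth-detected."""
    annotated = annotated_service_accounts(sas_json)
    report: dict[str, dict] = {}
    for pod in json.loads(pods_json)["items"]:
        meta = pod["metadata"]
        ns = meta.get("namespace", "default")
        sa = pod.get("spec", {}).get("serviceAccountName", "default")
        findings = static_credential_findings(pod)
        labelled = (meta.get("labels") or {}).get(WI_LABEL) == "true"
        if findings:
            status = "static-credentials"            # the anti-pattern from this page
        elif labelled and (ns, sa) in annotated:
            status = "workload-identity"             # label on the pod and annotation on the SA
        elif labelled:
            status = "workload-identity-misconfigured"  # label present but the SA has no client-id annotation
        else:
            status = "no-azure-auth-detected"
        report[f"{ns}/{meta['name']}"] = {"status": status, "serviceAccount": sa, "findings": findings}
    return report


if __name__ == "__main__":
    for name, entry in audit_pods(SAMPLE_PODS_JSON, SAMPLE_SAS_JSON).items():
        print(f"{name}: {entry['status']} (sa={entry['serviceAccount']})")
        for f in entry["findings"]:
            print(f"    - {f}")
```

Against a live cluster, feed it the output of the two kubectl commands instead of the constructed samples. The hints are deliberately simple string matches; the point is to flag anything that looks like a client secret in an env var or mounted Secret, then confirm the replacement wiring (pod label plus service-account annotation) is complete rather than half applied.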
Built by the developers of Doda Browser, DodaZIP, and Durga Antivirus Pro. Secure your cloud with DodaTech.