@devorbitus
Last active February 20, 2025 17:03
High-Level Plan for Deploying an Akeyless Gateway in an AKS Cluster Using Workload Identity

Deploying an Akeyless Gateway into an Azure Kubernetes Service (AKS) cluster using Azure Workload Identity allows the Gateway to authenticate using its own Azure AD Identity without storing long-lived credentials. This setup ensures secure, seamless authentication through Azure AD authentication methods.


1. Prerequisites

Before proceeding, ensure you have:

  • An AKS Cluster (running Kubernetes 1.21+)
  • Azure CLI installed and authenticated (az login)
  • Helm 3 installed
  • kubectl configured for AKS
  • Akeyless SaaS Account
  • Azure Managed Identity created and assigned the necessary permissions

2. Create an Azure Managed Identity for Akeyless Gateway

  1. Create a Managed Identity:

    az identity create --name AkeylessGatewayMI --resource-group <your-resource-group>
    • Capture the clientId and principalId from the command output: the client ID goes on the Kubernetes service account annotation (step 4) and the principal ID is used for the role assignment below.
  2. Assign IAM Role to Managed Identity:

    az role assignment create --assignee <principal-id> --role "Managed Identity Operator" --scope /subscriptions/<subscription-id>

    This allows the AKS service account to use the Managed Identity.


3. Enable Azure Workload Identity in AKS

  1. Enable OIDC Issuer & Workload Identity:

    az aks update --resource-group <your-resource-group> --name <your-aks-cluster> --enable-oidc-issuer --enable-workload-identity
    • This ensures AKS supports Azure Workload Identity.
  2. Get the AKS OIDC Issuer URL:

    az aks show --resource-group <your-resource-group> --name <your-aks-cluster> --query "oidcIssuerProfile.issuerUrl" -o tsv
    • Save this issuer URL for configuring Azure AD authentication.

4. Configure Kubernetes Service Account with Workload Identity

  1. Create a Kubernetes Namespace for Akeyless:

    kubectl create namespace akeyless
  2. Create a Kubernetes Service Account (SA) annotated with the Managed Identity's client ID, saved as akeyless-sa.yaml:

    apiVersion: v1
    kind: ServiceAccount
    metadata:
      name: akeyless-gateway-sa
      namespace: akeyless
      annotations:
        azure.workload.identity/client-id: "<client-id>"

    Apply the manifest:

    kubectl apply -f akeyless-sa.yaml
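The identity wiring of steps 2 to 4, as an added shell example that is not part of the original gist. It goes one step beyond the plan: besides rendering the annotated ServiceAccount, it creates the federated identity credential on the Managed Identity that tells Azure AD to trust tokens from the cluster's OIDC issuer for this service account's subject, which Azure Workload Identity requires before the token exchange will succeed. RG and CLUSTER are assumed environment variables; the other names are the placeholders used in the plan.

```shell
# Added example, not from the gist. Needs az login and a kubectl context.
set -eu

NAMESPACE="${NAMESPACE:-akeyless}"
SA_NAME="${SA_NAME:-akeyless-gateway-sa}"
MI_NAME="${MI_NAME:-AkeylessGatewayMI}"

# Subject the AKS OIDC issuer puts into the projected service-account token.
# It must match the federated credential exactly or Azure AD rejects the exchange.
wi_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# Render the ServiceAccount from step 4; the annotation is what the
# workload-identity webhook reads to pick the Managed Identity for the pod.
render_sa_manifest() {
  local ns="$1" sa="$2" client_id="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
  annotations:
    azure.workload.identity/client-id: "${client_id}"
EOF
}

# Azure and cluster side. RG and CLUSTER are assumed environment variables.
configure_identity() {
  local rg="$RG" cluster="$CLUSTER"
  local client_id issuer
  client_id=$(az identity show -g "$rg" -n "$MI_NAME" --query clientId -o tsv)
  issuer=$(az aks show -g "$rg" -n "$cluster" \
             --query oidcIssuerProfile.issuerUrl -o tsv)
  # Federated credential: trust only this cluster's issuer and this one SA
  # subject; the audience is the fixed Azure AD token-exchange audience.
  az identity federated-credential create \
    --name "${cluster}-${NAMESPACE}-${SA_NAME}" \
    --identity-name "$MI_NAME" --resource-group "$rg" \
    --issuer "$issuer" \
    --subject "$(wi_subject "$NAMESPACE" "$SA_NAME")" \
    --audiences api://AzureADTokenExchange
  kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 \
    || kubectl create namespace "$NAMESPACE"
  render_sa_manifest "$NAMESPACE" "$SA_NAME" "$client_id" | kubectl apply -f -
}
```

Call configure_identity once the Managed Identity from step 2 exists; scoping the federated credential to one namespace and service account is what keeps other workloads in the cluster from borrowing the Gateway's identity.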

5. Deploy Akeyless Gateway using Helm

  1. Add Akeyless Helm Repository:

    helm repo add akeyless https://helm.akeyless.io
    helm repo update
  2. Create the Azure AD Authentication Method the Gateway will use:
    • Log into the Akeyless Web Console (https://console.akeyless.io).
    • Navigate to Authentication Methods > Add new authentication.
    • Select Azure AD and configure it:
      • Tenant ID: <your-azure-tenant-id>
    • Copy the Access ID to be used in the next step.
  3. Install Akeyless Gateway with Workload Identity:

    • Download the Helm values template and enter the Access ID.
    • Set the Gateway Access ID and the matching access type (Azure AD) in the values file, and configure the chart to use the akeyless-gateway-sa Kubernetes service account created in step 4.
    • Install into the same namespace as that service account:

    helm install akeyless-gateway akeyless/gateway --namespace akeyless --values values.yaml

6. Validate Deployment

  1. Check Akeyless Gateway Logs:
    kubectl logs -n akeyless -l app.kubernetes.io/name=akeyless-gateway

Conclusion

This setup ensures that:
  • ✅ Akeyless Gateway runs securely in AKS
  • ✅ It uses Azure Workload Identity to authenticate with Akeyless
  • ✅ Secrets are retrieved without storing long-lived credentials

For further configurations, visit Akeyless Docs. 🚀
