|
| 1 | +--- |
| 2 | +title: "How to use managed identity with Bridge to Kubernetes" |
| 3 | +ms.technology: vs-azure |
| 4 | +ms.date: 04/28/2021 |
| 5 | +ms.topic: "conceptual" |
| 6 | +description: "Learn how to use Azure Active Directory (Azure AD) managed identity in an AKS cluster with Bridge to Kubernetes" |
| 7 | +monikerRange: ">=vs-2019" |
| 8 | +manager: jmartens |
| 9 | +author: ghogen |
| 10 | +ms.author: ghogen |
| 11 | +--- |
| 12 | +# Use managed identity with Bridge to Kubernetes |
| 13 | + |
| 14 | +If your AKS cluster uses [managed identity](/azure/active-directory/managed-identities-azure-resources/overview) security features to secure access to secrets and resources, Bridge to Kubernetes needs some special configuration to ensure it can work with these features. An Azure Active Directory (AD) token needs to be downloaded to the local machine to ensure that local execution and debugging is properly secured, and this requires some special configuration in Bridge to Kubernetes. This article shows how to configure Bridge to Kubernetes to work with services that use managed identity. |
| 15 | + |
| 16 | +## How to configure your service to use managed identity |
| 17 | + |
| 18 | +To enable a local machine with support for managed identity, in the *KubernetesLocalConfig.yaml* file, in the `enableFeatures` section, add `ManagedIdentity`. Add the `enableFeatures` section if it's not already there. |
| 19 | + |
| 20 | +```yaml |
| 21 | +enableFeatures: |
| 22 | + ManagedIdentity |
| 23 | +``` |
| 24 | +
|
| 25 | +> [!WARNING] |
| 26 | +> Be sure to only use managed identity for Bridge to Kubernetes when working with dev clusters, not production clusters, because the Azure AD token is fetched to the local machine, which presents a potential security risk. |
| 27 | +
|
| 28 | +If you don't have a *KubernetesLocalConfig.yaml* file, you can create one; see [How to: Configure Bridge to Kubernetes](configure-bridge-to-kubernetes.md). |
| 29 | +
|
| 30 | +## How to fetch the Azure Active Directory tokens |
| 31 | +
|
| 32 | +You must ensure that you are relying on either <xref:Azure.Identity.DefaultAzureCredential> or <xref:Azure.Identity.ManagedIdentityCredential> in code when fetching the token. |
| 33 | +
|
| 34 | +The following C# code shows how to fetch storage account credentials when you use `ManagedIdentityCredential`: |
| 35 | + |
| 36 | +```csharp |
| 37 | +var credential = new ManagedIdentityCredential(miClientId); |
| 38 | +Console.WriteLine("Created credential"); |
| 39 | +var containerClient = new BlobContainerClient(new Uri($"https://{accountName}.blob.windows.net/{containerName}"), credential); |
| 40 | +Console.WriteLine("Created blob client"); |
| 41 | +``` |
| 42 | + |
| 43 | +The following code shows how to fetch storage account credentials when you use DefaultAzureCredential: |
| 44 | + |
| 45 | +```csharp |
| 46 | +var credential = new DefaultAzureCredential(); |
| 47 | +Console.WriteLine("Created credential"); |
| 48 | +var containerClient = new BlobContainerClient(new Uri($"https://{accountName}.blob.windows.net/{containerName}"), credential); |
| 49 | +Console.WriteLine("Created blob client"); |
| 50 | +``` |
| 51 | + |
| 52 | +To learn how to access other Azure resources using managed identity, see the [Next steps](#next-steps) section. |
| 53 | + |
| 54 | +## Receive Azure alerts when tokens are downloaded |
| 55 | + |
| 56 | +Whenever you use Bridge to Kubernetes on a service, the Azure AD token is downloaded to the local machine. You can enable Azure alerts to be notified when this occurs. For information, see [Enable Azure Defender](/azure/security-center/enable-azure-defender). Please be aware that there is a charge (after a 30-day trial period). |
| 57 | + |
| 58 | +## Next steps |
| 59 | + |
| 60 | +Now that you've configured Bridge to Kubernetes to work with your AKS cluster that uses managed identity, you can debug as normal. See [bridge-to-kubernetes.md#connect-to-your-cluster-and-debug-a-service]. |
| 61 | + |
| 62 | +Learn more about using managed identify to access Azure resources by following these tutorials: |
| 63 | + |
| 64 | +- [Tutorial: Use a Linux VM system-assigned managed identity to access Azure Storage](/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-storage) |
| 65 | +- [Tutorial: Use a Linux VM system-assigned managed identity to access Azure Data Lake Store](/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-datalake) |
| 66 | +- [Tutorial: Use a Linux VM system-assigned managed identity to access Azure Key Vault](/azure/active-directory/managed-identities-azure-resources/tutorial-linux-vm-access-nonaad) |
| 67 | + |
| 68 | +There are other tutorials in that section as well for using managed identity to access other Azure resources. |
| 69 | + |
| 70 | +## See also |
| 71 | + |
| 72 | +[Azure Active Directory](/azure/active-directory/managed-identities-azure-resources/) |
0 commit comments