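#!/usr/bin/env bash
# Publish an OIDC discovery document and JWKS for a Kubernetes cluster's
# service-account signing key on a public Azure blob container, register an
# Entra federated credential that trusts that issuer (Azure Workload Identity
# for the CAPZ manager), and create a second managed identity for the workload
# cluster.
#
# Tooling: az, azwi, openssl, curl, tsh (Teleport, for the scp step).
# Env:     SUBSCRIPTION_ID - defaults to the currently selected az subscription.
# Assumes the user-assigned identity "glean-capz" already exists in the
# resource group; only "glean-wc" is created here.
set -euo pipefail

# Only needed when bootstrapping a brand-new signing key. This run reuses the
# cluster's existing key (see the tsh scp step below), so these stay commented
# out. NEVER upload sa.key: only the public half belongs in the JWKS.
# openssl genrsa -out sa.key 2048
# openssl rsa -in sa.key -pubout -out sa.pub
export RESOURCE_GROUP="glean"
export LOCATION="westeurope"
# Storage account names are globally unique; the random suffix avoids collisions.
# AZURE_STORAGE_ACCOUNT / AZURE_STORAGE_CONTAINER are exported because the
# `az storage` commands below read them instead of taking explicit flags.
export AZURE_STORAGE_ACCOUNT="oidcissuer$(openssl rand -hex 4)"
export AZURE_STORAGE_CONTAINER="oidc-test"

# The issuer is used verbatim in the discovery document, the federated
# credential, and the kube-apiserver (--service-account-issuer). Entra compares
# the token's `iss` claim against the registered value string-for-string, so
# keep the trailing slash identical everywhere.
export SERVICE_ACCOUNT_ISSUER="https://${AZURE_STORAGE_ACCOUNT}.blob.core.windows.net/${AZURE_STORAGE_CONTAINER}/"

# Create Azure blob storage and account.
# az group create --name "${RESOURCE_GROUP}" --location "${LOCATION}"
# Anonymous blob reads are required: Entra fetches the discovery document and
# JWKS unauthenticated. "blob" (not "container") access permits reads of known
# blob names but not listing; keep this container dedicated to these two
# documents and put nothing else in it.
az storage account create --resource-group "${RESOURCE_GROUP}" --name "${AZURE_STORAGE_ACCOUNT}" --allow-blob-public-access true
az storage container create --name "${AZURE_STORAGE_CONTAINER}" --public-access blob

# Generate discovery document.
cat <<EOF > openid-configuration.json
{
"issuer": "${SERVICE_ACCOUNT_ISSUER}",
"jwks_uri": "${SERVICE_ACCOUNT_ISSUER}openid/v1/jwks",
"response_types_supported": [
"id_token"
],
"subject_types_supported": [
"public"
],
"id_token_signing_alg_values_supported": [
"RS256"
]
}
EOF

# Upload discovery document. Explicit content type so the blob is served as
# JSON regardless of how the local file name is interpreted; --overwrite makes
# re-runs idempotent.
az storage blob upload \
  --container-name "${AZURE_STORAGE_CONTAINER}" \
  --file openid-configuration.json \
  --name .well-known/openid-configuration \
  --content-type application/json \
  --overwrite

# Is it publicly accessible, and does it carry the issuer we registered?
# -f turns an HTTP error (e.g. 403/404 when public access did not apply) into a
# non-zero exit instead of silently printing an error page.
discovery_doc="$(curl -fsS "${SERVICE_ACCOUNT_ISSUER}.well-known/openid-configuration")"
printf '%s\n' "${discovery_doc}"
grep -Fq "\"issuer\": \"${SERVICE_ACCOUNT_ISSUER}\"" <<<"${discovery_doc}"

# Generate jwks document from the key kube-apiserver actually signs with
# (/etc/kubernetes/pki/sa.pub on the control plane). Only the public key is
# copied; a JWKS built from any other key makes Entra reject every token.
tsh scp root@glean-hgrgt:/etc/kubernetes/pki/sa.pub .
# Refuse to continue if what we fetched is not a public key (guards against
# accidentally publishing private material).
openssl pkey -pubin -in sa.pub -noout
azwi jwks --public-keys sa.pub --output-file jwks.json

# Upload jwks document.
az storage blob upload \
  --container-name "${AZURE_STORAGE_CONTAINER}" \
  --file jwks.json \
  --name openid/v1/jwks \
  --content-type application/json \
  --overwrite

# Is it publicly accessible?
curl -fsS "${SERVICE_ACCOUNT_ISSUER}openid/v1/jwks"

# https://oidcissuerae8e2375.blob.core.windows.net/oidc-test
export USER_ASSIGNED_MANAGED_IDENTITY_NAME="glean-capz"
export SERVICE_ACCOUNT_NAME="capz-manager"
export SERVICE_ACCOUNT_NAMESPACE="giantswarm"

# Create a federated credential for the user-assigned managed identity.
# The subject must equal the `sub` claim of the projected service-account
# token; the audience is left at the az default (api://AzureADTokenExchange),
# so the token must be projected with that audience as well.
az identity federated-credential create \
  --name "${SERVICE_ACCOUNT_NAME}" \
  --identity-name "${USER_ASSIGNED_MANAGED_IDENTITY_NAME}" \
  --resource-group "${RESOURCE_GROUP}" \
  --issuer "${SERVICE_ACCOUNT_ISSUER}" \
  --subject "system:serviceaccount:${SERVICE_ACCOUNT_NAMESPACE}:${SERVICE_ACCOUNT_NAME}"

export USER_ASSIGNED_IDENTITY_NAME="glean-wc"
# Create a user-assigned managed identity for the workload cluster.
az identity create -g "${RESOURCE_GROUP}" -n "${USER_ASSIGNED_IDENTITY_NAME}"

# Assign the Contributor role to the user-assigned managed identity.
# Resolve the principal (object) ID instead of passing the display name: it is
# unambiguous, and giving the principal type explicitly lets RBAC skip the
# Graph lookup that can fail from replication lag right after creation.
wc_principal_id="$(az identity show -g "${RESOURCE_GROUP}" -n "${USER_ASSIGNED_IDENTITY_NAME}" --query principalId -o tsv)"
# SUBSCRIPTION_ID was previously assumed to be set; fall back to the active
# subscription so the scope is never the invalid "/subscriptions/".
: "${SUBSCRIPTION_ID:=$(az account show --query id -o tsv)}"
# NOTE(review): Contributor over the whole subscription is broad for one
# workload cluster; narrow --scope to the cluster's resource group(s) where the
# CAPZ / cloud-provider setup permits it.
az role assignment create --assignee-object-id "${wc_principal_id}" \
  --assignee-principal-type ServicePrincipal \
  --role "Contributor" \
  --scope "/subscriptions/${SUBSCRIPTION_ID}"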