Azure Managed Application with AKS and deployment-time or cross-tenant role assignments to VM and Pod Managed Identities

In the following series of four videos, we look at a more advanced and “experimental” Azure Managed Application that deploys Azure Kubernetes Service (AKS) and an Azure Managed Identity, and performs some cross-resource-group role assignments. We also walk through using the Azure Instance Metadata Service and AKS Pod Identity to obtain access tokens for interacting with Azure Data Lake Storage and the ARM REST APIs.

Before diving into the videos below, you may first want to watch the two videos in “Simple Azure Managed Application: creating, testing, and publishing in Partner Center”.

You can see most of the sample commands and ARM templates used in the videos at https://github.com/arsenvlad/azure-managed-app-aks-managed-identity.

Important: As we’ll discuss in the first video below, currently (September 2020) there are some capability gaps when an Azure Managed Application deploys an AKS resource. Azure Marketplace certification of such a managed app would be “by exception”. Therefore, if you are working with a Microsoft contact, please double-check with them regarding your specific scenario before starting your implementation.

Reminder: When building your Azure Application ARM templates for submission to Azure Marketplace, please make sure to carefully follow all of the guidelines and best practices described here and be ready to make fixes and changes based on manual review feedback.

Video #1 of 4: Azure Managed Application with AKS and deployment-time Role Assignments to Managed Identities

Tip: Play the video full screen.

Video #2 of 4: Using AKS node’s managed identity to access Azure Data Lake Storage in Azure Managed Application resource group

Video #3 of 4: Adding cross-tenant role assignments for Managed Identity in Azure Managed Application

Video #4 of 4: Using AKS Pod-specific Identity to make ARM REST API calls to resources in Azure Managed Application Resource Group

Related Video: Refreshing Azure Managed Application Permissions

You may also want to review a related video about “Refreshing Azure Managed Application permissions and using Managed App’s Identity”.

Thank you!

Please leave feedback and questions below or on Twitter https://twitter.com/ArsenVlad

Written by

Principal Engineer / Architect, FastTrack for Azure at Microsoft