Azure Managed Application with AKS and deployment-time or cross-tenant role assignments to VM and Pod Managed Identities

In the following series of four videos, we look at a more advanced and “experimental” Azure Managed Application that deploys Azure Kubernetes Service (AKS) and Azure Managed Identity and performs some cross-resource-group role assignments. We also walk through using Azure Instance Metadata Service and AKS Pod Identity to obtain access tokens for interacting with Azure Data Lake Storage and ARM REST APIs.

Before diving into the videos below, you may first want to watch the two videos in “Simple Azure Managed Application: creating, testing, and publishing in Partner Center”.

You can see most of the sample commands and ARM templates used in the videos at https://github.com/arsenvlad/azure-managed-app-aks-managed-identity.

Important: As we’ll discuss in the first video below, currently (August 2021) there are some capability gaps when an Azure Managed Application deploys an AKS resource. Before developing an Azure Managed Application that includes AKS or containers, please review the document “Usage of Azure Kubernetes Services (AKS) and containers in managed application”, which lists important rules and limitations.

Reminder: When building your Azure Application ARM templates for submission to Azure Marketplace, please make sure to carefully follow all of the guidelines and best practices described here and be ready to make fixes and changes based on manual review feedback.

Video #1 of 4: Azure Managed Application with AKS and deployment-time Role Assignments to Managed Identities

Video #2 of 4: Using AKS node’s managed identity to access Azure Data Lake Storage in Azure Managed Application resource group

Video #3 of 4: Adding cross-tenant role assignments for Managed Identity in Azure Managed Application

Video #4 of 4: Using AKS Pod-specific Identity to make ARM REST API calls to resources in Azure Managed Application Resource Group

Related Video: Refreshing Azure Managed Application Permissions

Thank you!

Please leave feedback and questions below or on Twitter https://twitter.com/ArsenVlad

Principal Engineer / Architect, FastTrack for Azure at Microsoft