KB:How OIDC Connects AKS Service Accounts to Azure Managed Identities MI

OIDC (OpenID Connect) is the glue that binds the Kubernetes Service Account (SA)Azure Managed Identity (MI)Federated Credential chain.

Here’s what’s really happening behind the scenes in AKS + Microsoft Entra ID (formerly Azure AD).

🔐 The Role of OIDC in the AKS–Azure Identity Chain

1. OIDC Issuer: The Cluster’s Identity Provider

When you enable OIDC on your AKS cluster, Azure assigns it an OIDC issuer URL, like:

https://eastus.oic.prod-aks.azure.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

This URL acts like a mini identity provider (IdP) for your cluster.

Inside the cluster, Kubernetes Service Accounts can issue JWT tokens that are signed by this OIDC issuer.
Each token includes claims like:

  • iss → the OIDC issuer URL

  • subsystem:serviceaccount:<namespace>:<serviceaccount>

  • aud → the audience you request when you create the token

Those claims prove “This token was issued by this AKS cluster for this Service Account.”

2. Federated Credential: The Bridge to Entra ID

In Microsoft Entra (Azure AD), you create a Federated Credential inside a User-Assigned Managed Identity (UAMI) or an App Registration.

That federated credential tells Entra ID:

“I trust tokens coming from this OIDC Issuer URL, but only if the sub claim matches system:serviceaccount:<namespace>:<serviceaccount>.”

So when your Kubernetes pod (running with that SA) requests an Azure token:

  1. The pod gets a signed OIDC JWT from the AKS OIDC endpoint.

  2. The pod presents that token to Azure’s identity endpoint.

  3. Entra ID validates:

    • The signature (via the OIDC Issuer’s JWKS keys),

    • The iss (issuer matches the URL you entered),

    • The sub (matches the SA you configured in the federated credential).

If all checks out — ✅ Azure issues an access token for the Managed Identity.

3. Managed Identity: The Azure-side Actor

Once the token is issued, your workload in the pod is acting as that Managed Identity — it can:

  • Authenticate to Azure Resource Manager,

  • Access Key Vault, Storage, Cosmos DB, etc.

  • All without storing secrets or client secrets in the pod.

So in plain English:

OIDC = the authentication handshake
Federated Credential = the trust mapping
Managed Identity = the Azure persona
Service Account = the Kubernetes persona

And the handshake path is:

K8s Service Account  →  AKS OIDC Issuer  →  Entra Federated Credential  →  Managed Identity  →  Azure Resource Access

🧩 Visual summary

[ Pod ]
   |
   └── uses ServiceAccount (namespace: dev, name: my-app-sa)
         |
         └── AKS issues OIDC JWT token (iss + sub)
                |
                └── Azure Entra ID Federated Credential validates it
                       |
                       └── issues Azure access token for Managed Identity

⚙️ Why this matters

  • No secrets — eliminates need for AZURE_CLIENT_SECRET.

  • Per-pod identity — each pod can have its own Managed Identity securely.

  • Automatic rotation — JWTs and access tokens are short-lived.

  • Cross-cloud portability — same concept works in GKE, EKS, etc. (each has its own OIDC issuer).

Comments

Post a Comment

Popular posts from this blog

KB: Azure ACA Container fails to start (no User Assigned or Delegated Managed Identity found for specified ClientId)

Image
When deploying secure workloads using Azure Container Apps (ACA) , teams often face confusion between User Assigned Managed Identities (UAMI) and App Registrations . While both entities are visible in Azure Active Directory and have similar identifiers (Application ID, Object ID), they serve very different purposes . This confusion can lead to authentication failures when accessing services like Azure App Configuration or Key Vault . A common issue occurs when a container app is configured with a managed identity, but the environment variables or role assignments mistakenly reference an App Registration instead, causing errors like: "No User Assigned or Delegated Managed Identity found for specified ClientId" This article breaks down the difference between UAMI and App Registrations, explains why this issue happens, and outlines the correct approach to resolve it. Symptoms Azure Container App fails to authenticate to Azure App Configuration or other services. Logs...
Read more

Electron Process Execution Failure with FSLogix

  Technical Note: Electron Process Execution Failure with FSLogix 1. Overview When running Electron-based applications in environments using FSLogix Profile or Office Containers , users may encounter issues where the Electron process fails to launch or execute properly . This behavior has been observed in Azure Virtual Desktop (AVD) , Windows Virtual Desktop (WVD) , and other environments where FSLogix filter drivers are active. 2. Symptoms Electron-based applications (e.g., desktop apps built on Electron, CLI wrappers) do not start , remain unresponsive, or terminate silently. No visible logs or error messages are generated by the application. Standard executables run correctly when placed outside of the FSLogix-controlled profile path (e.g., copying to C:\Temp allows execution). The issue is reproducible across all Electron apps in the FSLogix-managed profile. 3. Root Cause The issue is linked to FSLogix filter drivers ( frxdrv , frxdrvvt , frxccd ) interfe...
Read more

KB:RMM VS DEX (Remote Monitoring Management vs Digital Employee Experience)

Digital Employee Experience (DEX) and Remote Monitoring and Management (RMM) tools serve different purposes and cater to distinct aspects of IT and employee management. Digital Employee Experience (DEX) Focus: Enhancing the overall experience of employees with their digital workplace tools and environment. Key Features: User Experience Monitoring: Tracks how employees interact with software and hardware, identifying issues impacting productivity. Performance Analytics: Provides insights into the performance of applications from the end-user's perspective. Feedback Mechanisms: Allows employees to report issues and give feedback on their digital tools and environment. Employee Well-being: Monitors factors that affect employee satisfaction and well-being, such as system performance and usability. Proactive Support: Identifies potential issues before they become significant problems, enabling proactive IT support. Goals: Improve employee satisfaction and productivity. Ensure a sm...
Read more