Posts

KB: How OIDC Connects AKS Service Accounts to Azure Managed Identities MI

OIDC (OpenID Connect) is the glue that binds the Kubernetes Service Account (SA) → Azure Managed Identity (MI) → Federated Credential chain. Here’s what’s really happening behind the scenes in AKS + Microsoft Entra ID (formerly Azure AD).

🔐 The Role of OIDC in the AKS–Azure Identity Chain

1. OIDC Issuer: The Cluster’s Identity Provider

When you enable OIDC on your AKS cluster, Azure assigns it an OIDC issuer URL, like:

https://eastus.oic.prod-aks.azure.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/

This URL acts like a mini identity provider (IdP) for your cluster. Inside the cluster, Kubernetes Service Accounts can issue JWT tokens that are signed by this OIDC issuer. Each token includes claims like:

iss → the OIDC issuer URL
sub → system:serviceaccount:<namespace>:<serviceaccount>
aud → the audience you request when you create the token

Those claims prove “This token was issued by this AKS cluster for this Service Account.”

2. Federated Cr...

Terraform State vs. Azure Resource Reality - Behavior Matrix

Quick decision tree (what to do)

Have resource in Azure but not in state? → terraform import (Rows 4, 8, 13).
Have resource in state but not in config (and you want to keep it in Azure)? → terraform state rm (Row 6).
Renamed/moved resources in code? → terraform state mv to map old address to new (Rows 14–15).
Portal edits conflict with .tf? → Let TF overwrite, or add ignore_changes for specific fields (Rows 2, 10–11).
Plan wants to destroy & recreate but you need continuity? → Check if the change really requires replace; if yes, consider create_before_destroy (when supported), or a migration strategy (Row 9).

Columns: # | .tf declares resource? | In state? | Exists in Azure? | Situation / Drift | terraform plan shows | apply result | Typical fix / notes

1 | ✅ | ✅ | ✅ | No drift | No changes | N/A | Happy path.
2 | ✅ | ✅ | ✅ (props changed in portal) | Property drift | Update in-place (change block) | Terraform updates Azure to match .tf | Or use lifecycle { ignore_changes = [...] } if portal edits are intentional.
3 | ✅ | ✅ | ❌ | Resou...