Using Pod Identity in AKS with Terraform
Terraform-izing Microsoft’s tutorial
Context
Most cloud providers have a way to give the Pods running in Kubernetes an “identity” that maps back to a role within the respective cloud providers.
For Amazon it’s IAM Roles for Service Accounts (IRSA), and for GCP it’s Workload Identity. Azure follows Google’s naming convention more closely with Entra Workload ID.
There’s a decent tutorial on how to set this up manually, but I found I had to dig quite a bit for the right Terraform resources so as not to create things using the Azure CLI as the tutorial suggests, so I thought I’d share what I found.
The AKS Cluster
The most important additions to a traditional AKS Terraform block are that you need to enable the OIDC issuer and workload identity.
These will enable the cluster to:
- Properly issue tokens for workloads (i.e. to your Pods)
- Mutate your Pods to inject those tokens using a mutating webhook.
Instead of showing the Terraform I used, I’ll just add to the examples in the Terraform Registry.
// main.tf for the AKS cluster
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version =…
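To show the whole chain end to end, here is an added example (my own addition, not the post’s code or Microsoft’s tutorial) that wires the two cluster flags to a user-assigned identity, the federated credential that trusts the cluster’s OIDC issuer for one service account, and a Pod that opts into the mutating webhook. Resource names, the region, the namespace and the provider version constraints are assumptions.

```hcl
# Added example, not from the original post. Names, region and versions are assumptions.
terraform {
  required_providers {
    azurerm    = { source = "hashicorp/azurerm", version = "~> 3.0" }    # assumption: a 3.x release with the two flags below
    kubernetes = { source = "hashicorp/kubernetes", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

locals {
  namespace = "app"    # assumed namespace
  sa_name   = "app-sa" # assumed service account name
}

resource "azurerm_resource_group" "rg" {
  name     = "rg-aks-workload-identity" # assumed
  location = "westeurope"              # assumed
}

resource "azurerm_kubernetes_cluster" "aks" {
  name                = "aks-workload-identity"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
  dns_prefix          = "akswi"

  # The two settings the post calls out: the first makes the cluster publish an
  # OIDC issuer and sign service-account tokens, the second runs the mutating
  # webhook that projects those tokens into labelled Pods.
  oidc_issuer_enabled       = true
  workload_identity_enabled = true

  default_node_pool {
    name       = "default"
    node_count = 1
    vm_size    = "Standard_DS2_v2"
  }

  identity {
    type = "SystemAssigned"
  }
}

# The Azure identity the Pod will act as. Scope its role assignments to the
# minimum the workload needs (role assignments not shown).
resource "azurerm_user_assigned_identity" "app" {
  name                = "id-app"
  location            = azurerm_resource_group.rg.location
  resource_group_name = azurerm_resource_group.rg.name
}

# Trust relationship: only tokens from this cluster's issuer, for exactly this
# namespace/service-account subject, can be exchanged for tokens of id-app.
resource "azurerm_federated_identity_credential" "app" {
  name                = "fic-app"
  resource_group_name = azurerm_resource_group.rg.name
  parent_id           = azurerm_user_assigned_identity.app.id
  audience            = ["api://AzureADTokenExchange"]
  issuer              = azurerm_kubernetes_cluster.aks.oidc_issuer_url
  subject             = "system:serviceaccount:${local.namespace}:${local.sa_name}"
}

provider "kubernetes" {
  host                   = azurerm_kubernetes_cluster.aks.kube_config[0].host
  client_certificate     = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].client_certificate)
  client_key             = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].client_key)
  cluster_ca_certificate = base64decode(azurerm_kubernetes_cluster.aks.kube_config[0].cluster_ca_certificate)
}

resource "kubernetes_namespace" "app" {
  metadata { name = local.namespace }
}

# The annotation tells the webhook which client ID to hand to the Pod.
resource "kubernetes_service_account" "app" {
  metadata {
    name      = local.sa_name
    namespace = kubernetes_namespace.app.metadata[0].name
    annotations = {
      "azure.workload.identity/client-id" = azurerm_user_assigned_identity.app.client_id
    }
  }
}

# The label is what makes the mutating webhook inject the projected token and
# the AZURE_* environment variables; unlabelled Pods are left untouched.
resource "kubernetes_pod" "app" {
  metadata {
    name      = "app"
    namespace = kubernetes_namespace.app.metadata[0].name
    labels    = { "azure.workload.identity/use" = "true" }
  }
  spec {
    service_account_name = kubernetes_service_account.app.metadata[0].name
    container {
      name  = "app"
      image = "mcr.microsoft.com/azure-cli" # assumed image, only for a quick `az login --federated-token` check
    }
  }
}
```

The federated credential is the piece worth auditing: its `subject` is the only thing binding the Azure identity to one Kubernetes service account, so a broad or mistyped subject widens which Pods can obtain that identity. The `identity { type = "SystemAssigned" }` block on the cluster is unrelated to Pod identity; it is the identity the control plane itself uses.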