docs: clarify usage in system-assigned mode #405
Signed-off-by: Anish Ramasekar <anish.ramasekar@gmail.com>

Commits 7012f0d to 2052113
AKS uses system-assigned managed identity as [cluster managed identity](https://docs.microsoft.com/en-us/azure/aks/use-managed-identity). This managed identity shouldn't be used to access Keyvault. You should consider using a [User-assigned managed identity](./user-assigned-msi-mode) instead. | ||
|
||
Before this step, you need to turn on system-assigned managed identity on your cluster VM/VMSS. | ||
Before this step, you need to [enable system-assigned managed identity](https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-cli-windows-vm#enable-system-assigned-managed-identity-on-an-existing-azure-vm) in your cluster VM/VMSS. |
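Review bot: the link on the added line points at the Windows VM quickstart anchor (`qs-configure-cli-windows-vm#enable-system-assigned-managed-identity-on-an-existing-azure-vm`) while the sentence says "VM/VMSS"; on AKS the node identity lives on the scale set, so either link the VMSS equivalent as well or say that the VM steps apply to the scale set too. The removed paragraph also drops the only pointer to `./user-assigned-msi-mode`; since the rationale is that the cluster identity is user-assigned and belongs on that page, keep a one-line reference to it so readers who actually want the cluster identity are still routed there.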
> This managed identity shouldn't be used to access Keyvault. You should consider using a User-assigned managed identity instead.
Is this guidance no longer valid?
I confirmed this was never the case. There is no system-assigned managed identity created in the cluster. I've added some context in the PR description.
Yeah, I saw the PR description. I guess the key for this PR is to guide users to create a system MSI on the node and remove any reference to the cluster managed identity, right?
Yeah, that's right. The cluster managed identity is a user-assigned managed identity, so we're stubbing that out of the doc. I've added a doc ref on how to enable system-assigned managed identity. The rest of the doc shows how to verify that the system-assigned managed identity exists and its role assignments.
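The verification the doc ends with (that the node VMSS really carries a system-assigned identity, and which roles that identity holds on the vault) can be scripted against the CLI's JSON output. The following is an added example, not code from the PR or from the project's docs. It assumes the JSON shapes returned by `az vmss identity show` and `az role assignment list --assignee <principalId> --all` (both real Azure CLI commands; re-check the fields against your CLI version); the subscription id, resource names, principal id and `VAULT_SCOPE` are constructed placeholders, and "Key Vault Secrets User" is the built-in data-plane role a secret reader needs.

```python
"""Check a node VMSS's system-assigned identity and audit its role assignments.

Added example; not part of the PR or the project's own documentation.
Assumes the JSON shapes of `az vmss identity show` and
`az role assignment list --assignee <principalId> --all`.
"""
import json

# Constructed sample of `az vmss identity show -g <rg> -n <vmss>` output
# after system-assigned identity has been enabled on the scale set.
IDENTITY_JSON = json.dumps({
    "principalId": "11111111-2222-3333-4444-555555555555",
    "tenantId": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "type": "SystemAssigned",
    "userAssignedIdentities": None,
})

# Constructed placeholder scope of the vault the provider reads secrets from.
VAULT_SCOPE = ("/subscriptions/00000000-0000-0000-0000-000000000000"
               "/resourceGroups/demo-rg/providers/Microsoft.KeyVault/vaults/demo-kv")

# Constructed sample of `az role assignment list --assignee <principalId> --all`.
# The second entry is deliberately too broad: Contributor on the subscription.
ROLE_ASSIGNMENTS_JSON = json.dumps([
    {
        "principalId": "11111111-2222-3333-4444-555555555555",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Key Vault Secrets User",
        "scope": VAULT_SCOPE,
    },
    {
        "principalId": "11111111-2222-3333-4444-555555555555",
        "principalType": "ServicePrincipal",
        "roleDefinitionName": "Contributor",
        "scope": "/subscriptions/00000000-0000-0000-0000-000000000000",
    },
])


def has_system_assigned_identity(identity_json: str) -> bool:
    """True when the scale set carries a system-assigned identity.

    `type` is "SystemAssigned", "UserAssigned" or "SystemAssigned, UserAssigned";
    only the first and the last satisfy system-assigned mode. Empty or null
    output (no identity configured at all) yields False.
    """
    if not identity_json.strip():
        return False
    data = json.loads(identity_json) or {}
    kinds = {t.strip() for t in (data.get("type") or "").split(",")}
    return "SystemAssigned" in kinds and bool(data.get("principalId"))


def principal_id(identity_json: str) -> str:
    """Object id of the identity; role assignments are bound to this value."""
    if not identity_json.strip():
        return ""
    data = json.loads(identity_json) or {}
    return data.get("principalId") or ""


def audit_role_assignments(assignments_json: str, principal: str,
                           vault_scope: str) -> dict:
    """Split the principal's assignments into roles scoped at (or under) the
    vault and roles granted at a broader scope, which a node identity that only
    reads secrets does not need."""
    vault_prefix = vault_scope.rstrip("/").lower()
    vault_roles, out_of_scope = [], []
    for a in json.loads(assignments_json):
        if a.get("principalId") != principal:
            continue  # belongs to some other identity; not our concern here
        scope = (a.get("scope") or "").rstrip("/").lower()
        role = a.get("roleDefinitionName", "")
        if scope == vault_prefix or scope.startswith(vault_prefix + "/"):
            vault_roles.append(role)
        else:
            out_of_scope.append((role, a.get("scope", "")))
    return {"vault_roles": vault_roles, "out_of_scope": out_of_scope}


if __name__ == "__main__":
    print("system-assigned identity present:",
          has_system_assigned_identity(IDENTITY_JSON))
    report = audit_role_assignments(ROLE_ASSIGNMENTS_JSON,
                                    principal_id(IDENTITY_JSON), VAULT_SCOPE)
    print("roles on the vault:", report["vault_roles"])
    for role, scope in report["out_of_scope"]:
        print(f"review: {role} at {scope} is broader than the vault")
```

In practice you would pipe the two `az` commands' output into the functions instead of the constructed samples; the point of `audit_role_assignments` is that a system-assigned node identity should hold a vault-scoped read role and nothing wider, since every pod that can reach the node's IMDS endpoint inherits whatever that identity can do.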
Signed-off-by: Anish Ramasekar anish.ramasekar@gmail.com
Reason for Change:

`type: SystemAssignedIdentity`, there is no system-assigned managed identity in the VM/VMSS.

Requirements:
Issue Fixed:
fixes #388
fixes #389
Does this change contain code from or inspired by another project?
If "Yes," did you notify that project's maintainers and provide attribution?
Special Notes for Reviewers: