Private App registration

[arodindev]

We want to authenticate to an Amazon EKS cluster using Azure Entra ID. For that we have created an Azure app that issues an ID token containing the Entra ID groups information of the user. For getting started we used this guide https://aws.amazon.com/blogs/containers/using-azure-active-directory-to-authenticate-to-amazon-eks/

This works fine when the "Allow public client flow" is enabled. However, due to internal security regulations we are forced to set the app to private. There is a community version of kubelogin that allows to provide a --oidc-client-secret flag. Do we have something similar with the Azure kubelogin and can someone guide me on how to set this up?

Thanks!

[weinong]

I think https://azure.github.io/kubelogin/topics/k8s-oidc-aad.html should work for you

[arodindev]

This config indeed worked for me

kubectl config set-credentials "azure-user" \
  --exec-api-version=client.authentication.k8s.io/v1beta1 \
  --exec-command=kubelogin \
  --exec-arg=get-token \
  --exec-arg=--environment \
  --exec-arg=AzurePublicCloud \
  --exec-arg=--server-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--client-id \
  --exec-arg=$AAD_CLIENT_ID \
  --exec-arg=--tenant-id \
  --exec-arg=$AAD_TENANT_ID \
  --exec-arg=--login \
  --exec-arg=interactive

thank you @weinong