Install Workload Identity on AKS

Reference: Microsoft documentation at https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview

Step 1 : Install / Verify Requirements

To install and use Workload Identity on your AKS cluster, you need the following:

  • Azure CLI version 2.40.0 or higher

    New installation:
    https://learn.microsoft.com/en-us/cli/azure/install-azure-cli

    Existing installation:
    – Check the version with: az version
    – Upgrade with: az upgrade

  • aks-preview extension 0.5.102 or higher

    Check the version with: az version (the "extensions" section of the output lists the installed extensions and their versions)

    If aks-preview is not installed: az extension add --name aks-preview
    If aks-preview is installed but the version is too old: az extension update --name aks-preview

    Note: if aks-preview was already installed and you performed an az upgrade, the extension is automatically updated as well.

  • AKS cluster version 1.21 or higher

    Upgrade cluster : https://learn.microsoft.com/en-us/azure/aks/upgrade-cluster?tabs=azure-cli

Step 2 : Enable Workload Identity on AKS

  1. Register the “EnableWorkloadIdentityPreview” feature

    az feature register --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview"

    Registration can take a few minutes to complete, so be patient.

  2. Check if the feature is registered

    az feature show --namespace "Microsoft.ContainerService" --name "EnableWorkloadIdentityPreview"

  3. Register/Reregister the ContainerService provider

    After EnableWorkloadIdentityPreview shows as registered, you need to register (or re-register) the Microsoft.ContainerService provider to propagate the change:

    az provider register --namespace Microsoft.ContainerService

  4. Enable Workload Identity on the Cluster
    • Through Azure CLI

      Update Existing Cluster :

      az aks update -n <ClusterName> -g <ResourceGroupName> --enable-oidc-issuer --enable-workload-identity

      Create New Cluster:

      az aks create -n <ClusterName> -g <ResourceGroupName> --enable-oidc-issuer --enable-workload-identity --generate-ssh-keys --node-count 1

    • Through ARM/Bicep

      To be completed

In the output of these commands you should find your oidcIssuerProfile, which contains the cluster's OIDC issuer URL.

You can retrieve just the issuer URL by running the following command:

az aks show -n <ClusterName> -g <ResourceGroupName> --query "oidcIssuerProfile.issuerUrl" -otsv

Additionally, two pods are deployed on your AKS cluster in the kube-system namespace.
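The steps above, from the requirement checks in Step 1 through enabling Workload Identity on an existing cluster and reading back the issuer URL, can be scripted. The following script is an added example and is not part of the original post or of Microsoft's tooling. It assumes the az CLI is installed and logged in, that CLUSTER_NAME and RESOURCE_GROUP are exported by the caller, and that nothing touches Azure unless AKS_WI_APPLY=1 is set; the version comparison, the small JSON field extractor and the requirement check are pure shell and can be exercised offline against constructed `az version` output. The final issuer check (fetching the OIDC discovery document) is an extra verification step the post does not describe; the `.well-known/openid-configuration` path is the standard OIDC discovery location, not something taken from the page.

```shell
#!/bin/sh
# Added example (not from the original post): scripted Step 1 and Step 2.
# Assumptions: az CLI installed and logged in; CLUSTER_NAME and RESOURCE_GROUP
# set by the caller; Azure is only touched when AKS_WI_APPLY=1.
set -eu

MIN_CLI=2.40.0      # from the post: Azure CLI 2.40.0 or higher
MIN_EXT=0.5.102     # from the post: aks-preview 0.5.102 or higher
MIN_K8S=1.21        # from the post: AKS cluster 1.21 or higher

# version_ge A B: succeed when dotted version A is >= B, comparing up to three
# numeric components; a missing component counts as 0, so 1.21 >= 1.21.0.
version_ge() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s..' "$1" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s..' "$2" | cut -d. -f"$i"); y=${y:-0}
    if [ "$x" -gt "$y" ]; then return 0; fi
    if [ "$x" -lt "$y" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# json_field JSON KEY: print the string value of the first "KEY": "value" pair.
# Enough for the flat `az version` output; not a general JSON parser.
json_field() {
  printf '%s\n' "$1" | grep -o "\"$2\": *\"[^\"]*\"" | head -n 1 \
    | sed 's/.*"\([^"]*\)"$/\1/'
}

# check_requirements VERSION_JSON: compare the `az version` output with the
# Step 1 minimums. Prints one line per problem and fails if any was found.
check_requirements() {
  cli=$(json_field "$1" azure-cli)
  ext=$(json_field "$1" aks-preview)
  ok=0
  if [ -z "$cli" ] || ! version_ge "$cli" "$MIN_CLI"; then
    echo "azure-cli ${cli:-missing} < $MIN_CLI: run 'az upgrade'"; ok=1
  fi
  if [ -z "$ext" ]; then
    echo "aks-preview not installed: run 'az extension add --name aks-preview'"; ok=1
  elif ! version_ge "$ext" "$MIN_EXT"; then
    echo "aks-preview $ext < $MIN_EXT: run 'az extension update --name aks-preview'"; ok=1
  fi
  return $ok
}

# wait_for_feature NAMESPACE NAME: poll until the preview feature reports
# Registered (Step 2, item 2); the post warns this can take a few minutes.
wait_for_feature() {
  while :; do
    state=$(az feature show --namespace "$1" --name "$2" --query properties.state -o tsv)
    if [ "$state" = "Registered" ]; then break; fi
    echo "feature $2 is $state, waiting..."; sleep 20
  done
}

# apply: run the whole procedure against the cluster named in the environment.
apply() {
  check_requirements "$(az version -o json)"
  k8s=$(az aks show -n "$CLUSTER_NAME" -g "$RESOURCE_GROUP" --query kubernetesVersion -o tsv)
  version_ge "$k8s" "$MIN_K8S" || { echo "cluster runs $k8s, need $MIN_K8S or higher"; exit 1; }
  az feature register --namespace Microsoft.ContainerService --name EnableWorkloadIdentityPreview >/dev/null
  wait_for_feature Microsoft.ContainerService EnableWorkloadIdentityPreview
  az provider register --namespace Microsoft.ContainerService
  az aks update -n "$CLUSTER_NAME" -g "$RESOURCE_GROUP" --enable-oidc-issuer --enable-workload-identity >/dev/null
  issuer=$(az aks show -n "$CLUSTER_NAME" -g "$RESOURCE_GROUP" --query oidcIssuerProfile.issuerUrl -o tsv)
  echo "OIDC issuer: $issuer"
  # Extra check (assumption, not from the post): the issuer must serve the
  # standard OIDC discovery document, otherwise token federation cannot work.
  curl -fsS "${issuer%/}/.well-known/openid-configuration" >/dev/null \
    && echo "issuer discovery document reachable"
}

if [ "${AKS_WI_APPLY:-0}" = "1" ]; then apply; fi
```

Run it with `AKS_WI_APPLY=1 CLUSTER_NAME=<ClusterName> RESOURCE_GROUP=<ResourceGroupName> sh ./enable-workload-identity.sh`; without AKS_WI_APPLY the script only defines the functions, so the checks can be sourced and tested with no Azure access. The requirement check fails closed: any missing or too-old component is reported together with the exact command from Step 1 that fixes it.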

Configuring the Managed Identities will be covered in the next post.